Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: Bernd Zeimetz <b...@debian.org>, Moritz Muehlenhoff <j...@debian.org>, Adam Borowski <kilob...@angband.pl>
Dear release team, I've uploaded version 14.2.20-2 of Ceph. This is the last point release from usptream, including the fixes for CVE-2021-20288 and CVE-2020-27839. With such large software such as Ceph, the debdiff can be quite big. This unfortunately is no exception. I understand that the rule is that the release team insist reviewing all changes. That's clearly not possible considering the debdiff size. However, I don't think it is reasonable to not include point release fixes from upstream, just like we do with other large software in Debian. I intend to keep Ceph 14.2.x updated during the lifetime of Bullseye, following upstream updates, hopefully you will agree that this is the sensitive thing to do. I've uploaded the debdiff here: http://shade.infomaniak.ch/ceph_14.2.20-2.debdiff Note that I have setup and used version 14.2.20-2 in a production OpenStack cluster: Ceph is used there for storing Glance images, Cinder volumes, and Nova VM disks. I haven't seen any regression. Please unblock package ceph/14.2.20-2 Cheers, Thomas Goirand (zigo) P.S: bzed, jmm and kilobyte as CC after discussing this update with bzed who co-maintains the Ceph package. Also, this bug is instead of #985885 that I have closed.
