ceph: pyopenssl CVE fixes#523433
Merged
Merged
Conversation
There was a problem hiding this comment.
This report is automatically generated by the PR / Check / cherry-pick CI workflow.
Some of the commits in this PR require the author's and reviewer's attention.
If you need to merge this PR despite the warnings, please dismiss this review shortly before merging.
Important
5115479 is not a cherry-pick, because: only applicable to 25.11. Please review this commit manually.
Hint: The full diffs are also available in the runner logs with slightly better highlighting.
Contributor
Author
I'll just ignore those GH Action failures then I guess. |
Belated fixes for some CVEs for the vendored pyopenssl. The Ceph source code directly is very unlikely to use (and in particular misuse) the affected parts of the API. Both `set_cookie_generate_callback` and `set_tlsext_servername_callback` have no actual occurrences in the tarball, so any use would be limited to dependencies, which would be hard to track. The major merge conflicts for backporting have been changes to the changlog which I've simply cut from the diff altogether. Contained should be the fixes and the tests only. Since this version of Ceph is phased out with the ongoing release of 26.05, moving to the new release and thus Ceph Tentacle is the recommended approach anyway, this is sort of a stopgap measure. Not-cherry-picked-because: only applicable to 25.11 Signed-off-by: benaryorg <binary@benary.org>
14481a0 to
5115479
Compare
Contributor
Author
|
Made the bots marginally more happy, the diff is a noop. |
Merged
via the queue into
NixOS:release-25.11
with commit May 27, 2026
e19a38a
31 of 33 checks passed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Belated fixes for some CVEs for the vendored pyopenssl.
The Ceph source code directly is very unlikely to use (and in particular misuse) the affected parts of the API.
Both
set_cookie_generate_callbackandset_tlsext_servername_callbackhave no actual occurrences in the tarball, so any use would be limited to dependencies, which would be hard to track.The major merge conflicts for backporting have been changes to the changlog which I've simply cut from the diff altogether.
Contained should be the fixes and the tests only.
Since this version of Ceph is phased out with the ongoing release of 26.05, moving to the new release and thus Ceph Tentacle is the recommended approach anyway, this is sort of a stopgap measure.
Above is the commit message verbatim.
Links:
Directly against release-25.11 because this is just for 25.11.
Things done
passthru.tests.1nixpkgs-reviewon this PR. See nixpkgs-review usage../result/bin/.Footnotes
Commits only tested on top of nixos-25.11, since release-25.11 requires recompiling the Linux kernel and a bunch of other stuff atm and it's already unreasonably hot in this room. ↩
The commits that were cherry-picked for creating the patch themselves declare their AI affiliation, while the process of cherry-picking and everything surrounding it was done without any AI involvement whatsoever. ↩