CephSigningKeyBinaryDownloads

Ceph Signing Key and Binary Downloads

It was discovered that Ceph community sites were compromised. Ceph verified the upstream source that is distributed via http://download.ceph.com/tarballs/ is safe. Ubuntu verified that the source tarballs used in the Ubuntu archive match the verified safe upstream versions. People using ceph packages from the official Ubuntu repositories are not affected.

Those using debs downloaded from Ceph's affected community sites are affected and you should update your APT keys and packages as per Ceph's announcement.

Timeline

  • 2015 Sep 09: Ubuntu first became aware of the issue

  • 2015 Sep 17: Ceph announces issue to the public

CategoryTemplate

SecurityTeam/KnowledgeBase/CephSigningKeyBinaryDownloads (last edited 2015-09-18 16:27:38 by tyhicks)