Your message dated Thu, 25 Mar 2021 19:11:10 +0100
with message-id <[email protected]>
and subject line Re: Bug#985670: CVE-2020-27781 CVE-2020-27839
has caused the Debian Bug report #985670,
regarding CVE-2020-27781 CVE-2020-27839
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
985670: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985670
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ceph
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>

CVE-2020-27781
https://bugs.launchpad.net/manila/+bug/1904015
https://bugzilla.redhat.com/show_bug.cgi?id=1900109
https://github.com/ceph/ceph/commit/1b8a634fdcd94dfb3ba650793fb1b6d09af65e05 
(octopus)
https://github.com/ceph/ceph/commit/7e3e4e73783a98bb07ab399438eb3aab41a6fc8b 
(nautilus)
https://github.com/ceph/ceph/commit/956ceb853a58f6b6847b31fac34f2f0228a70579 
(luminous)

CVE-2020-27839
https://tracker.ceph.com/issues/44591
https://github.com/ceph/ceph/pull/38259
https://github.com/ceph/ceph/commit/23f2604d6f9ac16779b4ac43aab6e4e434f2e8ec

Cheers,
        Moritz  

--- End Message ---
--- Begin Message ---
Source: ceph
Source-Version: 14.2.18-1

On Mon, Mar 22, 2021 at 11:17:02AM +0100, Moritz Muehlenhoff wrote:
> On Mon, Mar 22, 2021 at 10:11:29AM +0100, Thomas Goirand wrote:
> > On 3/21/21 7:59 PM, Moritz Muehlenhoff wrote:
> > > Package: ceph
> > > Severity: important
> > > Tags: security
> > > X-Debbugs-Cc: Debian Security Team <[email protected]>
> > > 
> > > CVE-2020-27781
> > > https://bugs.launchpad.net/manila/+bug/1904015
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1900109
> > > https://github.com/ceph/ceph/commit/1b8a634fdcd94dfb3ba650793fb1b6d09af65e05
> > >  (octopus)
> > > https://github.com/ceph/ceph/commit/7e3e4e73783a98bb07ab399438eb3aab41a6fc8b
> > >  (nautilus)
> > > https://github.com/ceph/ceph/commit/956ceb853a58f6b6847b31fac34f2f0228a70579
> > >  (luminous)
> > > 
> > > CVE-2020-27839
> > > https://tracker.ceph.com/issues/44591
> > > https://github.com/ceph/ceph/pull/38259
> > > https://github.com/ceph/ceph/commit/23f2604d6f9ac16779b4ac43aab6e4e434f2e8ec
> > > 
> > > Cheers,
> > >         Moritz    
> > > 
> > 
> > Hi Moritz,
> > 
> > To me, these issues were fixed in 14.2.16, which is already in
> > unstable/bullseye, and also in Buster backports. It matches what I have
> > in memory (but I'm not 100% sure).
> > 
> > I tried applying the above patches, and that's how it felt too.
> 
> I can confirm that CVE-2020-27781 is fixed in sid, 
> 7e3e4e73783a98bb07ab399438eb3aab41a6fc8b
> landed in v14.2.16 and thus in unstable. I've updated the Security Tracker.
> 
> But CVE-2020-27839 was fixed in the nautilus branch in 
> 843b2e9cd4cb996165d1818ebff125f1414f90c5
> which only ended up in v14.2.17 and is thus missing in unstable/testing. 
> Right?

And so addressed it looks with the 14.2.18-1 upload to unstable,
marking the bug as such fixed.

Regards,
Salvatore

--- End Message ---
