Control: found -1 18.2.4+ds-1
Control: notfound -1 18.2.7-2
Control: fixed -1 18.2.6-1

Hi Thomas,

On Mon, Jun 30, 2025 at 10:52:59AM +0200, Thomas Goirand wrote:
> On 6/27/25 22:05, Salvatore Bonaccorso wrote:
> > Source: ceph
> > Version: 18.2.7-2
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: [email protected], Debian Security Team
> > <[email protected]>
> >
> > Hi,
> >
> > The following vulnerability was published for ceph.
> >
> > CVE-2025-52555[0]:
> > | Ceph is a distributed object, block, and file storage platform. In
> > | versions 17.2.7, 18.2.1 through 18.2.4, and 19.0.0 through 19.2.2,
> > | an unprivileged user can escalate to root privileges in a ceph-fuse
> > | mounted CephFS by chmod 777 a directory owned by root to gain
> > | access. The result of this is that a user could read, write and
> > | execute to any directory owned by root as long as they chmod 777 it.
> > | This impacts confidentiality, integrity, and availability. It is
> > | patched in versions 17.2.8, 18.2.5, and 19.2.3.
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2025-52555
> >     https://www.cve.org/CVERecord?id=CVE-2025-52555
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=2374412
> > [2] https://www.openwall.com/lists/oss-security/2025/06/26/1
> > [3] https://github.com/ceph/ceph/pull/60314
> > [4] https://github.com/ceph/ceph/security/advisories/GHSA-89hm-qq33-2fjm
> >
> > Please adjust the affected versions in the BTS as needed.
> >
> > Regards,
> > Salvatore
>
> Hi Salvatore,
>
> FYI, the version 18.2.7-2 currently in unstable & testing isn't affected, as
> it already contains the patch (I just checked). Please adjust the security
> tracker accordingly.

Yes, looks correct; for some reason I got the metadata wrong for filing the
bug.

Regards,
Salvatore

