Your message dated Mon, 18 Nov 2019 15:35:48 +0100
with message-id <f24ae4e5-887b-122f-f767-c2dda4302...@bzed.de>
and subject line Fixed in 14.2.4-1
has caused the Debian Bug report #936015,
regarding ceph: CVE-2019-10222
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
936015: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936015
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ceph
Version: 12.2.11+dfsg1-2.1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/ceph/ceph/pull/2996

Hi,

The following vulnerability was published for ceph.

CVE-2019-10222[0]:
unauthenticated clients can crash RGW

For the 12.2.x series this is only triggerable if an experimental
feature is enabled. Thus I think this does not warrant a DSA but would
be potentially nice to have fixed in the next point release.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10222
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10222
[1] https://github.com/ceph/ceph/pull/2996
[2] https://www.openwall.com/lists/oss-security/2019/08/28/9

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Version: 14.2.4-1

Forgot to mention that bug in the changelog unfortunately.

ceph (14.2.4-1) unstable; urgency=medium

  * Uploading 14.2.4 to Debian.
    (Closes: #936282, #943961, #940854, #942733)
  * Adding myself to Uploaders
  * Merging the work done in Ubuntu.

      [ Dariusz Gadomski ]
      * d/p/issue37490.patch: Cherry pick fix to optimize LVM queries in
        ceph-volume, resolving performance issues in systems under heavy load
        or with large numbers of disks (LP: #1850754).
    
      [ James Page ]
      * d/p/issue40114.patch: Cherry pick endian fixes to resolve issues
        using Ceph on big-endian architectures such as s390x (LP: #1851290).
      * New upstream release (LP: #1850901):
        - d/p/more-py3-compat.patch,ceph-volume-wait-for-lvs.patch,
          ceph-volume-wait-for-lvs.patch: Drop, included upstream.
        - d/p/bluefs-use-uint64_t-for-len.patch: Cherry pick fix to resolve
          FTBFS on 32 bit architectures.
      * d/rules: Disable SPDK support as this generates a build which
        has a minimum CPU baseline of 'corei7' on x86_64 which is not
        compatible with older CPUs (LP: #1842020).
      * d/p/issue40781.patch: Cherry pick fix for py3 compatibility in ceph-
        crash.
    
      [ Eric Desrochers ]
      * Ensure that daemons are not automatically restarted during package
        upgrades (LP: #1840347):
        - d/rules: Use "--no-restart-after-upgrade" and "--no-stop-on-upgrade"
          instead of "--no-restart-on-upgrade".
        - d/rules: Drop exclusion for ceph-[osd,mon,mds] for restarts.
    
      [ Jesse Williamson ]
      * d/p/civetweb-755-1.8-somaxconn-configurable*.patch: Backport changes
        to civetweb to allow tuning of SOMAXCONN in Ceph RADOS Gateway
        deployments (LP: #1838109).
    
      [ James Page ]
      * d/p/ceph-volume-wait-for-lvs.patch: Cherry pick inflight fix to
        ensure that required wal and db devices are present before
        activating OSDs (LP: #1828617).
    
      [ Steve Beattie ]
      * SECURITY UPDATE: RADOS gateway remote denial of service
        - d/p/CVE-2019-10222.patch: rgw: asio: check the remote endpoint
          before processing requests.
        - CVE-2019-10222

      [ James Page ]
      * New upstream release.
      * d/p/fix-py3-encoding-fsid.patch: Drop, no longer required.
      * d/p/pybind-auto-encode-decode-cstr.patch: Drop, reverted upstream.
      * d/p/fix-py3-encoding-fsid.patch: Cherry pick correct fix to resolve
        FSID encoding issues under Python 3 (LP: #1833079).
      * d/p/pybind-auto-encode-decode-cstr.patch: Cherry pick fix to ensure
        that encoding/decoding of strings is correctly performed under
        Python 3 (LP: #1833079).
    
      * New upstream release.
      * d/p/misc-32-bit-fixes.patch: Drop, included upstream.
      * d/p/py37-compat.patch: Drop, included upstream.
      * d/p/collections.abc-compat.patch: Drop, included in release.
      * d/p/*: Refresh.
      * d/*: Re-sync packaging with upstream for Nautilus release.
      * d/control,ceph-test.*,rules: Disable build of test binaries, drop
        ceph-test binary package (reduce build size).
      * d/control,rules: Use system boost libraries (reduce build time).
      * d/control: Add dependency on smartmontools, suggest use of nvme-cli
        for ceph-osd package.
      * d/p/32bit-*.patch: Fix misc 32 bit related issues which cause
        compilation failures on armhf and i386 architectures.
      * d/control: Add Breaks/Replaces on ceph-common for ceph-argparse to
        deal with move of Python module.
    
      * New upstream release (LP: #1810766).
      * d/p/*: Refresh.
    
      * d/p/more-py3-compat.patch: Add more py3 fixes.
    
      * d/p/more-py3-compat.patch: Misc Python 3 fixes in ceph-create-keys.
    
      * d/tests/python-ceph: Fix python3 test support resolving
        autopkgtest failure.
    
      * New upstream point release.
      * d/p/*: Refresh.
      * d/control,python-*.install,rules: Drop Python 2 support.
      * d/tests: Update for Python 2 removal.
      * d/p/misc-32-bit-fixes.patch: Update type of rgw_max_attr_name_len,
        resolving SIGABRT in radosgw (LP: #1805145).
      * d/p/boost-py37-compat.patch: Fix compilation issue with boost
        imports conflicting with ceph's assert.h header.
      * d/p/collections.abc-compat.patch: Selective cherry-pick of upstream
        fix for future compatibility with Python 3.8, avoiding deprecation
        warnings under Python 3.7.

      * d/ceph-mds.install: Install missing systemd configuration
        (LP: #1789927).
    
      * Re-instate 32bit architectures.
        - d/control: Switch back to linux-any
        - d/p/misc-32-bit-fixes.patch: Misc fixes for compilation
          failures under 32 bit architectures.
        - d/rules: Disable SPDK integration under i386.
      * Repack upstream tarball, excluding non-DFSG sources (LP: #1750848):
        - d/copyright: Purge upstream tarball of minified js files, which
          are neither shipped in binaries nor required for package build.
        - d/watch: Add dversionmangle for +dfsg\d version suffix.
      * d/control,rules: Drop requirement for gcc-7 for arm64.
      * d/ceph-osd.udev: Add udev rules for sample LVM layout for OSDs,
        ensuring that LVs have ceph:ceph ownership (LP: #1767087).
    
      * d/copyright,source.lintian-overrides: Exclude jsonchecker component
        of rapidjson avoiding license-problem-json-evil non-free issue.
      * New upstream point release.
      * d/control: Remove obsolete X{S}-* fields.
    
      * New upstream release.
      * Sync with changes in upstream packaging:
        - d/*.install,rules: Use generated systemd unit files for install
        - d/ceph-test.install: Drop binaries removed upstream.
      * d/p/*: Refresh and drop as needed.
      * d/*.symbols: Refresh for new release.
      * d/rules,calc-max-parallel.sh: Automatically calculate the maximum
        number of parallel compilation units based on total memory.
      * d/control: Drop support for 32 bit architectures.
      * d/control: Update Vcs-* fields for Ubuntu.
      * d/control: Drop min python version field.

 -- Bernd Zeimetz <b...@debian.org>  Mon, 18 Nov 2019 14:18:10 +0100

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F

--- End Message ---
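The changelog entry in the closing message describes the fix for CVE-2019-10222 only as "rgw: asio: check the remote endpoint before processing requests". The C program below is an added example, not Ceph's code and not the Debian or Ubuntu patch: it shows the same defensive pattern with POSIX getpeername(), the counterpart of Asio's error-code overload of remote_endpoint(), so that a connection whose peer cannot be identified is rejected by itself instead of the failure reaching the request path of the whole gateway. The enum and function names, the "host:port" rendering and the request bytes are all constructed for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Result of the endpoint check that runs before any request byte is read.
 * (All names in this file are constructed for the example.) */
enum peer_status { PEER_OK = 0, PEER_NOT_CONNECTED = 1, PEER_ERROR = 2 };

/* Resolve the remote endpoint of an accepted socket.  getpeername() is the
 * POSIX counterpart of Asio's socket.remote_endpoint(ec): failure is reported
 * through the return value and errno rather than by throwing, so a client that
 * has already gone away (ENOTCONN) costs one connection, not the process.
 * On success a printable "host:port" is written to 'out' for the access log. */
enum peer_status check_remote_endpoint(int fd, char *out, size_t outlen)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    memset(&ss, 0, sizeof ss);

    if (getpeername(fd, (struct sockaddr *)&ss, &len) != 0)
        return errno == ENOTCONN ? PEER_NOT_CONNECTED : PEER_ERROR;

    char ip[INET6_ADDRSTRLEN] = "?";
    if (ss.ss_family == AF_INET) {
        struct sockaddr_in *in4 = (struct sockaddr_in *)&ss;
        inet_ntop(AF_INET, &in4->sin_addr, ip, sizeof ip);
        snprintf(out, outlen, "%s:%u", ip, (unsigned)ntohs(in4->sin_port));
    } else if (ss.ss_family == AF_INET6) {
        struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)&ss;
        inet_ntop(AF_INET6, &in6->sin6_addr, ip, sizeof ip);
        snprintf(out, outlen, "[%s]:%u", ip, (unsigned)ntohs(in6->sin6_port));
    } else {
        /* e.g. AF_UNIX: still a live peer, just no IP address to log. */
        snprintf(out, outlen, "family=%d", (int)ss.ss_family);
    }
    return PEER_OK;
}

/* Per-connection handler skeleton.  The endpoint check is performed first;
 * a socket whose peer cannot be identified is dropped without parsing
 * anything.  Returns the number of request bytes read, or -1 if the
 * connection was rejected up front. */
int handle_connection(int fd)
{
    char peer[128];
    char req[512];
    enum peer_status st = check_remote_endpoint(fd, peer, sizeof peer);

    if (st != PEER_OK) {
        fprintf(stderr, "drop fd=%d before request: %s\n", fd,
                st == PEER_NOT_CONNECTED ? "peer not connected"
                                         : strerror(errno));
        return -1;
    }

    /* Only now is the peer known; safe to attribute the request to it. */
    ssize_t n = recv(fd, req, sizeof req - 1, 0);
    if (n < 0)
        return -1;
    req[n] = '\0';
    fprintf(stderr, "request from %s: %zd bytes\n", peer, n);
    return (int)n;
}

/* Stand-alone demo: an unconnected socket stands in for the "peer already
 * gone" case, and a connected socketpair carries a constructed request. */
int main(void)
{
    int unconnected = socket(AF_INET, SOCK_STREAM, 0);
    printf("unconnected socket -> %d\n", handle_connection(unconnected));
    close(unconnected);

    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 1;
    const char *constructed = "GET /bucket/object HTTP/1.1\r\n";
    send(sv[0], constructed, strlen(constructed), 0);
    printf("connected socketpair -> %d\n", handle_connection(sv[1]));
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```

The point of the ordering is that the endpoint lookup happens before the accept loop commits any per-request state to the connection: a lookup that fails is logged with the file descriptor and errno and the connection is closed, which is observable in the server log as a dropped connection rather than as a daemon restart.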
