Your message dated Thu, 27 May 2021 11:33:37 +0000 with message-id <e1lmegf-0000th...@fasolo.debian.org> and subject line Bug#988889: fixed in ceph 14.2.21-1 has caused the Debian Bug report #988889, regarding ceph: CVE-2021-3524 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 988889: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988889 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: ceph Version: 14.2.20-2 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Hi, The following vulnerability was published for ceph. CVE-2021-3524[0]: | A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object | Gateway) in versions before 14.2.21. The vulnerability is related to | the injection of HTTP headers via a CORS ExposeHeader tag. The newline | character in the ExposeHeader tag in the CORS configuration file | generates a header injection in the response when the CORS request is | made. In addition, the prior bug fix for CVE-2020-10753 did not | account for the use of \r as a header separator, thus a new flaw has | been created. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-3524 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3524 [1] https://bugzilla.redhat.com/show_bug.cgi?id=1951674 [2] https://github.com/ceph/ceph/commit/763aebb94678018f89427137ffbc0c5205b1edc1 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: ceph Source-Version: 14.2.21-1 Done: Thomas Goirand <z...@debian.org> We believe that the bug you reported is fixed in the latest version of ceph, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 988...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Thomas Goirand <z...@debian.org> (supplier of updated ceph package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Thu, 27 May 2021 12:04:21 +0200 Source: ceph Architecture: source Version: 14.2.21-1 Distribution: unstable Urgency: high Maintainer: Ceph Packaging Team <team+c...@tracker.debian.org> Changed-By: Thomas Goirand <z...@debian.org> Closes: 988888 988889 988890 Changes: ceph (14.2.21-1) unstable; urgency=high . * New upstream release, resolving these: - CVE-2021-3509: Cross Site Scripting via token Cookie (Closes: #988888). - CVE-2021-3524: injection of HTTP headers via a CORS ExposeHeader tag in the Ceph Storage RadosGW (Closes: #988889). - CVE-2021-3531: RadosGW denial of service (crash) (Closes: #988890). Checksums-Sha1: fec4210b9364ca0f6ed36b7dd0814334ded0c919 5896 ceph_14.2.21-1.dsc fa9070f10c96b7eee086509ac443b84392a55a65 129272778 ceph_14.2.21.orig.tar.gz 0112d8ae23a32d3ac8b16da2cd957912bda705d7 112220 ceph_14.2.21-1.debian.tar.xz ef02f592d5d86ffb4f6e67a736fa722a6d89f65a 34303 ceph_14.2.21-1_amd64.buildinfo Checksums-Sha256: c4b7c100dbc5ed59d77dcf814cb72c50acdab65e05ce6849becb184f966bb4c6 5896 ceph_14.2.21-1.dsc bcedc6a89dd660728b61299e8e12556e3782565c44a75e270016a9736bee0dc2 129272778 ceph_14.2.21.orig.tar.gz 417270dd57a6a4168c9d45e8e66d1d9889abd88dedf48ab53d6b01b80f512140 112220 ceph_14.2.21-1.debian.tar.xz d4251304b8eb33aed7a581c71de3c334eb1a5dc5dc9466e3d4a0541b71e8d9f4 34303 ceph_14.2.21-1_amd64.buildinfo Files: 937146d8d8601997e56685f2672210f5 5896 admin optional ceph_14.2.21-1.dsc 80c75b5421665fd1e412d29ce74313a2 129272778 admin optional ceph_14.2.21.orig.tar.gz 24f0be4481df558524a2ace8d29994a0 112220 admin optional ceph_14.2.21-1.debian.tar.xz 13047b94f0ac89cbeba8b0e087a55890 34303 admin optional ceph_14.2.21-1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmCvf1cACgkQ1BatFaxr Q/6XABAAoBy8R5V4Q8cBDEGlNs21UPvIgoAili3Z21Zx8KdAThB0aNx2vLDPNke8 JmmhLFNH0jVU42FlRSVfRj4dPCGu/rVQyv9DCs/+XMXBBfDbFAqaBvVp258UvnkL A/uKPG+oG71DVKdS+5nnWWDXpYFjhZjD3XhoRsh7UxSqdWGjx6rZ6zjtsA19IPL2 WTYraGZUBEUoc8fw//GkKjOGaIr6J0Lenm6hUG1fB7JcKFNtc1iiaYKCKVFGoOLZ uayJUAu0be5KI/7o4DIXrZctWcXxrGdRUBWV7Go/dv9gVZ7GjTFCywrwA289PS4Y /dY3u00c91Cyg42B2At8Z9LF8tvSORVWayYhfp1j/L3+NvVOgMRgAAwHj2PyaoZX CBCuDhK8EMTudRmI8IJ4/ZY1llZPadigwmFgTrxtWFPQK98+ir1nHFm7go5LP9aE n9Xb1syvGX78sMyQkIuZuI8PR7eLJhrpfXGORUvwf7AhvIXhOCAJh3C4MzOd5I9D Z9R9r+4cQIudtYHXFO/2EGpVMNj5Rzkh6Eu+lVaocQsoVqqCEvCTdAIHGqzkleuM m6pjWgo47H+37cgTP0VOr36MI7VAKtDnlrNJaSyAE5zSFMo8Lffu5diWrWo4bP5H DlPTJLmGvM3QBqp83AlRzzXGFAFpZw5tPeeDyQy38CBfDOaLNbs= =x9Rx -----END PGP SIGNATURE-----
--- End Message ---
