Public bug reported:

[Impact]
This release fixes several bugs. We would like to make sure all of our users have access to these improvements.

The update contains the following package updates:

 * ceph 15.2.12

[Test Case]
The following SRU process was followed:

https://wiki.ubuntu.com/OpenStackUpdates

In order to avoid regression of existing users, the OpenStack team will run their continuous integration test against the packages that are in -proposed. A successful run of all available tests will be required before the proposed packages can be let into -updates.

The OpenStack team will be in charge of attaching the output summary of the executed tests. The OpenStack team members will not mark ‘verification-done’ until this has happened.

[Regression Potential]
In order to mitigate the regression potential, the results of the aforementioned tests are attached to this bug.

[Upstream release announcement]

V15.2.12 OCTOPUS

This is a hotfix release addressing a number of security issues and regressions. We recommend all users update to this release.

CHANGELOG

mgr/dashboard: fix base-href: revert it to previous approach (issue#50684, Avan Thakkar)

mgr/dashboard: fix cookie injection issue (CVE-2021-3509: Dashboard XSS via token cookie, Ernesto Puerta)

rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name (CVE-2021-3531: Swift API denial of service, Felix Huettner)

rgw: sanitize \r in s3 CORSConfiguration’s ExposeHeader (CVE-2021-3524: HTTP header injects via CORS in RGW, Sergey Bobrov, Casey Bodley)

** Affects: cloud-archive
   Importance: Undecided
   Status: Invalid

** Affects: cloud-archive/ussuri
   Importance: High
   Status: Triaged

** Affects: ceph (Ubuntu)
   Importance: Undecided
   Status: Invalid

** Affects: ceph (Ubuntu Focal)
   Importance: High
   Status: Triaged

** Affects: ceph (Ubuntu Groovy)
   Importance: High
   Status: Triaged

** Also affects: ceph (Ubuntu Groovy)
   Importance: Undecided
   Status: New

** Also affects: ceph (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Changed in: ceph (Ubuntu Focal)
   Status: New => Triaged

** Changed in: ceph (Ubuntu Groovy)
   Status: New => Triaged

** Changed in: ceph (Ubuntu)
   Status: New => Invalid

** Changed in: ceph (Ubuntu Groovy)
   Importance: Undecided => High

** Changed in: ceph (Ubuntu Focal)
   Importance: Undecided => High

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3509

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3531

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3524

** Description changed: - TBC + Upstream release announcement: + + V15.2.12 OCTOPUS + + This is a hotfix release addressing a number of security issues and + regressions. We recommend all users update to this release. + + + CHANGELOG + mgr/dashboard: fix base-href: revert it to previous approach (issue#50684, Avan Thakkar) + + mgr/dashboard: fix cookie injection issue (CVE-2021-3509: Dashboard XSS + via token cookie, Ernesto Puerta) + + rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name + (CVE-2021-3531: Swift API denial of service, Felix Huettner) + + rgw: sanitize r in s3 CORSConfiguration’s ExposeHeader (CVE-2021-3524: + HTTP header injects via CORS in RGW, Sergey Bobrov, Casey Bodley)

** Description changed: - Upstream release announcement: + [Impact] + This release fixes several bugs. We would like to make sure all of our users have access to these improvements. + + The update contains the following package updates: + + * ceph 15.2.11 + + [Test Case] + The following SRU process was followed: + + https://wiki.ubuntu.com/OpenStackUpdates + + In order to avoid regression of existing users, the OpenStack team will + run their continuous integration test against the packages that are in + -proposed. A successful run of all available tests will be required + before the proposed packages can be let into -updates. + + The OpenStack team will be in charge of attaching the output summary of + the executed tests. The OpenStack team members will not mark + ‘verification-done’ until this has happened. 
+ + [Regression Potential] + In order to mitigate the regression potential, the results of the + aforementioned tests are attached to this bug. + + [Upstream release announcement] V15.2.12 OCTOPUS This is a hotfix release addressing a number of security issues and regressions. We recommend all users update to this release. - CHANGELOG mgr/dashboard: fix base-href: revert it to previous approach (issue#50684, Avan Thakkar) mgr/dashboard: fix cookie injection issue (CVE-2021-3509: Dashboard XSS via token cookie, Ernesto Puerta) rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name (CVE-2021-3531: Swift API denial of service, Felix Huettner) rgw: sanitize r in s3 CORSConfiguration’s ExposeHeader (CVE-2021-3524: HTTP header injects via CORS in RGW, Sergey Bobrov, Casey Bodley) ** Description changed: [Impact] This release fixes several bugs. We would like to make sure all of our users have access to these improvements. The update contains the following package updates: - * ceph 15.2.11 + * ceph 15.2.12 [Test Case] The following SRU process was followed: https://wiki.ubuntu.com/OpenStackUpdates In order to avoid regression of existing users, the OpenStack team will run their continuous integration test against the packages that are in -proposed. A successful run of all available tests will be required before the proposed packages can be let into -updates. The OpenStack team will be in charge of attaching the output summary of the executed tests. The OpenStack team members will not mark ‘verification-done’ until this has happened. [Regression Potential] In order to mitigate the regression potential, the results of the aforementioned tests are attached to this bug. [Upstream release announcement] V15.2.12 OCTOPUS This is a hotfix release addressing a number of security issues and regressions. We recommend all users update to this release. 
CHANGELOG mgr/dashboard: fix base-href: revert it to previous approach (issue#50684, Avan Thakkar) mgr/dashboard: fix cookie injection issue (CVE-2021-3509: Dashboard XSS via token cookie, Ernesto Puerta) rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name (CVE-2021-3531: Swift API denial of service, Felix Huettner) rgw: sanitize r in s3 CORSConfiguration’s ExposeHeader (CVE-2021-3524: HTTP header injects via CORS in RGW, Sergey Bobrov, Casey Bodley)

** Also affects: cloud-archive
   Importance: Undecided
   Status: New

** Also affects: cloud-archive/ussuri
   Importance: Undecided
   Status: New

** Changed in: cloud-archive
   Status: New => Invalid

** Changed in: cloud-archive/ussuri
   Status: New => Triaged

** Changed in: cloud-archive/ussuri
   Importance: Undecided => High

https://bugs.launchpad.net/bugs/1929179

Title: [SRU] ceph 15.2.12
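
Review bot: In the second description change, the added [Impact] text says only "This release fixes several bugs", but the [Upstream release announcement] kept beneath it describes 15.2.12 as a hotfix for security issues and lists CVE-2021-3509, CVE-2021-3531 and CVE-2021-3524. Say in [Impact] that this is a security update and name the three CVEs there, so the reason for the SRU is visible without reading down to the changelog. The same change also added "* ceph 15.2.11" under a V15.2.12 heading, which the third change had to correct to 15.2.12. In addition, [Regression Potential] states that the test results "are attached to this bug" while [Test Case] describes the run as still to come ("will run", "will be required"), so word it as "will be attached" until the output is actually there.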