UbuntuUpdates.org

Package "ceph-mgr"

Name: ceph-mgr

Description:

manager for the ceph distributed file system

Latest version: 15.2.17-0ubuntu0.20.04.6
Release: focal (20.04)
Level: security
Repository: main
Head package: ceph
Homepage: http://ceph.com/

Links


Download "ceph-mgr"


Other versions of "ceph-mgr" in Focal

Repository Area Version
base main 15.2.1-0ubuntu1
updates main 15.2.17-0ubuntu0.20.04.6

Changelog

Version: 15.2.17-0ubuntu0.20.04.6 2024-01-29 12:10:21 UTC

  ceph (15.2.17-0ubuntu0.20.04.6) focal-security; urgency=medium

  * SECURITY UPDATE: Improper bucket validation in POST requests
    - debian/patches/CVE-2023-43040.patch: rgw: Fix bucket validation against POST policies
    - CVE-2023-43040

 -- Nick Galanis <email address hidden> Thu, 11 Jan 2024 12:26:21 +0000

Source diff to previous version
CVE-2023-43040 Improperly verified POST keys

Version: 15.2.17-0ubuntu0.20.04.3 2023-05-09 22:07:08 UTC

  ceph (15.2.17-0ubuntu0.20.04.3) focal-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via ceph crash service
    - debian/patches/CVE-2022-3650-2.patch: fix some flake8 issues in
      src/ceph-crash.in.
    - debian/patches/CVE-2022-3650-3.patch: fix stderr handling in
      src/ceph-crash.in.
    - debian/patches/CVE-2022-3650-4.patch: drop privleges to run as "ceph"
      user, rather than root in src/ceph-crash.in.
    - debian/patches/CVE-2022-3650-5.patch: chown crash files to ceph user
      in qa/workunits/rados/test_crash.sh.
    - debian/patches/CVE-2022-3650-6.patch: log warning if crash directory
      unreadable in src/ceph-crash.in.
    - CVE-2022-3650
  * This also fixes CVE-2021-3979 and CVE-2022-0670 in the -security
    pocket.

 -- Marc Deslauriers <email address hidden> Wed, 19 Apr 2023 19:05:07 -0400

Source diff to previous version
CVE-2022-3650 A privilege escalation flaw was found in Ceph. Ceph-crash.service allows a local attacker to escalate privileges to root in the form of a crash dump,
CVE-2021-3979 A key length flaw was found in Red Hat Ceph Storage. An attacker can exploit the fact that the key length is incorrectly passed in an encryption algo
CVE-2022-0670 A flaw was found in Openstack manilla owning a Ceph File system "share", which enables the owner to read/write any manilla share or entire file syste

Version: 15.2.12-0ubuntu0.20.04.1 2021-06-25 01:06:20 UTC

  ceph (15.2.12-0ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: New upstream release (LP: #1929179):
    - CVE-2021-3509: Dashboard XSS via token cookie.
    - CVE-2021-3531: Swift API denial of service.
    - CVE-2021-3531: HTTP header injects via CORS in RGW.

 -- James Page <email address hidden> Mon, 24 May 2021 16:07:20 +0100

Source diff to previous version
1929179 [SRU] ceph 15.2.12
CVE-2021-3509 A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component. In response to CVE-2020-27839, the JWT token was moved from localStorage to a
CVE-2021-3531 A flaw was found in the Red Hat Ceph Storage RGW in versions before 14.2.21. When processing a GET Request for a swift URL that ends with two slashes

Version: 15.2.7-0ubuntu0.20.04.2 2021-01-27 16:06:20 UTC

  ceph (15.2.7-0ubuntu0.20.04.2) focal-security; urgency=medium

  * No-change rebuild in security pocket.
  * SECURITY UPDATE: Authorization bypass vulnerability
    - CVE-2020-10736
    - CVE-2020-25660
  * SECURITY UPDATE: Code injection vulnerability
    - CVE-2020-10753

 -- Paulo Flabiano Smorigo <email address hidden> Wed, 20 Jan 2021 19:09:07 +0000

CVE-2020-10736 An authorization bypass vulnerability was found in Ceph versions 15.2.0 before 15.2.2, where the ceph-mon and ceph-mgr daemons do not properly restri
CVE-2020-25660 A flaw was found in the Cephx authentication protocol in versions before 15.2.6 and before 14.2.14, where it does not verify Ceph clients correctly a
CVE-2020-10753 A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS



About   -   Send Feedback to @ubuntu_updates