UbuntuUpdates.org

Package "ceph-fuse"

Name: ceph-fuse

Description:

FUSE-based client for the Ceph distributed file system
Latest version: 17.2.7-0ubuntu0.22.04.2
Release: jammy (22.04)
Level: security
Repository: universe
Head package: ceph
Homepage: http://ceph.com/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "ceph-fuse"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "ceph-fuse" in Jammy

Repository Area Version
base universe 17.1.0-0ubuntu3
updates universe 17.2.9-0ubuntu0.22.04.1

Changelog

Version: 17.2.7-0ubuntu0.22.04.2 2025-01-06 17:07:22 UTC

  ceph (17.2.7-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Authentication bypass through unsupported JWT algorithm.
    - debian/patches/CVE-2024-48916.patch: Disallow unsupported JWT algorithms
      in src/rgw/rgw_rest_sts.cc.
    - CVE-2024-48916

 -- Hlib Korzhynskyy <email address hidden> Wed, 18 Dec 2024 11:18:59 -0330
Source diff to previous version
CVE-2024-48916 Authentication bypass in CEPH RadosGW

Version: 17.2.6-0ubuntu0.22.04.3 2024-01-29 12:10:25 UTC

  ceph (17.2.6-0ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: Improper bucket validation in POST requests
    - debian/patches/CVE-2023-43040.patch: rgw: Fix bucket validation against POST policies
    - CVE-2023-43040

 -- Nick Galanis <email address hidden> Thu, 11 Jan 2024 12:26:46 +0000
Source diff to previous version
CVE-2023-43040 Improperly verified POST keys

Version: 17.2.5-0ubuntu0.22.04.3 2023-05-09 17:07:35 UTC

  ceph (17.2.5-0ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via ceph crash service
    - debian/patches/CVE-2022-3650-1.patch: re-add unused frame in
      handler() in src/ceph-crash.in.
    - debian/patches/CVE-2022-3650-2.patch: fix some flake8 issues in
      src/ceph-crash.in.
    - debian/patches/CVE-2022-3650-3.patch: fix stderr handling in
      src/ceph-crash.in.
    - debian/patches/CVE-2022-3650-4.patch: drop privleges to run as "ceph"
      user, rather than root in src/ceph-crash.in.
    - debian/patches/CVE-2022-3650-5.patch: chown crash files to ceph user
      in qa/workunits/rados/test_crash.sh.
    - debian/patches/CVE-2022-3650-6.patch: log warning if crash directory
      unreadable in src/ceph-crash.in.
    - CVE-2022-3650
  * This also fixes CVE-2022-0670 and CVE-2022-3854 in the -security
    pocket.

 -- Marc Deslauriers <email address hidden> Wed, 19 Apr 2023 18:59:11 -0400
CVE-2022-3650 A privilege escalation flaw was found in Ceph. Ceph-crash.service allows a local attacker to escalate privileges to root in the form of a crash dump,
CVE-2022-0670 A flaw was found in Openstack manilla owning a Ceph File system "share", which enables the owner to read/write any manilla share or entire file syste
CVE-2022-3854 A flaw was found in Ceph, relating to the URL processing on RGW backends. An attacker can exploit the URL processing by providing a null URL to crash


About   -   Send Feedback to @ubuntu_updates