3 security issues in stretch

package:
ceph
severity:
high
created:
2019-01-11
last updated:
2019-03-01

There are 3 open security issues in stretch.
2 important issues:
  • CVE-2018-14662: It was found Ceph versions before 13.2.4 that authenticated ceph users with read only permissions could steal dm-crypt encryption keys used in ceph disk encryption.
  • CVE-2018-16846: It was found in Ceph versions before 13.2.4 that authenticated ceph RGW users can cause a denial of service against OMAPs holding bucket indices.
1 issue skipped by the security teams:
  • CVE-2018-16889: Ceph does not properly sanitize encryption keys in debug logging for v4 auth. This results in the leaking of encryption key information in log files via plaintext. Versions up to v13.2.4 are vulnerable.
Please fix them.