-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sat, 21 Oct 2023 16:42:26 +0000 Source: ceph Architecture: source Version: 12.2.11+dfsg1-2.1+deb10u1 Distribution: buster-security Urgency: medium Maintainer: Ceph Maintainers <ceph-maintainers@lists.ceph.com> Changed-By: Bastien Roucariès <rouca@debian.org> Closes: 1053690 Changes: ceph (12.2.11+dfsg1-2.1+deb10u1) buster-security; urgency=medium . * Non-maintainer upload by the LTS Security Team. . [ Stefano Rivera ] * Collection of minor security updates for Ceph. * CVE-2020-27781: Privilege Escalation: User credentials could be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An Open Stack Manila user can request access to a share to an arbitrary cephx user, including existing users. The access key is retrieved via the interface drivers. Then, all users of the requesting OpenStack project can view the access key. This enables the attacker to target any resource that the user has access to. This can be done to even "admin" users, compromising the ceph administrator. * CVE-2021-20288: Potential Privilege Escalation: When handling CEPHX_GET_PRINCIPAL_SESSION_KEY requests, ignore CEPH_ENTITY_TYPE_AUTH in CephXServiceTicketRequest::keys. * CVE-2020-1760: XSS: A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input. * CVE-2020-25678: Information Disclosure: ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible. * CVE-2019-10222: Denial of service: An unauthenticated attacker could crash the Ceph RGW server by sending valid HTTP headers and terminating the connection, resulting in a remote denial of service for Ceph RGW clients. * CVE-2020-10753 and CVE-2021-3524: Header Injection: It was possible to inject HTTP headers via a CORS ExposeHeader tag in an Amazon S3 bucket. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. * CVE-2020-12059: Denial of Service: A POST request with an invalid tagging XML could crash the RGW process by triggering a NULL pointer exception. * CVE-2020-1700: Denial of Service: A flaw was found in the way the Ceph RGW Beast front-end handles unexpected disconnects. An authenticated attacker can abuse this flaw by making multiple disconnect attempts resulting in a permanent leak of a socket connection by radosgw. This flaw could lead to a denial of service condition by pile up of CLOSE_WAIT sockets, eventually leading to the exhaustion of available resources, preventing legitimate users from connecting to the system. * CVE-2021-3531: Denial of Service: When processing a GET Request in Ceph Storage RGW for a swift URL that ends with two slashes it could cause the rgw to crash, resulting in a denial of service. * CVE-2021-3979: Loss of Confidentiality: A key length flaw was found in Ceph Storage. An attacker could exploit the fact that the key length is incorrectly passed in an encryption algorithm to create a non random key, which is weaker and can be exploited for loss of confidentiality and integrity on encrypted disks. . [ Bastien Roucariès ] . * CVE-2023-43040: A flaw was found in Ceph RGW. An unprivileged user can write to any bucket(s) accessible by a given key if a POST's form-data contains a key called 'bucket' with a value matching the name of the bucket used to sign the request. The result of this is that a user could actually upload to any bucket accessible by the specified access key as long as the bucket in the POST policy matches the bucket in said POST form part. (Closes: #1053690) Checksums-Sha1: 07e972628b7eb2727b0a8569e79a5aa4314a19c5 5510 ceph_12.2.11+dfsg1-2.1+deb10u1.dsc 50362b51a08bfe5284f1be1911beb58bf0c3aa8f 54781136 ceph_12.2.11+dfsg1.orig.tar.xz 2d7d46a9ab8940073b423c87e2f7dd35ead4068c 400416 ceph_12.2.11+dfsg1-2.1+deb10u1.debian.tar.xz d2aa6418bfa1556d51bad6820bf162d90b496d8f 38170 ceph_12.2.11+dfsg1-2.1+deb10u1_amd64.buildinfo Checksums-Sha256: 4953a00fb85a2fae4fe585f71c4199302c450b33be1e05a57811d9950cefe6f2 5510 ceph_12.2.11+dfsg1-2.1+deb10u1.dsc 71f093b198481387a30067efd34948fb94dd2f967b543ce000277ab699afc75d 54781136 ceph_12.2.11+dfsg1.orig.tar.xz 049124e0b5d973603c4f37c09b6c017a73429cee6ba00f5955f11a68e9c9b490 400416 ceph_12.2.11+dfsg1-2.1+deb10u1.debian.tar.xz ddb18b7489e12da6cca1ef0b0b7d92b0017c967d8ac529fcf3bff4cc535f0f20 38170 ceph_12.2.11+dfsg1-2.1+deb10u1_amd64.buildinfo Files: 79bfe6287f00fb00fb5e1536cd687edf 5510 admin optional ceph_12.2.11+dfsg1-2.1+deb10u1.dsc e4caffbadf81a0b95b05d82dea2fd39a 54781136 admin optional ceph_12.2.11+dfsg1.orig.tar.xz 1e45c8eeffa4c0cf6b7a6f10c320ef13 400416 admin optional ceph_12.2.11+dfsg1-2.1+deb10u1.debian.tar.xz 67dbf7976aa3160296f32d1c3535022e 38170 admin optional ceph_12.2.11+dfsg1-2.1+deb10u1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQJFBAEBCgAvFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmU087YRHHJvdWNhQGRl Ymlhbi5vcmcACgkQADoaLapBCF97mQ//cZ921g/WSxiht6Nyc79Af26gCxFdSLQz AfrYx3fZGPmEq31N8EJe4pUKIm0d/XYle/xSO66g+AjBpwegRSK5oBL9wk21Ot0d +1uumZUqtXBYxfjwLmKbjRFoNbMkcyLzRfsfIfC4nmDgWFhsh8ouM3+roMTsLvmC kPj6GLr6v52CpwSwG+VLzGi37SG0ai7nnFhKP/ffjcIuMJlmOFxEE4UxAvuCa9ur Xi9Ez+/DsbZKpo4vGV9/whajHZlQY6iGBzdxs+DFsrHn1uetBU+VeI8dHML32mv3 XpqrKyAwgMGsLGnu+bsP/ggpKck/BdCFB3eO7jkd5hlDbyeHkYYYSlBnrgqynnUP M8nBo469+OHVaRnBbCG0MioCxyOVlZJy32Jf0xa+ODrliqZM6dOR+7EzxNxr0aqt unp5ST6V27nBSb4oMAnN80JRmpH4TvlgTwEshXpHDjc8RsUykK6Q3w9g/R9DCGAr wj/NYHEQkTlXe2rxV2lvQ5OEKD/0xV8cF2kswl1r5wko0n/3NxMIXbGHP6UAqBxQ h4oUvsYgo1SQ5dSDlp27EbA7CrlTD/NCNPLMoGIRlrZL7/W4eVy+uYEqHPwXx8ZN BrHITswvIYNMU1k5Nd1bx5Kb7UEuibhh+N2ufmlJTy0xb0AW2vX74jBKZzCQGfVW Vyr91CoKHEc= =Cm5X -----END PGP SIGNATURE-----