[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-25678, CVE-2021-20288, ceph as no-dsa for Stretch
Markus Koschany (@apo)
apo at debian.org
Wed Aug 11 14:24:24 BST 2021
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
da6b1dfb by Markus Koschany at 2021-08-11T15:24:11+02:00
Mark CVE-2020-25678, CVE-2021-20288, ceph as no-dsa for Stretch
and postpone CVE-2020-27781
CVE-2021-20288
The fix is to implement a new option to disallow unauthorized global_id reuse and to make
a distinction between legacy clients and new clients. The risks are too high in this case
to break setups which rely on the current behavior. For legacy clients like the
ones in Jessie the default behavior will be permissive for the foreseeable
future hence there is no need to implement a possibly disruptive change.
CVE-2020-25678
Sensitive information is only visible in debug mode.
A simple workaround would be to make the log files not world-readable.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -44929,6 +44929,7 @@ CVE-2021-20289 (A flaw was found in RESTEasy in all versions of RESTEasy up to 4
CVE-2021-20288 (An authentication flaw was found in ceph in versions before 14.2.20. W ...)
- ceph 14.2.20-1 (bug #986974)
[buster] - ceph <no-dsa> (Minor issue)
+ [stretch] - ceph <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/04/14/2
NOTE: https://github.com/ceph/ceph/commit/059eabcc0ada81078a898cdc25cf72bf3d506ad0
NOTE: https://github.com/ceph/ceph/commit/05b3b6a305ddbb56cc53bbeadf5866db4d785f49
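Review bot: The added `[stretch] - ceph <no-dsa> (Minor issue)` line for CVE-2021-20288 copies the buster wording, but the commit message gives a more specific reason: the fix introduces a new option to disallow unauthorized global_id reuse, and the risk of breaking setups that rely on the current behavior is considered too high. Suggest putting that reason in the parenthesised text or in a NOTE line so the tracker entry explains the decision on its own. The commit message also argues from legacy clients "like the ones in Jessie" while this line triages stretch, so it is worth confirming which release the reasoning is meant to cover.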
@@ -56280,6 +56281,7 @@ CVE-2020-27782 (A flaw was found in the Undertow AJP connector. Malicious reques
CVE-2020-27781 (User credentials can be manipulated and stolen by Native CephFS consum ...)
- ceph 14.2.16-1 (bug #985670)
[buster] - ceph <no-dsa> (Minor issue)
+ [stretch] - ceph <postponed> (Minor issue)
NOTE: https://bugs.launchpad.net/manila/+bug/1904015
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1900109
NOTE: https://github.com/ceph/ceph/commit/1b8a634fdcd94dfb3ba650793fb1b6d09af65e05 (octopus)
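Review bot: The added `[stretch] - ceph <postponed> (Minor issue)` line for CVE-2020-27781 carries no stated reason: the commit message explains the two no-dsa decisions but says only "and postpone CVE-2020-27781". Since buster is marked `<no-dsa>` with the same "Minor issue" text, suggest stating in the parenthesised text why stretch is postponed rather than no-dsa, for example what the fix is waiting on.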
@@ -61826,6 +61828,7 @@ CVE-2020-25679
CVE-2020-25678 (A flaw was found in ceph in versions prior to 16.y.z where ceph stores ...)
- ceph 14.2.18-1
[buster] - ceph <no-dsa> (Minor issue)
+ [stretch] - ceph <no-dsa> (Minor issue)
NOTE: https://tracker.ceph.com/issues/37503
NOTE: https://github.com/ceph/ceph/pull/38614 (v14.2.17)
CVE-2020-25677 (A flaw was found in Ceph-ansible v4.0.41 where it creates an /etc/ceph ...)
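Review bot: The added `[stretch] - ceph <no-dsa> (Minor issue)` line for CVE-2020-25678 leaves its justification in the commit message only: the sensitive information is visible only in debug mode, and making the log files not world-readable is given as a workaround. Suggest adding a NOTE line under this entry with that workaround, so someone reading data/CVE/list sees the mitigation without going through the git history.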
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da6b1dfbb9bd265a043ac20df4d21e0f7da5f205