[Git][security-tracker-team/security-tracker][master] Reserve DLA-3629-1 for ceph

Bastien Roucariès (@rouca) rouca at debian.org
Mon Oct 23 17:42:43 BST 2023



Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker


Commits:
35ee1912 by Bastien Roucariès at 2023-10-23T16:42:16+00:00
Reserve DLA-3629-1 for ceph

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -138309,7 +138309,6 @@ CVE-2021-3980 (elgg is vulnerable to Exposure of Private Personal Information to
 CVE-2021-3979 (A key length flaw was found in Red Hat Ceph Storage. An attacker can e ...)
 	- ceph 16.2.9+ds-1
 	[bullseye] - ceph <no-dsa> (Minor issue)
-	[buster] - ceph <no-dsa> (Minor issue)
 	[stretch] - ceph <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2022/01/11/5
 	NOTE: https://tracker.ceph.com/issues/54006
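Review bot: the hunk drops the "[buster] - ceph <no-dsa> (Minor issue)" line for CVE-2021-3979 but adds no "{DLA-3629-1}" cross-reference to the entry, so until the advisory is published the tracker shows buster as plainly vulnerable with no pointer to the pending DLA; the same holds for every other data/CVE/list hunk in this commit. If the cross-reference is intended to be added at publication time that is fine, otherwise add a "{DLA-3629-1}" line above "- ceph 16.2.9+ds-1", in the form the CVE-2021-3524 entry already uses for "{DLA-2735-1}".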
@@ -172780,7 +172779,6 @@ CVE-2021-3532 (A flaw was found in Ansible where the secret information present
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1956464
 CVE-2021-3531 (A flaw was found in the Red Hat Ceph Storage RGW in versions before 14 ...)
 	- ceph 14.2.21-1 (bug #988890)
-	[buster] - ceph <no-dsa> (Minor issue)
 	[stretch] - ceph <not-affected> (Vulnerable code introduced later)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/05/14/5
 	NOTE: Nautilus: https://github.com/ceph/ceph/commit/f44a8ae8aa27ecef69528db9aec220f12492810e
@@ -172997,7 +172995,6 @@ CVE-2021-3525
 CVE-2021-3524 (A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gate ...)
 	{DLA-2735-1}
 	- ceph 14.2.21-1 (bug #988889)
-	[buster] - ceph <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1951674
 	NOTE: Fixed by: https://github.com/ceph/ceph/commit/763aebb94678018f89427137ffbc0c5205b1edc1
 CVE-2021-3523 (A flaw was found in 3Scale APICast in versions prior to 2.11.0, where  ...)
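Review bot: this entry already carries "{DLA-2735-1}", and the CVE-2020-1760 hunk further down shows the multi-advisory form "{DLA-2735-1 DLA-2171-1}"; when DLA-3629-1 is recorded against CVE-2021-3524 it should be appended inside the existing braces rather than added as a second brace line, matching that convention.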
@@ -203748,7 +203745,6 @@ CVE-2021-20289 (A flaw was found in RESTEasy in all versions of RESTEasy up to 4
 	NOT-FOR-US: Keycloak
 CVE-2021-20288 (An authentication flaw was found in ceph in versions before 14.2.20. W ...)
 	- ceph 14.2.20-1 (bug #986974)
-	[buster] - ceph <no-dsa> (Minor issue)
 	[stretch] - ceph <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/04/14/2
 	NOTE: https://github.com/ceph/ceph/commit/059eabcc0ada81078a898cdc25cf72bf3d506ad0
@@ -215387,7 +215383,6 @@ CVE-2020-27782 (A flaw was found in the Undertow AJP connector. Malicious reques
 	NOTE: https://github.com/undertow-io/undertow/commit/fdac349cbcd1da41fe8b9d4e7ebbab6879990c2a (2.2.4.Final)
 CVE-2020-27781 (User credentials can be manipulated and stolen by Native CephFS consum ...)
 	- ceph 14.2.16-1 (bug #985670)
-	[buster] - ceph <no-dsa> (Minor issue)
 	[stretch] - ceph <postponed> (Minor issue)
 	NOTE: https://bugs.launchpad.net/manila/+bug/1904015
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1900109
@@ -221052,7 +221047,6 @@ CVE-2020-25679
 	REJECTED
 CVE-2020-25678 (A flaw was found in ceph in versions prior to 16.y.z where ceph stores ...)
 	- ceph 14.2.18-1
-	[buster] - ceph <no-dsa> (Minor issue)
 	[stretch] - ceph <no-dsa> (Minor issue)
 	NOTE: https://tracker.ceph.com/issues/37503
 	NOTE: https://github.com/ceph/ceph/pull/38614 (v14.2.17)
@@ -253338,7 +253332,6 @@ CVE-2020-12060
 	RESERVED
 CVE-2020-12059 (An issue was discovered in Ceph through 13.2.9. A POST request with an ...)
 	- ceph 14.2.4-1
-	[buster] - ceph <no-dsa> (Minor issue)
 	[stretch] - ceph <not-affected> (Vulnerable code introduced later)
 	[jessie] - ceph <not-affected> (Vulnerable code introduced later)
 	NOTE: https://tracker.ceph.com/issues/44967
@@ -258267,7 +258260,6 @@ CVE-2020-10754 (It was found that nmcli, a command line interface to NetworkMana
 CVE-2020-10753 (A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gate ...)
 	{DLA-2735-1}
 	- ceph 14.2.15-1 (bug #975300)
-	[buster] - ceph <no-dsa> (Minor issue)
 	[jessie] - ceph <no-dsa> (Minor issue)
 	NOTE: https://github.com/ceph/ceph/pull/35773
 	NOTE: Fix: https://github.com/ceph/ceph/commit/1524d3c0c5cb11775313ea1e2bb36a93257947f2
@@ -282519,7 +282511,6 @@ CVE-2020-1761 (A flaw was found in the OpenShift web console, where the access t
 CVE-2020-1760 (A flaw was found in the Ceph Object Gateway, where it supports request ...)
 	{DLA-2735-1 DLA-2171-1}
 	- ceph 14.2.9-1 (bug #956142)
-	[buster] - ceph <no-dsa> (Minor issue)
 	NOTE: Introduced with: https://github.com/ceph/ceph-ci/commit/f4a0b2d9260a4523745875e3977a8a1ef9dc5e2e
 	NOTE: Fixed by: https://github.com/ceph/ceph-ci/commit/8aa1f77363ec32bdc57744a143035033291ab5e1
 	NOTE: Fixed by: https://github.com/ceph/ceph-ci/commit/18eb4d918b27d362312c29a3bbd57a421897c0a5
@@ -282783,7 +282774,6 @@ CVE-2020-1701 (A flaw was found in the KubeVirt main virt-handler versions befor
 	NOT-FOR-US: KubeVirt
 CVE-2020-1700 (A flaw was found in the way the Ceph RGW Beast front-end handles unexp ...)
 	- ceph 14.2.7-1
-	[buster] - ceph <no-dsa> (Minor issue)
 	[stretch] - ceph <not-affected> (Vulnerable code introduced later)
 	[jessie] - ceph <not-affected> (Vulnerable code introduced later)
 	NOTE: https://tracker.ceph.com/issues/42531
@@ -313730,7 +313720,6 @@ CVE-2019-10223 (A security issue was discovered in the kube-state-metrics versio
 	NOT-FOR-US: kube-state-metrics
 CVE-2019-10222 (A flaw was found in the Ceph RGW configuration with Beast as the front ...)
 	- ceph 14.2.4-1 (bug #936015)
-	[buster] - ceph <no-dsa> (Minor issue; only triggerable if experimental feature enabled)
 	[stretch] - ceph <not-affected> (Vulnerable code not present)
 	[jessie] - ceph <not-affected> (Vulnerable code not present)
 	NOTE: https://www.openwall.com/lists/oss-security/2019/08/28/9
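Review bot: the removed buster line carried the triage rationale "only triggerable if experimental feature enabled", which none of the remaining NOTE lines preserve. It explains why the issue was held as minor and still bears on the severity wording for the DLA text, so consider keeping it as a plain NOTE line (for example "NOTE: only triggerable if experimental feature enabled") rather than losing it together with the no-dsa tag.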


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[23 Oct 2023] DLA-3629-1 ceph - security update
+	{CVE-2019-10222 CVE-2020-1700 CVE-2020-1760 CVE-2020-10753 CVE-2020-12059 CVE-2020-25678 CVE-2020-27781 CVE-2021-3524 CVE-2021-3531 CVE-2021-3979 CVE-2021-20288 CVE-2023-43040}
+	[buster] - ceph 12.2.11+dfsg1-2.1+deb10u1
 [23 Oct 2023] DLA-3628-1 dbus - security update
 	{CVE-2023-34969}
 	[buster] - dbus 1.12.28-0+deb10u1
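Review bot: the new entry lists twelve CVEs, but this commit touches only eleven of them in data/CVE/list; CVE-2023-43040 has no hunk. If that entry still carries a buster tag (no-dsa or postponed) it needs the same cleanup as the others, and if it never had one nothing is required, but it deserves a quick check since the dla-needed.txt note for this package was specifically about the CVE-2023-43040 patch.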


=====================================
data/dla-needed.txt
=====================================
@@ -40,10 +40,6 @@ cairosvg
   NOTE: 20230323: Added by Front-Desk (gladk)
   NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive)
 --
-ceph (rouca)
-  NOTE: 20231013: Added by Front-Desk (ta)
-  NOTE: 20231021: Patch fixing CVE-2023-43040 seems to make testsuite fail
---
 cinder
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
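Review bot: the removed 20231021 note records that the patch for CVE-2023-43040 appeared to make the test suite fail, and nothing in this commit says how that was resolved (patch reworked, failure judged spurious, or test disabled). Reserving the DLA is the point where that decision is made, so record the outcome somewhere durable, for instance in the DLA text or the package changelog, rather than letting it disappear with the dla-needed.txt entry.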



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35ee1912a57e9b70f5827baf9f5b247c5c6222f0
