Debian Bug report logs -
#1024932
ceph-base: ceph to root privilege escalation via ceph-crash.service CVE-2022-3650
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Ceph Packaging Team <team+ceph@tracker.debian.org>
:
Bug#1024932
; Package ceph-base
.
(Sun, 27 Nov 2022 21:03:40 GMT) (full text, mbox, link).
Acknowledgement sent
to Helmut Grohne <helmut@subdivi.de>
:
New Bug report received and forwarded. Copy sent to Ceph Packaging Team <team+ceph@tracker.debian.org>
.
(Sun, 27 Nov 2022 21:03:40 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: ceph-base
Version: 16.2.10+ds-3
Severity: serious
Tags: security
ceph-crash.service as shipped by ceph-base is vulnerable to
CVE-2022-3650, which is a privilege escalation from the ceph user to
root. Please refer to the notes from
https://security-tracker.debian.org/tracker/CVE-2022-3650 for more
details:
| https://www.openwall.com/lists/oss-security/2022/10/25/1
| https://tracker.ceph.com/issues/57967
| https://github.com/ceph/ceph/pull/48713
| https://github.com/ceph/ceph/commit/45915540559126a652f8d9d105723584cfc63439 (main)
| https://github.com/ceph/ceph/commit/130c9626598bc3a75942161e6cce7c664c447382 (main)
| Backport to Pacific: https://github.com/ceph/ceph/pull/48804
| Backport to Quincy: https://github.com/ceph/ceph/pull/48805
Helmut
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Mon, 28 Nov 2022 05:24:02 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Mon Nov 28 07:13:16 2022;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.