ceph: CVE-2023-43040: Improperly verified POST keys

Related Vulnerabilities: CVE-2023-43040  

Debian Bug report logs - #1053690


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 8 Oct 2023 20:03:02 UTC

Severity: important

Tags: security, upstream

Found in version ceph/16.2.11+ds-4

Fixed in version ceph/16.2.11+ds-5

Done: Thomas Goirand <zigo@debian.org>

Forwarded to https://tracker.ceph.com/issues/63004 https://github.com/ceph/ceph/pull/53714



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Ceph Packaging Team <team+ceph@tracker.debian.org>:
Bug#1053690; Package src:ceph. (Sun, 08 Oct 2023 20:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Ceph Packaging Team <team+ceph@tracker.debian.org>. (Sun, 08 Oct 2023 20:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ceph: CVE-2023-43040: Improperly verified POST keys
Date: Sun, 08 Oct 2023 21:58:28 +0200
Source: ceph
Version: 16.2.11+ds-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/ceph/ceph/pull/53714
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for ceph.

CVE-2023-43040[0]:
| Improperly verified POST keys


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-43040
    https://www.cve.org/CVERecord?id=CVE-2023-43040
[1] https://www.openwall.com/lists/oss-security/2023/09/26/10
[2] https://github.com/ceph/ceph/pull/53714

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Changed Bug forwarded-to-address to 'https://tracker.ceph.com/issues/63004 https://github.com/ceph/ceph/pull/53714' from 'https://github.com/ceph/ceph/pull/53714'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 08 Oct 2023 20:21:02 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#1053690. (Mon, 09 Oct 2023 08:42:03 GMT)


Message #10 received at 1053690-submitter@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 1053690-submitter@bugs.debian.org
Subject: Bug#1053690 marked as pending in ceph
Date: Mon, 09 Oct 2023 08:39:49 +0000
Control: tag -1 pending

Hello,

Bug #1053690 in ceph reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/ceph-team/ceph/-/commit/26116caa53ec2f1d04801a96e07f62778ef13c58

------------------------------------------------------------------------
* CVE-2023-43040: security issue with RGW with improperly verified POST keys.
    Applied upstream fix: rgw: Fix bucket validation against POST policies
    (Closes: #1053690).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1053690



Added tag(s) pending. Request was from Thomas Goirand <zigo@debian.org> to 1053690-submitter@bugs.debian.org. (Mon, 09 Oct 2023 08:42:03 GMT)


Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Mon, 09 Oct 2023 09:12:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 09 Oct 2023 09:12:08 GMT)


Message #17 received at 1053690-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1053690-close@bugs.debian.org
Subject: Bug#1053690: fixed in ceph 16.2.11+ds-5
Date: Mon, 09 Oct 2023 09:08:59 +0000
Source: ceph
Source-Version: 16.2.11+ds-5
Done: Thomas Goirand <zigo@debian.org>

We believe that the bug you reported is fixed in the latest version of
ceph, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1053690@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated ceph package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 09 Oct 2023 08:53:31 +0200
Source: ceph
Architecture: source
Version: 16.2.11+ds-5
Distribution: unstable
Urgency: high
Maintainer: Ceph Packaging Team <team+ceph@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1053690
Changes:
 ceph (16.2.11+ds-5) unstable; urgency=high
 .
   * CVE-2023-43040: security issue with RGW with improperly verified POST keys.
     Applied upstream fix: rgw: Fix bucket validation against POST policies
     (Closes: #1053690).
Checksums-Sha1:
 8fad28792097a13f939fb90b683140053e5e89c3 8082 ceph_16.2.11+ds-5.dsc
 6e66532749768cec71eef00574f916a1ce53f7ed 122088 ceph_16.2.11+ds-5.debian.tar.xz
 7efa0d140a4698bab6a6c7078c32608e161d461e 42412 ceph_16.2.11+ds-5_amd64.buildinfo
Checksums-Sha256:
 f6f298352f777aa5e8c9803d8ec9846fcc3610a63b8c7a0765d980717f9afef6 8082 ceph_16.2.11+ds-5.dsc
 7b7b4ae28430cbad958b74b7faf266b7897892200ec6f1e7a758adee40572539 122088 ceph_16.2.11+ds-5.debian.tar.xz
 47ed629b74ccb8b4db31a19cb1bcbdc483887dafd65cd9d8d4e41142695344e4 42412 ceph_16.2.11+ds-5_amd64.buildinfo
Files:
 79f7ed1dbfb99b68622f8a87f1e562f2 8082 admin optional ceph_16.2.11+ds-5.dsc
 876a320457200e1bd3ffe78f4e4360a4 122088 admin optional ceph_16.2.11+ds-5.debian.tar.xz
 c7fe4c2733db06d1569fc98571a9a303 42412 admin optional ceph_16.2.11+ds-5_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmUjvFsACgkQ1BatFaxr
Q/5pSQ/7BOOHGv0clxylUJ009s5ApM01tDzojBK15UsFqB5dsDsTG6pd+1mtAP+E
a6q7wC3mP4X1xxh5nN+EHagPIigew4k5xDg6DV/BsP/DSJ/fx9pLCZhj0e9bFXFS
lR+CvSJosJVxRBiAcevzAJE9y3+SA0Q8Zck2yciKbc+4J1RHWCBn2vrMwUHjF9CG
WtLSwOmeZqQV30W7MxLDUsgGWjon4cuxoY0T9PkcuJpSNhK9SNed1fSLIy0TEWDQ
gAgu9xoqd1pMbFGWMcpHrg0ZwgbhXyScByGOjYss18NM41BQju2o6TCsG4MVKm/1
ama/Xl5A/hHV8HB3qK4phGpo08yKZ8KMrqrDGnAMvdOw6c/oczqwJ4K4wltNXcoL
39Wke6FkzkT5iyVhdIWFO/G767YVQEA7X0l7xev2hAfhP4knoAC6jOFldhPwMvjf
d3Sie3K+n7SKDJdBhNgvsBWNVP+dcZWrrjNB9+WWqpO5kjzqOcGIJTU5BwvhI0/r
kiVPLrh428U1hf6svI5kw0a7yu9VaPzbNkpzrILU11cdl58fDkOQU8TW2HdzSShY
4OzEwKiqt9fXLr8el6iy+w4A3tJWh7adBph4I211JcHGIUwVjM9EAobypCulMANe
nuNzNZLOyUOwr/SkszZ0zOk1UcaPbHPNI4UNWnH+OG8eUnRAS/4=
=xzNI
-----END PGP SIGNATURE-----
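The changelog in the message above names the fix only as "rgw: Fix bucket validation against POST policies"; neither the mechanics of the flaw nor the patch itself are shown on this page. As an added example (not Ceph's code and not the upstream patch), here is what checking a browser (HTML form POST) upload against its signed policy looks like for an S3-style gateway: the SigV4 signature over the base64 policy is verified, every submitted form field must be covered by a policy condition, and the bucket named in the policy is compared with the bucket the request URL actually targets rather than anything the client supplies. The validate_bucket=False path illustrates the general class of weakness the fix title names, a policy signed for one bucket being accepted at another; it is not a reconstruction of the Ceph bug. The access key, secret, bucket names, file body and clock are all constructed sample data.

```python
"""Checking a browser (HTML form POST) upload against its signed POST policy.
Added illustration only: not Ceph RGW code and not the upstream fix. Assumes the
S3-style POST policy format (base64 JSON + SigV4 signature); all data is constructed."""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

_EXEMPT = {"policy", "x-amz-signature", "file"}   # fields needing no policy condition


def _signing_key(secret, date, region):
    """SigV4 key derivation: AWS4+secret -> date -> region -> s3 -> aws4_request."""
    k = ("AWS4" + secret).encode()
    for part in (date, region, "s3", "aws4_request"):
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    return k


def build_form(bucket, key_prefix, access_key, secret, region, now, ttl_s=900):
    """Client side: policy allowing uploads only under key_prefix in one bucket."""
    date, amz_date = now.strftime("%Y%m%d"), now.strftime("%Y%m%dT%H%M%SZ")
    credential = f"{access_key}/{date}/{region}/s3/aws4_request"
    policy = {"expiration": (now + timedelta(seconds=ttl_s)).strftime("%Y-%m-%dT%H:%M:%SZ"),
              "conditions": [{"bucket": bucket},
                             ["starts-with", "$key", key_prefix],
                             ["content-length-range", 1, 10 * 1024 * 1024],
                             {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
                             {"x-amz-credential": credential},
                             {"x-amz-date": amz_date}]}
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    sig = hmac.new(_signing_key(secret, date, region), policy_b64.encode(), hashlib.sha256).hexdigest()
    return {"policy": policy_b64, "x-amz-algorithm": "AWS4-HMAC-SHA256", "x-amz-credential": credential,
            "x-amz-date": amz_date, "x-amz-signature": sig}


def verify_post(target_bucket, fields, lookup_secret, now, *, validate_bucket=True):
    """Server side; returns (ok, reason). target_bucket comes from the request URL, never
    from the form. validate_bucket=False shows the class of weakness the changelog title
    names (policy bucket never compared with the target); it is not the Ceph bug itself."""
    try:
        policy = json.loads(base64.b64decode(fields["policy"]))
        access_key, date, region, service, term = fields["x-amz-credential"].split("/")
    except (KeyError, ValueError):
        return False, "malformed request"
    if (service, term) != ("s3", "aws4_request") or fields.get("x-amz-algorithm") != "AWS4-HMAC-SHA256":
        return False, "unsupported credential scope"
    secret = lookup_secret(access_key)
    if secret is None:
        return False, "unknown access key"
    expect = hmac.new(_signing_key(secret, date, region), fields["policy"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, fields.get("x-amz-signature", "")):
        return False, "bad signature"
    if datetime.strptime(policy["expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) <= now:
        return False, "policy expired"
    constrained = set()
    for cond in policy.get("conditions", []):
        if isinstance(cond, dict):                      # {"field": "exact value"}
            (name, want), = cond.items()
            op = "eq"
        elif cond[0] == "content-length-range":          # bounds on the file body
            if not cond[1] <= len(fields.get("file", b"")) <= cond[2]:
                return False, "file size outside content-length-range"
            continue
        else:                                           # ["eq"|"starts-with", "$field", value]
            op, name, want = cond[0], cond[1].lstrip("$"), cond[2]
        name = name.lower()
        constrained.add(name)
        if name == "bucket" and not validate_bucket:
            continue            # weak variant: the policy's bucket is never checked
        actual = target_bucket if name == "bucket" else fields.get(name)   # bucket from URL only
        if actual is None:
            return False, f"missing field {name}"
        holds = (actual == want) if op == "eq" else (actual.startswith(want) if op == "starts-with" else False)
        if not holds:
            return False, f"{name} fails {op} condition"
    if validate_bucket and "bucket" not in constrained:
        return False, "policy does not name a bucket"
    extra = {f for f in fields if f not in _EXEMPT and not f.startswith("x-ignore-")} - constrained
    if extra:
        return False, f"fields not covered by policy: {sorted(extra)}"
    return True, "ok"


def demo():
    """Constructed scenario: a form signed for team-a-uploads replayed at team-b-private."""
    now = datetime(2023, 10, 9, 9, 0, tzinfo=timezone.utc)
    keys = {"AKIAEXAMPLE": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}   # constructed sample key
    form = build_form("team-a-uploads", "incoming/", "AKIAEXAMPLE", keys["AKIAEXAMPLE"], "us-east-1", now)
    form.update(key="incoming/report.pdf", file=b"%PDF-1.4 constructed sample")
    return (verify_post("team-a-uploads", form, keys.get, now),            # (True, "ok")
            verify_post("team-b-private", form, keys.get, now),            # rejected: wrong bucket
            verify_post("team-b-private", form, keys.get, now, validate_bucket=False))  # weak: accepted
```

The point the third call makes is the one a reviewer would check in any POST-policy handler: the signature being valid only proves the key holder authored the policy, so the server must still tie the policy's bucket condition to the bucket the request addresses, or a form signed for one bucket is good for every bucket that key can reach.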




Information forwarded to debian-bugs-dist@lists.debian.org, Ceph Packaging Team <team+ceph@tracker.debian.org>:
Bug#1053690; Package src:ceph. (Mon, 09 Oct 2023 15:57:02 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to Ceph Packaging Team <team+ceph@tracker.debian.org>. (Mon, 09 Oct 2023 15:57:03 GMT)


Message #22 received at 1053690@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1053690@bugs.debian.org
Subject: Re: Bug#1053690: ceph: CVE-2023-43040: Improperly verified POST keys
Date: Mon, 9 Oct 2023 17:53:29 +0200
On 10/8/23 21:58, Salvatore Bonaccorso wrote:
> Source: ceph
> Version: 16.2.11+ds-4
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/ceph/ceph/pull/53714
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for ceph.
> 
> CVE-2023-43040[0]:
> | Improperly verified POST keys
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2023-43040
>      https://www.cve.org/CVERecord?id=CVE-2023-43040
> [1] https://www.openwall.com/lists/oss-security/2023/09/26/10
> [2] https://github.com/ceph/ceph/pull/53714
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore

Hi Salvatore,

Do you think this deserves a DSA, or should I deal with the stable 
release team?

FYI, Sid is fixed, and I built already the update for bookworm (but 
didn't upload as I need your input as per above).

Cheers,

Thomas Goirand (zigo)






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Oct 9 17:53:02 2023; Machine Name: buxtehude
