Debian Bug report logs - #949206
ceph: CVE-2020-1699: improper URL checking might expose sensitive information

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 18 Jan 2020 07:51:01 UTC

Severity: grave

Tags: security, upstream

Found in versions ceph/14.2.6-1, ceph/14.2.6-2

Fixed in version ceph/14.2.6-3

Done: Bernd Zeimetz <bzed@debian.org>

Forwarded to https://tracker.ceph.com/issues/41320


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Ceph Packaging Team <team+ceph@tracker.debian.org>:
Bug#949206; Package src:ceph. (Sat, 18 Jan 2020 07:51:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Ceph Packaging Team <team+ceph@tracker.debian.org>. (Sat, 18 Jan 2020 07:51:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ceph: CVE-2020-1699: improper URL checking might expose sensitive information
Date: Sat, 18 Jan 2020 08:46:39 +0100
Source: ceph
Version: 14.2.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://tracker.ceph.com/issues/41320
Control: found -1 14.2.6-2

Hi,

The following vulnerability was published for ceph.

CVE-2020-1699[0]:
| improper URL checking leads to information disclosure

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-1699
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1699
[1] https://tracker.ceph.com/issues/41320
[2] https://github.com/ceph/ceph/commit/0443e40c11280ba3b7efcba61522afa70c4f8158

Regards,
Salvatore



Marked as found in versions ceph/14.2.6-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 18 Jan 2020 07:51:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Ceph Packaging Team <team+ceph@tracker.debian.org>:
Bug#949206; Package src:ceph. (Sat, 18 Jan 2020 10:39:02 GMT)


Acknowledgement sent to Bernd Zeimetz <bernd@bzed.de>:
Extra info received and forwarded to list. Copy sent to Ceph Packaging Team <team+ceph@tracker.debian.org>. (Sat, 18 Jan 2020 10:39:02 GMT)


Message #12 received at 949206@bugs.debian.org:

From: Bernd Zeimetz <bernd@bzed.de>
To: Salvatore Bonaccorso <carnil@debian.org>, 949206@bugs.debian.org
Subject: Re: Bug#949206: ceph: CVE-2020-1699: improper URL checking might expose sensitive information
Date: Sat, 18 Jan 2020 11:35:27 +0100
Hi Salvatore,


seems there are two issues mixed here...

On 1/18/20 8:46 AM, Salvatore Bonaccorso wrote:

> Forwarded: https://tracker.ceph.com/issues/41320

-> user+password end up in log files
-> https://github.com/ceph/ceph/pull/30445


and

> CVE-2020-1699[0]:
https://github.com/ceph/ceph/commit/0443e40c11280ba3b7efcba61522afa70c4f8158

which points to https://tracker.ceph.com/issues/43607 - but that bug
doesn't seem to be public.



The combination of both is the interesting part as (not tested) I guess
you can retrieve the log with the logged user/password via the buggy web
server.


I'd guess that upstream releases 14.2.7 really soon, if not I'll patch
the current version and upload it.


Thanks,

Bernd


-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#949206. (Sat, 18 Jan 2020 18:21:02 GMT)


Message #15 received at 949206-submitter@bugs.debian.org:

From: Bernd Zeimetz <noreply@salsa.debian.org>
To: 949206-submitter@bugs.debian.org
Subject: Bug#949206 marked as pending in ceph
Date: Sat, 18 Jan 2020 18:16:51 +0000
Control: tag -1 pending

Hello,

Bug #949206 in ceph reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/ceph-team/ceph/commit/1bac6f097b7dafba955d3dcbce1c550f4bd7a229

------------------------------------------------------------------------
mgr/dashboard: fix improper URL checking

This change disables up-level references beyond the HTTP base directory.
[CVE-2020-1699]
Upstream commit 0443e40c11280ba3b7efcba61522afa70c4f8158

Closes: #949206
Thanks: Salvatore Bonaccorso
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/949206
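The commit message above describes the fix as refusing up-level references that climb beyond the HTTP base directory. As an added illustration, not code from Ceph or from the Debian package, the following Python sketch (the dashboard is a Python application) shows what such a containment check looks like; `BASE_DIR` and `resolve_static_path` are hypothetical names and the directory layout is constructed.

```python
import os
from urllib.parse import unquote

# Constructed base directory for the example; not Ceph's real static-file layout.
BASE_DIR = "/srv/dashboard/static"


def resolve_static_path(url_path, base_dir=BASE_DIR):
    """Map a request path onto a file below base_dir.

    Returns the resolved absolute path, or None when the request would
    climb above base_dir (the class of input the fix refuses).
    """
    # Percent-decode exactly once so that "%2e%2e" is treated like "..".
    decoded = unquote(url_path)
    # NUL bytes and backslashes have no place in a static-file request.
    if "\x00" in decoded or "\\" in decoded:
        return None
    parts = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue                 # empty or current-directory segment
        if segment == "..":
            if not parts:
                return None          # up-level reference beyond the base directory
            parts.pop()              # up-level reference that stays inside base_dir
            continue
        parts.append(segment)
    resolved = os.path.normpath(os.path.join(base_dir, *parts))
    # Defensive second check: the joined path must still sit below base_dir.
    # (Symlinks inside base_dir would additionally need os.path.realpath.)
    base_norm = os.path.normpath(base_dir)
    if os.path.commonpath([base_norm, resolved]) != base_norm:
        return None
    return resolved
```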



Added tag(s) pending. Request was from Bernd Zeimetz <noreply@salsa.debian.org> to 949206-submitter@bugs.debian.org. (Sat, 18 Jan 2020 18:21:02 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#949206. (Sat, 18 Jan 2020 18:33:04 GMT)


Message #20 received at 949206-submitter@bugs.debian.org:

From: Bernd Zeimetz <noreply@salsa.debian.org>
To: 949206-submitter@bugs.debian.org
Subject: Bug#949206 marked as pending in ceph
Date: Sat, 18 Jan 2020 18:31:52 +0000
Control: tag -1 pending

Hello,

Bug #949206 in ceph reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/ceph-team/ceph/commit/8aab3cc0ef8ff2d823b00f959f2527f4bea7dfda

------------------------------------------------------------------------
mgr/dashboard: fix improper URL checking

This change disables up-level references beyond the HTTP base directory.
[CVE-2020-1699]
Upstream commit 0443e40c11280ba3b7efcba61522afa70c4f8158

Closes: #949206
Thanks: Salvatore Bonaccorso
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/949206



Reply sent to Bernd Zeimetz <bzed@debian.org>:
You have taken responsibility. (Sat, 18 Jan 2020 18:42:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 18 Jan 2020 18:42:06 GMT)


Message #25 received at 949206-close@bugs.debian.org:

From: Bernd Zeimetz <bzed@debian.org>
To: 949206-close@bugs.debian.org
Subject: Bug#949206: fixed in ceph 14.2.6-3
Date: Sat, 18 Jan 2020 18:39:31 +0000
Source: ceph
Source-Version: 14.2.6-3

We believe that the bug you reported is fixed in the latest version of
ceph, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 949206@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernd Zeimetz <bzed@debian.org> (supplier of updated ceph package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 18 Jan 2020 19:11:22 +0100
Source: ceph
Architecture: source
Version: 14.2.6-3
Distribution: experimental
Urgency: high
Maintainer: Ceph Packaging Team <team+ceph@tracker.debian.org>
Changed-By: Bernd Zeimetz <bzed@debian.org>
Closes: 948722 949206
Changes:
 ceph (14.2.6-3) experimental; urgency=high
 .
   * Uploading to unstable, including changes to make ceph
     build on mipsel again (Closes: #948722).
   * [1bac6f0] mgr/dashboard: fix improper URL checking.
     This change disables up-level references beyond the HTTP base directory.
     [CVE-2020-1699]
     Upstream commit 0443e40c11280ba3b7efcba61522afa70c4f8158
     Thanks to Salvatore Bonaccorso (Closes: #949206)
   * [720ce76] Updating changelog (from experimental)





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 24 07:20:25 2020; Machine Name: beach
