
Bug 710746 (CVE-2020-1699)

Summary: <sys-cluster/ceph-14.2.5: improper URL checking leads to information disclosure (CVE-2020-1699)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: chutzpah, cluster, dlan
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://tracker.ceph.com/issues/41320
Whiteboard: B4 [noglsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2020-02-25 00:38:25 UTC
CVE-2020-1699 (https://nvd.nist.gov/vuln/detail/CVE-2020-1699):
  improper URL checking leads to information disclosure
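The description above names only the bug class. The block below is an added, generic illustration of that class written for this page; it is not code from Ceph or from the linked pull requests and does not claim to reproduce the actual Ceph defect. It places a prefix-only path check, which lets `..` segments through, beside a check that decodes once, normalizes lexically, and rejects anything that would leave the document root. The root `/srv/app/static` and all sample request paths are hypothetical, constructed for the demo.

```python
"""Added example: improper vs. proper URL-path-to-file checking.

Generic illustration only; not Ceph code. STATIC_ROOT and the sample
paths are constructed for the demo.
"""
import os
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed, hypothetical document root (not any real project's layout).
STATIC_ROOT = "/srv/app/static"


def weak_resolve(url_path: str) -> Optional[str]:
    """Improper check: join, then test only the string prefix.

    '..' segments are never collapsed, so '../etc/passwd' becomes
    '/srv/app/static/../etc/passwd', passes startswith(), and the kernel
    resolves it to /etc/passwd when the file is opened.
    """
    candidate = os.path.join(STATIC_ROOT, url_path.lstrip("/"))
    if not candidate.startswith(STATIC_ROOT):
        return None
    return candidate


def safe_resolve(url_path: str) -> Optional[str]:
    """Decode exactly once, normalize, and reject anything outside the root.

    Returns the absolute file path to serve, or None to refuse the request.
    """
    decoded = unquote(url_path)          # one decode only; never re-decode
    if "\x00" in decoded or "\\" in decoded:
        return None                      # NUL / backslash never belong here
    normalized = posixpath.normpath(decoded)
    # After normalization a traversal attempt is visible as a leading '..'
    # (or an absolute path); refuse it rather than silently re-rooting it.
    if posixpath.isabs(normalized) or normalized == ".." \
            or normalized.startswith("../"):
        return None
    candidate = posixpath.normpath(posixpath.join(STATIC_ROOT, normalized))
    # Belt-and-braces: the result must be the root or a descendant of it.
    if candidate != STATIC_ROOT and not candidate.startswith(STATIC_ROOT + "/"):
        return None
    return candidate


def compare(url_path: str) -> dict:
    """Run both resolvers on one request path for side-by-side inspection."""
    return {"weak": weak_resolve(url_path), "safe": safe_resolve(url_path)}


if __name__ == "__main__":
    # Constructed sample requests: benign, traversal, encoded, double-encoded.
    for p in ("css/../js/app.js", "../etc/passwd", "%2e%2e/etc/passwd",
              "%252e%252e/etc/passwd", "/etc/passwd", ""):
        print(repr(p), compare(p))
```

The lexical check does not see symlinks that already exist under the root; before opening the file, resolve `candidate` with `os.path.realpath()` on the live filesystem and repeat the prefix comparison against the realpath of the root.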
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-13 23:23:36 UTC
PR (patches): https://github.com/ceph/ceph/pull/30445

Earliest upstream release fixed: 15.1.0
Comment 2 Patrick McLean gentoo-dev 2020-03-13 23:45:23 UTC
15.1.0 is an alpha release, we cannot pull that in.

We should wait for a backport into the 14.2 series.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-13 23:50:35 UTC
(In reply to Patrick McLean from comment #2)
> 15.1.0 is an alpha release, we cannot pull that in.
> 
> We should wait for a backport into the 14.2 series.

Sorry for the confusion; there is a backport to Nautilus, which I believe is the stable series 14.2.x:

https://github.com/ceph/ceph/pull/31413

It is included in 14.2.5 (https://tracker.ceph.com/issues/41980).
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2020-04-16 07:10:42 UTC
14.2.5 not in tree. 14.2.7 is the current stable version.
GLSA Vote: No
Thank you all for your work.
Closing as [noglsa].