Summary: | <sys-cluster/ceph-14.2.0: Possible crash in RGW process via invalid XML in POST (CVE-2020-12059) | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | ajak, chutzpah, cluster, dlan |
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | B3 [noglsa cve] | |
Package list: | | Runtime testing required: | --- |
Description
Sam James
2020-04-23 02:34:36 UTC
Upstream issue says Nautilus+ (>=14.x?) is unaffected.

https://tracker.ceph.com/issues/44967#note-7

If 12.x was affected, then cleanup was done here:

commit 5fa3176d02695d7dd7074f4d89df9f89990de333
Author: Patrick McLean <patrick.mclean@sony.com>
Date: Wed Nov 18 23:29:05 2020 -0800

sys-cluster/ceph: remove old

Copyright: Sony Interactive Entertainment Inc.
Package-Manager: Portage-3.0.9, Repoman-3.0.2
Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

delete mode 100644 sys-cluster/ceph/ceph-12.2.12-r3.ebuild

Since 14.x is unaffected, the earliest 14.x version we had looks to be 14.2.0 so that will go in summary.

Needs GLSA vote.

GLSA Vote: No

Repository is clean, all done!