From ${URL} : Upstream reports: PCI scans have determined that the RGW is returning whatever string it thought was the name of the bucket requested as raw text in the Bucket response header, which we are using to be able to track request/response cycles by bucket. The result is that things like this are possible (note the extra Content-type header): <snip> $ curl -i "objects.dreamhost.com/nothing-to-see-here%22%0D%0AContent-type%3A%20%22image-jpg";echo HTTP/1.1 400 Bad Request Bucket: "nothing-to-see-here" Content-type: "image-jpg" Content-Length: 83 Accept-Ranges: bytes Content-type: application/xml Date: Mon, 27 Jul 2015 22:57:11 GMT <Error><Code>InvalidBucketName</Code></Error> </snip> This could be considerably worse. It is in fact trivial to make the RGW return invalid HTTP responses this way as well (the resulting response is from HAProxy rejecting the invalid response from the RGW, as it should): </snip> $ curl -i "objects.dreamhost.com/nothing-to-see-here%22%0D%0AContent-Length%3A%20%2282";echo HTTP/1.0 502 Bad Gateway Cache-Control: no-cache Connection: close Content-Type: text/html <html><body><h1>502 Bad Gateway</h1> The server returned an invalid or incomplete response. </body></html> </snip> The RGW needs to sanitize/clean-up the bucket name before including it in the bucket header, by encoding the data in a standard encoding so that it is impossible to do things like inserting new headers, data, etc.. that looks like meaningful parts of a real HTTP response. External reference: http://tracker.ceph.com/issues/12537 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
First release containing the fix is v0.94.4 which landed in Gentoo repository via https://gitweb.gentoo.org/repo/gentoo.git/commit/sys-cluster/ceph?id=ef6421a8136fcad8fa2f2b0947497d1b7a6f3be0 @ Maintainer(s): Please tell us if =sys-cluster/ceph-0.94.9 needs to be stabilized or not (looks like you only keep 0.94.x in tree to ease upgrades, see bug 587568).
Tree is clean. This looks like they do not stabilize 0.94.x @maintainer(s), if you want to stabilize please go through regular stabilization procedures.