From ${URL} : A flaw was found by which an attacker can send a POST object with null conditions to the Ceph RADOS Gateway, which would lead to a crash of the ceph-radosgw service, resulting in a denial of service. http://tracker.ceph.com/issues/17635 https://bugzilla.redhat.com/show_bug.cgi?id=1387332 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
ceph-10.2.3-r1 added with the upstream patch for this. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a0cecccd4cde2ac81dd8a2409467dcc291133b5 It is unclear to me whether this affects hammer (ceph-0.9*) or not.
I am fine with stabilizing ceph-10.2.3-r1; ceph-9* is no longer supported upstream.
@ Arches, please stabilize =sys-cluster/ceph-10.2.3-r2
amd64 stable
x86 stable. Maintainer(s), please clean up. Security, please vote.
Please clean vulnerable versions from tree.
GLSA Vote: No @maintainer(s), please clean the vulnerable versions or place a security mask on them. Once done we can close this.
Cleanup PR: https://github.com/gentoo/gentoo/pull/3394
@maintainer(s), may we merge this PR or can you?
commit e994b8d5f66c45bc0af44dfc86c7c96580557cdb
Author: Yixun Lan <dlan@gentoo.org>
Date:   Mon Jan 16 12:18:53 2017 +0800

    sys-cluster/ceph: fix "RGW Denial of Service" security bug

    reasons for why p.mask them instead of removing:

    ceph has kind of picky upgrade path for new versions.
    for example, users want an online upgrade to 10.x while they are still using
    old version (<0.94.x), need to upgrade to 0.94.x/9.x first, then upgrade 10.x

    http://docs.ceph.com/docs/master/release-notes/
    search: Upgrading from Firefly

    Closes: https://github.com/gentoo/gentoo/pull/3394

    Gentoo-Bug: 598206

    Signed-off-by: Yixun Lan <dlan@gentoo.org>

:100644 100644 cb176eb7ee... 944e75c266... M profiles/package.mask

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e994b8d5f66c45bc0af44dfc86c7c96580557cdb
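The two facts this thread establishes for operators are the fixed version (ceph-10.2.3-r1 carries the RGW DoS patch) and the upgrade constraint the commit message gives for why older versions were masked rather than removed (a system still on something below 0.94.x must go to 0.94.x/9.x before 10.x). The following audit script is an added example, not code from the thread, Gentoo or the Ceph project; it turns those two facts into a check over installed version strings. Assumptions: the version ordering is a simplified Gentoo ordering (dotted numeric components, then an optional -rN revision), not the full PMS comparison algorithm, and the sample version list is constructed for illustration.

```python
import re

# Taken from the thread: sys-cluster/ceph-10.2.3-r1 is the first version
# with the upstream fix for the RGW POST-object DoS (Gentoo bug 598206).
FIXED_VERSION = "10.2.3-r1"

# From the commit message: an online upgrade to 10.x is only possible from
# the hammer line (0.94.x) or 9.x; anything older must step through that first.
HAMMER_FLOOR = "0.94"


def parse_version(ver):
    """Split '10.2.3-r1' into ((10, 2, 3), 1). Simplified Gentoo ordering:
    dotted integers plus an optional -rN revision (assumption: no suffixes
    like _p, _rc, or letters are handled)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError("unsupported version string: %r" % ver)
    nums = tuple(int(x) for x in m.group(1).split("."))
    rev = int(m.group(2) or 0)
    return nums, rev


def version_lt(a, b):
    """True if version a sorts before version b."""
    na, ra = parse_version(a)
    nb, rb = parse_version(b)
    # Pad the shorter numeric tuple so 10.2.3 compares equal to 10.2.3.0.
    width = max(len(na), len(nb))
    na = na + (0,) * (width - len(na))
    nb = nb + (0,) * (width - len(nb))
    return (na, ra) < (nb, rb)


def is_vulnerable(installed):
    """True if the installed ceph predates the fix in 10.2.3-r1."""
    return version_lt(installed, FIXED_VERSION)


def next_upgrade_step(installed):
    """Which version to upgrade to next, following the commit message:
    below 0.94 -> hammer/infernalis first, otherwise straight to the fix."""
    if version_lt(installed, HAMMER_FLOOR):
        return "0.94.x or 9.x"
    return FIXED_VERSION


def audit(installed_versions):
    """Map each installed version to (vulnerable?, next upgrade step or None)."""
    report = {}
    for v in installed_versions:
        vuln = is_vulnerable(v)
        report[v] = (vuln, next_upgrade_step(v) if vuln else None)
    return report


if __name__ == "__main__":
    # Constructed sample: one host per Ceph release line seen in this thread.
    sample = ["0.80.11", "0.94.9", "9.2.1", "10.2.3", "10.2.3-r1", "10.2.5"]
    for ver, (vuln, step) in audit(sample).items():
        status = "VULNERABLE, upgrade to %s" % step if vuln else "fixed"
        print("sys-cluster/ceph-%s: %s" % (ver, status))
```

Run it as-is to see the constructed sample; on a real Gentoo host feed it the output of `qlist -Iv sys-cluster/ceph` (with the category/package prefix stripped) instead. The point of keeping the ordering function separate is that the revision suffix matters here: 10.2.3 and 10.2.3-r1 are the same upstream release, and only the latter carries the patch.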
(In reply to Yixun Lan from comment #10)
> commit e994b8d5f66c45bc0af44dfc86c7c96580557cdb
> Author: Yixun Lan <dlan@gentoo.org>
> Date:   Mon Jan 16 12:18:53 2017 +0800
>
>     sys-cluster/ceph: fix "RGW Denial of Service" security bug
>
>     reasons for why p.mask them instead of removing:
>
>     ceph has kind of picky upgrade path for new versions.
>     for example, users want an online upgrade to 10.x while they are still using
>     old version (<0.94.x), need to upgrade to 0.94.x/9.x first, then upgrade 10.x
>
>     http://docs.ceph.com/docs/master/release-notes/
>     search: Upgrading from Firefly
>
>     Closes: https://github.com/gentoo/gentoo/pull/3394
>
>     Gentoo-Bug: 598206
>
>     Signed-off-by: Yixun Lan <dlan@gentoo.org>
>
> :100644 100644 cb176eb7ee... 944e75c266... M profiles/package.mask
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e994b8d5f66c45bc0af44dfc86c7c96580557cdb

Do you think cleanup can proceed at this point?
Tree is clean.