Bug 598206 (CVE-2016-8626) - <sys-cluster/ceph-10.2.3-r1: RGW Denial of Service by sending POST object with null conditions
Summary: <sys-cluster/ceph-10.2.3-r1: RGW Denial of Service by sending POST object wit...
Status: RESOLVED FIXED
Alias: CVE-2016-8626
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Reported: 2016-10-27 08:17 UTC by Agostino Sarubbo
Modified: 2018-01-20 15:54 UTC

Description Agostino Sarubbo gentoo-dev 2016-10-27 08:17:30 UTC
From ${URL} :

A flaw was found by which an attacker can send a POST object with null conditions
to the Ceph RADOS gateway, which would lead to a crash of the ceph-radosgw service,
resulting in denial of service.

http://tracker.ceph.com/issues/17635
https://bugzilla.redhat.com/show_bug.cgi?id=1387332


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Patrick McLean gentoo-dev 2016-10-27 21:47:22 UTC
ceph-10.2.3-r1 added with upstream patch for this.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a0cecccd4cde2ac81dd8a2409467dcc291133b5

It is unclear to me if this affects hammer (ceph-0.9*) or not.
Comment 2 Patrick McLean gentoo-dev 2016-10-27 21:48:00 UTC
I am fine with stabilizing ceph-10.2.3-r1; ceph-9* is no longer supported upstream.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 15:53:17 UTC
@ Arches,

please stabilize =sys-cluster/ceph-10.2.3-r2
Comment 4 Agostino Sarubbo gentoo-dev 2016-11-20 13:05:58 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-11-20 13:09:19 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-12-27 09:16:45 UTC
Please clean vulnerable versions from tree.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2017-01-02 07:28:35 UTC
GLSA Vote: No

@maintainer(s), please clean the vulnerable versions or place a security mask on them. Once done we can close this.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-08 23:16:26 UTC
Cleanup PR: https://github.com/gentoo/gentoo/pull/3394
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2017-01-15 07:04:12 UTC
@maintainer(s), may we merge this PR or can you?
Comment 10 Yixun Lan archtester gentoo-dev 2017-01-16 04:27:54 UTC
commit e994b8d5f66c45bc0af44dfc86c7c96580557cdb
Author: Yixun Lan <dlan@gentoo.org>
Date:   Mon Jan 16 12:18:53 2017 +0800

    sys-cluster/ceph: fix "RGW Denial of Service" security bug

    reasons for why p.mask them instead of removing:

    ceph has kind of picky upgrade path for new versions.
    for example, users want an online upgrade to 10.x while they are still using
    old version (<0.94.x), need to upgrade to 0.94.x/9.x first, then upgrade 10.x

    http://docs.ceph.com/docs/master/release-notes/
    search: Upgrading from Firefly

    Closes: https://github.com/gentoo/gentoo/pull/3394

    Gentoo-Bug: 598206

    Signed-off-by: Yixun Lan <dlan@gentoo.org>

:100644 100644 cb176eb7ee... 944e75c266... M    profiles/package.mask


https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e994b8d5f66c45bc0af44dfc86c7c96580557cdb
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2017-10-15 13:57:04 UTC
(In reply to Yixun Lan from comment #10)

Do you think cleanup can proceed at this point?
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2018-01-20 15:54:57 UTC
Tree is clean.