Bug 710746 (CVE-2020-1699) - <sys-cluster/ceph-14.2.5: improper URL checking leads to information disclosure (CVE-2020-1699)
Status: RESOLVED FIXED
Alias: CVE-2020-1699
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://tracker.ceph.com/issues/41320
Whiteboard: B4 [noglsa cve]
Reported: 2020-02-25 00:38 UTC by GLSAMaker/CVETool Bot
Modified: 2020-04-16 07:11 UTC

Description GLSAMaker/CVETool Bot gentoo-dev 2020-02-25 00:38:25 UTC
CVE-2020-1699 (https://nvd.nist.gov/vuln/detail/CVE-2020-1699):
  improper URL checking leads to information disclosure
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-13 23:23:36 UTC
PR (patches): https://github.com/ceph/ceph/pull/30445

Earliest upstream release fixed: 15.1.0
Comment 2 Patrick McLean gentoo-dev 2020-03-13 23:45:23 UTC
15.1.0 is an alpha release, we cannot pull that in.

We should wait for a backport in to the 14.2 series.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-13 23:50:35 UTC
(In reply to Patrick McLean from comment #2)
> 15.1.0 is an alpha release, we cannot pull that in.
> 
> We should wait for a backport in to the 14.2 series.

Sorry for the confusion, there is a backport to Nautilus which I believe is the stable series 14.2.x:

https://github.com/ceph/ceph/pull/31413

It is included in 14.2.5 (https://tracker.ceph.com/issues/41980).
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2020-04-16 07:10:42 UTC
14.2.5 Not in tree. 14.2.7 is current stable version.
GLSA Vote: No
Thank you all for your work.
Closing as [noglsa].