Hi,

Salvatore Bonaccorso <car...@debian.org> writes:

> Source: ceph
> Version: 0.80.7-2
> Severity: important
> Tags: security upstream
> Forwarded: http://tracker.ceph.com/issues/12537
>
> Hi,
>
> the following vulnerability was published for ceph.
>
> CVE-2015-5245[0]:
> Ceph: Rados rest gateway returns requested bucket name raw in Bucket response
> header
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2015-5245
> [1] http://tracker.ceph.com/issues/12537

I fail to see how this is a security issue. It's clearly a bug, but AFAICS you can only shoot yourself in the foot with it. There is no explanation in the upstream issue tracker why this was assigned a CVE ID. But as I'm by no means an expert on these issues, I would appreciate someone else looking at this. Do other distros plan an update for this?

If my assessment is correct, I think we can fix this with a stable update. I already tried to convince the stable release team to allow minor updates to stable. See #784373.

A backport to the stable firefly branch (which is in Debian stable) is in progress upstream.

Gaudenz
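The bug report above describes a gateway that copies the requested bucket name unchanged into a response header. As an added illustration of why that class of bug matters to a defender, and not code from Ceph, Debian, or anyone in this thread, the following Python compares a "before" shape that echoes the value raw with a validating version. The header name "Bucket", the S3-style naming pattern, and the sample inputs are this example's own assumptions; the point it shows is that a value which is allowed to carry CR/LF can terminate the header line and add headers of its own, which a name check rejects before the value is ever serialized.

```python
import re
from typing import Dict

# Assumption for this example: bucket names follow S3-style rules
# (3-63 chars, lowercase letters, digits, dots and hyphens, alphanumeric
# at both ends). A real gateway would use its own naming policy.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

# CR, LF and other control characters must never reach a header value:
# a CR/LF pair ends the header line, so whatever follows it becomes a
# new header in the response.
CTL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class InvalidBucketName(ValueError):
    """Raised when a requested bucket name fails validation."""


def unsafe_bucket_headers(requested_name: str) -> Dict[str, str]:
    """Constructed 'before' shape: the requested name is echoed raw.

    This reproduces the bug class described in the report (no check at all);
    it is here only for comparison with the validating version below.
    """
    return {"Bucket": requested_name}


def validate_bucket_name(requested_name: str) -> str:
    """Return the name unchanged if it is acceptable, else raise."""
    if CTL_CHARS.search(requested_name):
        raise InvalidBucketName("control characters in bucket name")
    if not BUCKET_NAME_RE.fullmatch(requested_name):
        raise InvalidBucketName("bucket name does not match naming rules")
    return requested_name


def safe_bucket_headers(requested_name: str) -> Dict[str, str]:
    """Hardened version: only a validated name is placed in the header."""
    return {"Bucket": validate_bucket_name(requested_name)}


def serialize_headers(headers: Dict[str, str]) -> str:
    """Render headers the way they would appear on the wire."""
    return "".join(f"{k}: {v}\r\n" for k, v in headers.items()) + "\r\n"


def header_line_count(raw: str) -> int:
    """Count non-empty header lines in a serialized header block."""
    return len([line for line in raw.split("\r\n") if line])


if __name__ == "__main__":
    # Constructed sample input containing a CR/LF sequence.
    crafted = "mybucket\r\nX-Injected: 1"
    raw = serialize_headers(unsafe_bucket_headers(crafted))
    print("raw echo produced", header_line_count(raw), "header lines")
    try:
        safe_bucket_headers(crafted)
    except InvalidBucketName as exc:
        print("validated version rejected it:", exc)
    print(safe_bucket_headers("my-bucket"))
```

The check runs on the request side, before any response is built, so a rejected name yields an error response rather than a partially written header block. Validating against the naming rules (rather than only stripping CR and LF) also keeps other oddities out of the header, which is the more robust choice when the allowed alphabet is already narrow.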