Your message dated Mon, 08 Jun 2026 20:20:15 +0000
with message-id <[email protected]>
and subject line Bug#1120797: fixed in ceph 18.2.7+ds-1+deb13u1
has caused the Debian Bug report #1120797,
regarding ceph: CVE-2024-47866
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1120797: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120797
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ceph
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerability was published for ceph.
CVE-2024-47866[0]:
| Ceph is a distributed object, block, and file storage platform. In
| versions up to and including 19.2.3, using the argument
| `x-amz-copy-source` to put an object and specifying an empty string as
| its content leads to the RGW daemon crashing, resulting in a DoS attack.
| As of time of publication, no known patched versions exist.
https://www.openwall.com/lists/oss-security/2025/11/11/3
https://github.com/ceph/ceph/security/advisories/GHSA-mgrm-g92q-f8h8
https://tracker.ceph.com/issues/72669
https://github.com/ceph/ceph/pull/65159
https://github.com/ceph/ceph/commit/bef59f17293e6e93af025eba1e00646d0b1a2bf0
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-47866
https://www.cve.org/CVERecord?id=CVE-2024-47866
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: ceph
Source-Version: 18.2.7+ds-1+deb13u1
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ceph, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated ceph package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 10 May 2026 21:17:37 +0200
Source: ceph
Architecture: source
Version: 18.2.7+ds-1+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Ceph Packaging Team <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1120797 1126573
Changes:
ceph (18.2.7+ds-1+deb13u1) trixie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* mgr/alerts: enforce ssl context to SMTP_SSL (CVE-2024-31884)
(Closes: #1126573)
* Check if `HTTP_X_AMZ_COPY_SOURCE` header is empty (CVE-2024-47866)
(Closes: #1120797)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---