Hi Gaudenz,

On Fri, Sep 18, 2015 at 05:26:18PM +0200, Gaudenz Steinlin wrote:
> Gaudenz Steinlin <gaud...@debian.org> writes:
>
> > Hi
> >
> > Salvatore Bonaccorso <car...@debian.org> writes:
> >
> >> Source: ceph
> >> Version: 0.80.7-2
> >> Severity: important
> >> Tags: security upstream
> >> Forwarded: http://tracker.ceph.com/issues/12537
> >>
> >> Hi,
> >>
> >> the following vulnerability was published for ceph.
> >>
> >> CVE-2015-5245[0]:
> >> Ceph: Rados rest gateway returns requested bucket name raw in Bucket
> >> response header
> >>
> >> If you fix the vulnerability please also make sure to include the
> >> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >>
> >> For further information see:
> >>
> >> [0] https://security-tracker.debian.org/tracker/CVE-2015-5245
> >> [1] http://tracker.ceph.com/issues/12537
> >
> > I fail to see how this is a security issue. It's clearly a bug, but
> > AFAICS you can only shoot yourself in the foot with it. There is no
> > explanation in the upstream issue tracker why this was assigned a CVE
> > ID. But as I'm by no means an expert on these issues I would appreciate
> > someone else looking at this. Do other distros plan an update for this?
> >
> > If my assessment is correct I think we can fix this with a stable
> > update. I already tried to convince the stable release team to allow
> > minor updates to stable. See #784373. A backport to the stable firefly
> > branch (which is in Debian stable) is in progress upstream.
>
> I'm a bit lost on the status of this bug. Do I interpret
> https://security-tracker.debian.org/tracker/source-package/ceph right in
> that this means the security team thinks this does not warrant a DSA? Or
> does this just mean that no DSA has been issued yet?
>
> I'm still a bit unsure about the severity of this issue. As far as I
> understand it, an attacker would have to trick someone into requesting a
> specially crafted bucket name. How realistic is this in the context of
> the RADOS gateway?
>
> I prepared an update which fixes this bug for stable. If the security
> team wants to issue a DSA I can upload this. I also attached the patch
> to this mail, in case you want to do an upload yourself. If the security
> team does not want to issue a DSA please say so, I'll then try to get
> this fixed by a stable update.

The 'no-dsa' tag in the security-tracker indeed means that no DSA for this
issue is planned. Though clearly it would be good to have the issue fixed
for stable via a stable proposed-update. Can you contact the stable release
manager to schedule an update via spu?

Regards and thanks for your work done!

Salvatore
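As an added illustration (not code from this thread or from Ceph itself) of what "returns requested bucket name raw in Bucket response header" means in practice: the first function copies the request-supplied name into the header untouched, the second encodes it first so it can never split the header. The crafted sample name, the function names, and the reading of the defect as a CR/LF header-injection problem are the editor's assumptions, not statements made in the thread.

```python
from urllib.parse import quote

# Constructed sample: a bucket name that smuggles a line break and a second
# header field. No such bucket needs to exist; the name only has to be requested.
CRAFTED_BUCKET = "photos\r\nSet-Cookie: session=attacker"


def raw_bucket_header(bucket: str) -> str:
    """The unsafe pattern: the request value goes into the header verbatim."""
    return f"Bucket: {bucket}\r\n"


def safe_bucket_header(bucket: str) -> str:
    """Mitigation: percent-encode the value, so CR, LF and other control
    characters can no longer terminate the field (assumed approach, the
    editor's choice; the thread itself does not describe the upstream fix)."""
    return f"Bucket: {quote(bucket, safe='')}\r\n"


def header_lines(raw_block: str) -> list:
    """Split a serialized header block the way an HTTP client would parse it."""
    return [line for line in raw_block.split("\r\n") if line]


if __name__ == "__main__":
    # The raw version yields two header fields from one bucket name; the
    # encoded version yields exactly one.
    print(header_lines(raw_bucket_header(CRAFTED_BUCKET)))
    print(header_lines(safe_bucket_header(CRAFTED_BUCKET)))
```

A bucket name that is already valid (letters, digits, dots and hyphens) is left unchanged by the encoding, so legitimate responses look the same as before.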