Salvatore Bonaccorso <car...@debian.org> writes:
> Hi,
> the following vulnerability was published for ceph.
> CVE-2018-7262[0]:
> |Malformed HTTP requests handled in rgw_civetweb.cc:RGW::init_env() can
> |lead to NULL pointer dereference

Thanks for the information. I backported the upstream fix to the version
in stretch and I'm currently in the process of building the package
(takes several hours). How do you want me to proceed if the package
builds fine and testing does not result in any errors?

This may lead to a crash of the RGW process if sent a malformed HTTP
header which could result in a denial of service. Does this warrant an
upload to security or should this only be fixed via a stable point
release? Do you want to review the debdiff before the upload? The
debdiff of the test package I'm currently building is attached to this

FYI RGW is the part of Ceph which implements the Amazon S3 API on top of
the Ceph distributed storage.


Attachment: ceph_10.2.5-7.2+deb9u1.debdiff
Description: Binary data

PGP: 836E 4F81 EFBB ADA7 0852 79BF A97A 7702 BAF9 1EF5

Attachment: signature.asc
Description: PGP signature

Reply via email to