Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package ceph, I've upgraded the package to upstream release 14.2.21, which contains the subject's CVE fixes.

The Ceph release notes are over here:
https://docs.ceph.com/en/latest/releases/nautilus/

As you can see, the upstream point release only contains the 3 CVE fixes, and one minor fix reversion.

[ Reason ]
CVE fixes.

[ Impact ]
CVE holes...

[ Tests ]
As discussed when unblocking 14.2.20, Ceph upstream has a full unit and functional test suite that they run regularly.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

Note that I have stripped away the compiled JS code in the debdiff, as otherwise, the debdiff would be too big.

Cheers,

Thomas Goirand (zigo)

unblock ceph/14.2.21-1

diff -Nru ceph-14.2.20/alpine/APKBUILD ceph-14.2.21/alpine/APKBUILD --- ceph-14.2.20/alpine/APKBUILD 2021-04-19 16:13:23.000000000 +0200 +++ ceph-14.2.21/alpine/APKBUILD 2021-05-13 19:25:52.000000000 +0200 @@ -1,7 +1,7 @@ # Contributor: John Coyle <dx9...@gmail.com> # Maintainer: John Coyle <dx9...@gmail.com> pkgname=ceph -pkgver=14.2.20 +pkgver=14.2.21 pkgrel=0 pkgdesc="Ceph is a distributed object store and file system" pkgusers="ceph" @@ -64,7 +64,7 @@ xmlstarlet yasm " -source="ceph-14.2.20.tar.bz2" +source="ceph-14.2.21.tar.bz2" subpackages=" $pkgname-base $pkgname-common @@ -117,7 +117,7 @@ _udevrulesdir=/etc/udev/rules.d _python_sitelib=/usr/lib/python2.7/site-packages -builddir=$srcdir/ceph-14.2.20 +builddir=$srcdir/ceph-14.2.21 build() { export CEPH_BUILD_VIRTUALENV=$builddir diff -Nru ceph-14.2.20/ceph.spec ceph-14.2.21/ceph.spec --- ceph-14.2.20/ceph.spec 2021-04-19 16:13:23.000000000 +0200 +++ ceph-14.2.21/ceph.spec 2021-05-13 19:25:52.000000000 +0200 @@ -109,7 +109,7 @@ # main package definition ################################################################################# Name: ceph -Version: 14.2.20 +Version: 14.2.21 Release: 0%{?dist} %if 0%{?fedora} || 0%{?rhel} Epoch: 2 @@ -125,7 +125,7 @@ Group: System/Filesystems %endif URL: http://ceph.com/ -Source0: %{?_remote_tarball_prefix}ceph-14.2.20.tar.bz2 +Source0: %{?_remote_tarball_prefix}ceph-14.2.21.tar.bz2 %if 0%{?suse_version} # _insert_obs_source_lines_here ExclusiveArch: x86_64 aarch64 ppc64le s390x @@ -1142,7 +1142,7 @@ # common ################################################################################# %prep -%autosetup -p1 -n ceph-14.2.20 +%autosetup -p1 -n ceph-14.2.21 %build # LTO can be enabled as soon as the following GCC bug is fixed: diff -Nru ceph-14.2.20/CMakeLists.txt ceph-14.2.21/CMakeLists.txt --- ceph-14.2.20/CMakeLists.txt 2021-04-19 16:11:15.000000000 +0200 +++ ceph-14.2.21/CMakeLists.txt 2021-05-13 19:23:08.000000000 +0200 
@@ -1,7 +1,7 @@ cmake_minimum_required(VERSION 3.5.1) project(ceph CXX C ASM) -set(VERSION 14.2.20) +set(VERSION 14.2.21) if(POLICY CMP0028) cmake_policy(SET CMP0028 NEW) diff -Nru ceph-14.2.20/debian/changelog ceph-14.2.21/debian/changelog --- ceph-14.2.20/debian/changelog 2021-04-21 10:02:07.000000000 +0200 +++ ceph-14.2.21/debian/changelog 2021-05-27 12:04:21.000000000 +0200 @@ -1,3 +1,13 @@ +ceph (14.2.21-1) unstable; urgency=high + + * New upstream release, resolving these: + - CVE-2021-3509: Cross Site Scripting via token Cookie (Closes: #988888). + - CVE-2021-3524: injection of HTTP headers via a CORS ExposeHeader tag in + the Ceph Storage RadosGW (Closes: #988889). + - CVE-2021-3531: RadosGW denial of service (crash) (Closes: #988890). + + -- Thomas Goirand <z...@debian.org> Thu, 27 May 2021 12:04:21 +0200 + ceph (14.2.20-2) unstable; urgency=medium * Add allow-bgp-to-host.patch. diff -Nru ceph-14.2.20/src/.git_version ceph-14.2.21/src/.git_version --- ceph-14.2.20/src/.git_version 2021-04-19 16:13:23.000000000 +0200 +++ ceph-14.2.21/src/.git_version 2021-05-13 19:25:52.000000000 +0200 @@ -1,2 +1,2 @@ -36274af6eb7f2a5055f2d53ad448f2694e9046a0 -v14.2.20 +5ef401921d7a88aea18ec7558f7f9374ebd8f5a6 +v14.2.21 diff -Nru ceph-14.2.20/src/pybind/mgr/dashboard/controllers/docs.py ceph-14.2.21/src/pybind/mgr/dashboard/controllers/docs.py --- ceph-14.2.20/src/pybind/mgr/dashboard/controllers/docs.py 2021-04-19 16:11:15.000000000 +0200 +++ ceph-14.2.21/src/pybind/mgr/dashboard/controllers/docs.py 2021-05-13 19:23:08.000000000 +0200 @@ -3,8 +3,7 @@ import cherrypy -from . import Controller, BaseController, Endpoint, ENDPOINT_MAP, \ - allow_empty_body +from . import Controller, BaseController, Endpoint, ENDPOINT_MAP from .. import logger, mgr from ..tools import str_to_bool 
@@ -366,31 +365,13 @@ def api_all_json(self): return self._gen_spec(True, "/api") - def _swagger_ui_page(self, all_endpoints=False, token=None): + def _swagger_ui_page(self, all_endpoints=False): base = cherrypy.request.base if all_endpoints: spec_url = "{}/docs/api-all.json".format(base) else: spec_url = "{}/docs/api.json".format(base) - auth_header = cherrypy.request.headers.get('authorization') - auth_cookie = cherrypy.request.cookie['token'] - jwt_token = "" - if auth_cookie is not None: - jwt_token = auth_cookie.value - elif auth_header is not None: - scheme, params = auth_header.split(' ', 1) - if scheme.lower() == 'bearer': - jwt_token = params - else: - if token is not None: - jwt_token = token - - api_key_callback = """, onComplete: () => {{ - ui.preauthorizeApiKey('jwt', '{}'); - }} - """.format(jwt_token) - page = """ <!DOCTYPE html> <html> @@ -431,23 +412,16 @@ SwaggerUIBundle.presets.apis ], layout: "BaseLayout" - {} }}) window.ui = ui }} </script> </body> </html> - """.format(spec_url, api_key_callback) + """.format(spec_url) return page @Endpoint(json_response=False) def __call__(self, all_endpoints=False): return self._swagger_ui_page(all_endpoints) - - @Endpoint('POST', path="/", json_response=False, - query_params="{all_endpoints}") - @allow_empty_body - def _with_token(self, token, all_endpoints=False): - return self._swagger_ui_page(all_endpoints, token) diff -Nru ceph-14.2.20/src/pybind/mgr/dashboard/frontend/dist/en-US/index.html ceph-14.2.21/src/pybind/mgr/dashboard/frontend/dist/en-US/index.html --- ceph-14.2.20/src/pybind/mgr/dashboard/frontend/dist/en-US/index.html 2021-04-19 16:16:38.000000000 +0200 +++ ceph-14.2.21/src/pybind/mgr/dashboard/frontend/dist/en-US/index.html 2021-05-13 19:28:13.000000000 +0200 
@@ -3,10 +3,9 @@ <head> <meta charset="utf-8"> <title>Ceph</title> - <base href="/"> <script> - window['base-href'] = window.location.pathname; + document.write('<base href="' + document.location+ '" />'); </script> <meta name="viewport" content="width=device-width, initial-scale=1"> @@ -25,5 +24,5 @@ </noscript> <cd-root></cd-root> -<script type="text/javascript" src="runtime.ff444394af058f159c51.js"></script><script type="text/javascript" src="polyfills.f31db31652a3fd9f4bca.js"></script><script type="text/javascript" src="scripts.fc88ef4a23399c760d0b.js"></script><script type="text/javascript" src="main.a755488a34fa64d1b79f.js"></script></body> +<script type="text/javascript" src="runtime.ff444394af058f159c51.js"></script><script type="text/javascript" src="polyfills.f31db31652a3fd9f4bca.js"></script><script type="text/javascript" src="scripts.fc88ef4a23399c760d0b.js"></script><script type="text/javascript" src="main.a8acf27ca1415ab0d94b.js"></script></body> </html> diff -Nru ceph-14.2.20/src/pybind/mgr/dashboard/frontend/src/app/app.module.ts ceph-14.2.21/src/pybind/mgr/dashboard/frontend/src/app/app.module.ts --- ceph-14.2.20/src/pybind/mgr/dashboard/frontend/src/app/app.module.ts 2021-04-19 16:11:15.000000000 +0200 +++ ceph-14.2.21/src/pybind/mgr/dashboard/frontend/src/app/app.module.ts 2021-05-13 19:23:08.000000000 +0200 @@ -1,4 +1,3 @@ -import { APP_BASE_HREF } from '@angular/common'; import { HTTP_INTERCEPTORS, HttpClientModule } from '@angular/common/http'; import { ErrorHandler, 
@@ -59,10 +58,6 @@ multi: true }, { - provide: APP_BASE_HREF, - useValue: window['base-href'] - }, - { provide: TRANSLATIONS, useFactory: (locale) => { locale = locale || environment.default_lang; diff -Nru ceph-14.2.20/src/pybind/mgr/dashboard/frontend/src/index.html ceph-14.2.21/src/pybind/mgr/dashboard/frontend/src/index.html --- ceph-14.2.20/src/pybind/mgr/dashboard/frontend/src/index.html 2021-04-19 16:11:15.000000000 +0200 +++ ceph-14.2.21/src/pybind/mgr/dashboard/frontend/src/index.html 2021-05-13 19:23:08.000000000 +0200 @@ -3,10 +3,9 @@ <head> <meta charset="utf-8"> <title>Ceph</title> - <base href="/"> <script> - window['base-href'] = window.location.pathname; + document.write('<base href="' + document.location+ '" />'); </script> <meta name="viewport" content="width=device-width, initial-scale=1"> diff -Nru ceph-14.2.20/src/rgw/rgw_cors.cc ceph-14.2.21/src/rgw/rgw_cors.cc --- ceph-14.2.20/src/rgw/rgw_cors.cc 2021-04-19 16:11:15.000000000 +0200 +++ ceph-14.2.21/src/rgw/rgw_cors.cc 2021-05-13 19:23:08.000000000 +0200 @@ -148,8 +148,9 @@ if (s.length() > 0) s.append(","); // these values are sent to clients in a 'Access-Control-Expose-Headers' - // response header, so we escape '\n' to avoid header injection - boost::replace_all_copy(std::back_inserter(s), header, "\n", "\\n"); + // response header, so we escape '\n' and '\r' to avoid header injection + std::string tmp = boost::replace_all_copy(header, "\n", "\\n"); + boost::replace_all_copy(std::back_inserter(s), tmp, "\r", "\\r"); } } diff -Nru ceph-14.2.20/src/rgw/rgw_rest_swift.cc ceph-14.2.21/src/rgw/rgw_rest_swift.cc --- ceph-14.2.20/src/rgw/rgw_rest_swift.cc 2021-04-19 16:11:15.000000000 +0200 +++ ceph-14.2.21/src/rgw/rgw_rest_swift.cc 2021-05-13 19:23:08.000000000 +0200 
@@ -2545,6 +2545,9 @@ return false; } else if (subdir_name.back() == '/') { subdir_name.pop_back(); + if (subdir_name.empty()) { + return false; + } } rgw_obj obj(s->bucket, std::move(subdir_name)); diff -Nru ceph-14.2.20/src/test/debian-jessie/debian/changelog ceph-14.2.21/src/test/debian-jessie/debian/changelog --- ceph-14.2.20/src/test/debian-jessie/debian/changelog 2021-04-21 10:02:07.000000000 +0200 +++ ceph-14.2.21/src/test/debian-jessie/debian/changelog 2021-05-27 12:04:21.000000000 +0200 @@ -1,3 +1,13 @@ +ceph (14.2.21-1) unstable; urgency=high + + * New upstream release, resolving these: + - CVE-2021-3509: Cross Site Scripting via token Cookie (Closes: #988888). + - CVE-2021-3524: injection of HTTP headers via a CORS ExposeHeader tag in + the Ceph Storage RadosGW (Closes: #988889). + - CVE-2021-3531: RadosGW denial of service (crash) (Closes: #988890). + + -- Thomas Goirand <z...@debian.org> Thu, 27 May 2021 12:04:21 +0200 + ceph (14.2.20-2) unstable; urgency=medium * Add allow-bgp-to-host.patch. diff -Nru ceph-14.2.20/src/test/ubuntu-16.04/debian/changelog ceph-14.2.21/src/test/ubuntu-16.04/debian/changelog --- ceph-14.2.20/src/test/ubuntu-16.04/debian/changelog 2021-04-21 10:02:07.000000000 +0200 +++ ceph-14.2.21/src/test/ubuntu-16.04/debian/changelog 2021-05-27 12:04:21.000000000 +0200 
@@ -1,3 +1,13 @@ +ceph (14.2.21-1) unstable; urgency=high + + * New upstream release, resolving these: + - CVE-2021-3509: Cross Site Scripting via token Cookie (Closes: #988888). + - CVE-2021-3524: injection of HTTP headers via a CORS ExposeHeader tag in + the Ceph Storage RadosGW (Closes: #988889). + - CVE-2021-3531: RadosGW denial of service (crash) (Closes: #988890). + + -- Thomas Goirand <z...@debian.org> Thu, 27 May 2021 12:04:21 +0200 + ceph (14.2.20-2) unstable; urgency=medium * Add allow-bgp-to-host.patch. diff -Nru ceph-14.2.20/src/test/ubuntu-18.04/debian/changelog ceph-14.2.21/src/test/ubuntu-18.04/debian/changelog --- ceph-14.2.20/src/test/ubuntu-18.04/debian/changelog 2021-04-21 10:02:07.000000000 +0200 +++ ceph-14.2.21/src/test/ubuntu-18.04/debian/changelog 2021-05-27 12:04:21.000000000 +0200 @@ -1,3 +1,13 @@ +ceph (14.2.21-1) unstable; urgency=high + + * New upstream release, resolving these: + - CVE-2021-3509: Cross Site Scripting via token Cookie (Closes: #988888). + - CVE-2021-3524: injection of HTTP headers via a CORS ExposeHeader tag in + the Ceph Storage RadosGW (Closes: #988889). + - CVE-2021-3531: RadosGW denial of service (crash) (Closes: #988890). + + -- Thomas Goirand <z...@debian.org> Thu, 27 May 2021 12:04:21 +0200 + ceph (14.2.20-2) unstable; urgency=medium * Add allow-bgp-to-host.patch.
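
Review bot: In src/pybind/mgr/dashboard/controllers/docs.py, `_swagger_ui_page` still builds `spec_url` from `cherrypy.request.base` and passes it through `.format(spec_url)` into the HTML page, which is the same string-formatting path the removed `jwt_token` took. Where `spec_url` lands in the template is outside these hunks, so please confirm it is encoded for that context (JSON-encoded if it sits inside the inline script) rather than relying on the request base being benign. Dropping the POST `_with_token` endpoint and the `ui.preauthorizeApiKey('jwt', ...)` callback is also a behaviour change for anyone who opened the docs page with a token, and that deserves a line in the changelog.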
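
Review bot: In src/pybind/mgr/dashboard/frontend/src/index.html (and the generated dist/en-US/index.html), `document.write('<base href="' + document.location+ '" />');` concatenates the full URL, query string and fragment included, into markup with no escaping, so the page's base element now depends on how the browser serialises the location. Suggest creating the base element through the DOM and assigning its `href` property, or at least using only the path as the removed `window.location.pathname` line did. There is also a missing space before the second `+`, and nothing in the diff says why the static `<base href="/">` and the `APP_BASE_HREF` provider in app.module.ts were dropped; a short comment in index.html would help.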
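
Review bot: In src/rgw/rgw_cors.cc, the second pass `boost::replace_all_copy(std::back_inserter(s), tmp, "\r", "\\r");` extends a two-character denylist, so the safety of the `Access-Control-Expose-Headers` value rests on '\n' and '\r' being the only bytes that matter. Consider validating each expose-header entry against the HTTP field-name token grammar when the CORS configuration is parsed and rejecting anything else, which would also avoid sending a literal backslash sequence to clients. No test for the '\r' case appears in this diff; a unit test covering both characters would keep the regression from coming back.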
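
Review bot: In src/rgw/rgw_rest_swift.cc at @@ -2545, the new `if (subdir_name.empty())` check runs only after `subdir_name.pop_back()`, while the branch condition `subdir_name.back() == '/'` itself needs a non-empty string. The earlier condition that returns false is outside the hunk, so please confirm it covers the empty case, since `back()` on an empty `std::string` is undefined behaviour. A one-line comment saying that a name consisting only of '/' would otherwise reach `rgw_obj obj(s->bucket, std::move(subdir_name));` with an empty object name would make the intent clear, and a regression test for that input is missing from the diff.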
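
Review bot: The debian/changelog entry for 14.2.21-1 lists the three CVEs but not the dashboard base-href change in index.html and app.module.ts that ships in the same upload. The checklist states that all changes are documented in d/changelog, so add a line for it under the "New upstream release" item.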