Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package ceph,

I've upgraded the package to upstream release 14.2.21, which contains the
subject's CVE fixes. The Ceph release notes are over here:

https://docs.ceph.com/en/latest/releases/nautilus/

As you can see, the upstream point release only contains the 3 CVE fixes,
and one minor fix reversion.

[ Reason ]
CVE fixes.

[ Impact ]
CVE holes...

[ Tests ]
As discussed when unblocking 14.2.20, Ceph upstream has a full unit and
functional test suite that they run regularly.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

Note that I have stripped the compiled JS code from the debdiff, as
otherwise the debdiff would be too big.

Cheers,

Thomas Goirand (zigo)

unblock ceph/14.2.21-1
diff -Nru ceph-14.2.20/alpine/APKBUILD ceph-14.2.21/alpine/APKBUILD
--- ceph-14.2.20/alpine/APKBUILD        2021-04-19 16:13:23.000000000 +0200
+++ ceph-14.2.21/alpine/APKBUILD        2021-05-13 19:25:52.000000000 +0200
@@ -1,7 +1,7 @@
 # Contributor: John Coyle <dx9...@gmail.com>
 # Maintainer: John Coyle <dx9...@gmail.com>
 pkgname=ceph
-pkgver=14.2.20
+pkgver=14.2.21
 pkgrel=0
 pkgdesc="Ceph is a distributed object store and file system"
 pkgusers="ceph"
@@ -64,7 +64,7 @@
        xmlstarlet
        yasm
 "
-source="ceph-14.2.20.tar.bz2"
+source="ceph-14.2.21.tar.bz2"
 subpackages="
        $pkgname-base
        $pkgname-common
@@ -117,7 +117,7 @@
 _udevrulesdir=/etc/udev/rules.d
 _python_sitelib=/usr/lib/python2.7/site-packages
 
-builddir=$srcdir/ceph-14.2.20
+builddir=$srcdir/ceph-14.2.21
 
 build() {
        export CEPH_BUILD_VIRTUALENV=$builddir
diff -Nru ceph-14.2.20/ceph.spec ceph-14.2.21/ceph.spec
--- ceph-14.2.20/ceph.spec      2021-04-19 16:13:23.000000000 +0200
+++ ceph-14.2.21/ceph.spec      2021-05-13 19:25:52.000000000 +0200
@@ -109,7 +109,7 @@
 # main package definition
 
#################################################################################
 Name:          ceph
-Version:       14.2.20
+Version:       14.2.21
 Release:       0%{?dist}
 %if 0%{?fedora} || 0%{?rhel}
 Epoch:         2
@@ -125,7 +125,7 @@
 Group:         System/Filesystems
 %endif
 URL:           http://ceph.com/
-Source0:       %{?_remote_tarball_prefix}ceph-14.2.20.tar.bz2
+Source0:       %{?_remote_tarball_prefix}ceph-14.2.21.tar.bz2
 %if 0%{?suse_version}
 # _insert_obs_source_lines_here
 ExclusiveArch:  x86_64 aarch64 ppc64le s390x
@@ -1142,7 +1142,7 @@
 # common
 
#################################################################################
 %prep
-%autosetup -p1 -n ceph-14.2.20
+%autosetup -p1 -n ceph-14.2.21
 
 %build
 # LTO can be enabled as soon as the following GCC bug is fixed:
diff -Nru ceph-14.2.20/CMakeLists.txt ceph-14.2.21/CMakeLists.txt
--- ceph-14.2.20/CMakeLists.txt 2021-04-19 16:11:15.000000000 +0200
+++ ceph-14.2.21/CMakeLists.txt 2021-05-13 19:23:08.000000000 +0200
@@ -1,7 +1,7 @@
 cmake_minimum_required(VERSION 3.5.1)
 
 project(ceph CXX C ASM)
-set(VERSION 14.2.20)
+set(VERSION 14.2.21)
 
 if(POLICY CMP0028)
   cmake_policy(SET CMP0028 NEW)
diff -Nru ceph-14.2.20/debian/changelog ceph-14.2.21/debian/changelog
--- ceph-14.2.20/debian/changelog       2021-04-21 10:02:07.000000000 +0200
+++ ceph-14.2.21/debian/changelog       2021-05-27 12:04:21.000000000 +0200
@@ -1,3 +1,13 @@
+ceph (14.2.21-1) unstable; urgency=high
+
+  * New upstream release, resolving these:
+    - CVE-2021-3509: Cross Site Scripting via token Cookie (Closes: #988888).
+    - CVE-2021-3524: injection of HTTP headers via a CORS ExposeHeader tag in
+      the Ceph Storage RadosGW (Closes: #988889).
+    - CVE-2021-3531: RadosGW denial of service (crash) (Closes: #988890).
+
+ -- Thomas Goirand <z...@debian.org>  Thu, 27 May 2021 12:04:21 +0200
+
 ceph (14.2.20-2) unstable; urgency=medium
 
   * Add allow-bgp-to-host.patch.
diff -Nru ceph-14.2.20/src/.git_version ceph-14.2.21/src/.git_version
--- ceph-14.2.20/src/.git_version       2021-04-19 16:13:23.000000000 +0200
+++ ceph-14.2.21/src/.git_version       2021-05-13 19:25:52.000000000 +0200
@@ -1,2 +1,2 @@
-36274af6eb7f2a5055f2d53ad448f2694e9046a0
-v14.2.20
+5ef401921d7a88aea18ec7558f7f9374ebd8f5a6
+v14.2.21
diff -Nru ceph-14.2.20/src/pybind/mgr/dashboard/controllers/docs.py 
ceph-14.2.21/src/pybind/mgr/dashboard/controllers/docs.py
--- ceph-14.2.20/src/pybind/mgr/dashboard/controllers/docs.py   2021-04-19 
16:11:15.000000000 +0200
+++ ceph-14.2.21/src/pybind/mgr/dashboard/controllers/docs.py   2021-05-13 
19:23:08.000000000 +0200
@@ -3,8 +3,7 @@
 
 import cherrypy
 
-from . import Controller, BaseController, Endpoint, ENDPOINT_MAP, \
-    allow_empty_body
+from . import Controller, BaseController, Endpoint, ENDPOINT_MAP
 from .. import logger, mgr
 
 from ..tools import str_to_bool
@@ -366,31 +365,13 @@
     def api_all_json(self):
         return self._gen_spec(True, "/api")
 
-    def _swagger_ui_page(self, all_endpoints=False, token=None):
+    def _swagger_ui_page(self, all_endpoints=False):
         base = cherrypy.request.base
         if all_endpoints:
             spec_url = "{}/docs/api-all.json".format(base)
         else:
             spec_url = "{}/docs/api.json".format(base)
 
-        auth_header = cherrypy.request.headers.get('authorization')
-        auth_cookie = cherrypy.request.cookie['token']
-        jwt_token = ""
-        if auth_cookie is not None:
-            jwt_token = auth_cookie.value
-        elif auth_header is not None:
-            scheme, params = auth_header.split(' ', 1)
-            if scheme.lower() == 'bearer':
-                jwt_token = params
-        else:
-            if token is not None:
-                jwt_token = token
-
-        api_key_callback = """, onComplete: () => {{
-                        ui.preauthorizeApiKey('jwt', '{}');
-                    }}
-        """.format(jwt_token)
-
         page = """
         <!DOCTYPE html>
         <html>
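Review bot: `spec_url` is now the only value formatted into the page, and it is built from `cherrypy.request.base`, which CherryPy derives from the incoming request (scheme and host) rather than from a fixed setting. Where it lands in the template is outside this hunk, so this is hedged: if it is placed inside the inline `<script>`, it should be encoded for a JavaScript string context rather than inserted raw by `.format(spec_url)` (that call is in the next hunk). I would also add a comment above `page = """`, for example `# Do not interpolate tokens, cookies or other request-supplied values into this page (CVE-2021-3509).`, so the removed `api_key_callback` pattern is not reintroduced. `_swagger_ui_page` spans this hunk and the next one.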
@@ -431,23 +412,16 @@
                         SwaggerUIBundle.presets.apis
                     ],
                     layout: "BaseLayout"
-                    {}
                 }})
                 window.ui = ui
             }}
         </script>
         </body>
         </html>
-        """.format(spec_url, api_key_callback)
+        """.format(spec_url)
 
         return page
 
     @Endpoint(json_response=False)
     def __call__(self, all_endpoints=False):
         return self._swagger_ui_page(all_endpoints)
-
-    @Endpoint('POST', path="/", json_response=False,
-              query_params="{all_endpoints}")
-    @allow_empty_body
-    def _with_token(self, token, all_endpoints=False):
-        return self._swagger_ui_page(all_endpoints, token)
diff -Nru ceph-14.2.20/src/pybind/mgr/dashboard/frontend/dist/en-US/index.html 
ceph-14.2.21/src/pybind/mgr/dashboard/frontend/dist/en-US/index.html
--- ceph-14.2.20/src/pybind/mgr/dashboard/frontend/dist/en-US/index.html        
2021-04-19 16:16:38.000000000 +0200
+++ ceph-14.2.21/src/pybind/mgr/dashboard/frontend/dist/en-US/index.html        
2021-05-13 19:28:13.000000000 +0200
@@ -3,10 +3,9 @@
 <head>
   <meta charset="utf-8">
   <title>Ceph</title>
-  <base href="/">
 
   <script>
-    window['base-href'] = window.location.pathname;
+    document.write('<base href="' + document.location+ '" />');
   </script>
 
   <meta name="viewport" content="width=device-width, initial-scale=1">
@@ -25,5 +24,5 @@
   </noscript>
 
   <cd-root></cd-root>
-<script type="text/javascript" 
src="runtime.ff444394af058f159c51.js"></script><script type="text/javascript" 
src="polyfills.f31db31652a3fd9f4bca.js"></script><script type="text/javascript" 
src="scripts.fc88ef4a23399c760d0b.js"></script><script type="text/javascript" 
src="main.a755488a34fa64d1b79f.js"></script></body>
+<script type="text/javascript" 
src="runtime.ff444394af058f159c51.js"></script><script type="text/javascript" 
src="polyfills.f31db31652a3fd9f4bca.js"></script><script type="text/javascript" 
src="scripts.fc88ef4a23399c760d0b.js"></script><script type="text/javascript" 
src="main.a8acf27ca1415ab0d94b.js"></script></body>
 </html>
diff -Nru ceph-14.2.20/src/pybind/mgr/dashboard/frontend/src/app/app.module.ts 
ceph-14.2.21/src/pybind/mgr/dashboard/frontend/src/app/app.module.ts
--- ceph-14.2.20/src/pybind/mgr/dashboard/frontend/src/app/app.module.ts        
2021-04-19 16:11:15.000000000 +0200
+++ ceph-14.2.21/src/pybind/mgr/dashboard/frontend/src/app/app.module.ts        
2021-05-13 19:23:08.000000000 +0200
@@ -1,4 +1,3 @@
-import { APP_BASE_HREF } from '@angular/common';
 import { HTTP_INTERCEPTORS, HttpClientModule } from '@angular/common/http';
 import {
   ErrorHandler,
@@ -59,10 +58,6 @@
       multi: true
     },
     {
-      provide: APP_BASE_HREF,
-      useValue: window['base-href']
-    },
-    {
       provide: TRANSLATIONS,
       useFactory: (locale) => {
         locale = locale || environment.default_lang;
diff -Nru ceph-14.2.20/src/pybind/mgr/dashboard/frontend/src/index.html 
ceph-14.2.21/src/pybind/mgr/dashboard/frontend/src/index.html
--- ceph-14.2.20/src/pybind/mgr/dashboard/frontend/src/index.html       
2021-04-19 16:11:15.000000000 +0200
+++ ceph-14.2.21/src/pybind/mgr/dashboard/frontend/src/index.html       
2021-05-13 19:23:08.000000000 +0200
@@ -3,10 +3,9 @@
 <head>
   <meta charset="utf-8">
   <title>Ceph</title>
-  <base href="/">
 
   <script>
-    window['base-href'] = window.location.pathname;
+    document.write('<base href="' + document.location+ '" />');
   </script>
 
   <meta name="viewport" content="width=device-width, initial-scale=1">
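Review bot: The added `document.write('<base href="' + document.location+ '" />')` concatenates the full URL, query string and fragment included, into markup with no attribute encoding. Whether a quote character can reach that string depends on how the browser serializes the URL, so the page should not rely on it. Setting the element through the DOM avoids the string-built markup: `var b = document.createElement('base'); b.href = document.location.pathname; document.head.appendChild(b);`. The removed `window['base-href']` line also used the pathname, but confirm that the router still resolves the base as intended. The built copy in frontend/dist/en-US/index.html carries the same line and would be regenerated from this file.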
diff -Nru ceph-14.2.20/src/rgw/rgw_cors.cc ceph-14.2.21/src/rgw/rgw_cors.cc
--- ceph-14.2.20/src/rgw/rgw_cors.cc    2021-04-19 16:11:15.000000000 +0200
+++ ceph-14.2.21/src/rgw/rgw_cors.cc    2021-05-13 19:23:08.000000000 +0200
@@ -148,8 +148,9 @@
     if (s.length() > 0)
       s.append(",");
     // these values are sent to clients in a 'Access-Control-Expose-Headers'
-    // response header, so we escape '\n' to avoid header injection
-    boost::replace_all_copy(std::back_inserter(s), header, "\n", "\\n");
+    // response header, so we escape '\n' and '\r' to avoid header injection
+    std::string tmp = boost::replace_all_copy(header, "\n", "\\n");
+    boost::replace_all_copy(std::back_inserter(s), tmp, "\r", "\\r");
   }
 }
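Review bot: The escaping here is a deny-list of two characters applied when the response is built. The values go into `Access-Control-Expose-Headers`, whose entries are header field names, so a stricter control is to accept only HTTP token characters when the CORS rule is parsed and stored, and to reject everything else. The parsing path is not in this hunk, so whether such validation already exists there needs to be confirmed. As a smaller style point, the intermediate `tmp` copy could be avoided with a single pass over `header` that maps both `\n` and `\r` while appending to `s`. The enclosing function starts outside the hunk.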
 
diff -Nru ceph-14.2.20/src/rgw/rgw_rest_swift.cc 
ceph-14.2.21/src/rgw/rgw_rest_swift.cc
--- ceph-14.2.20/src/rgw/rgw_rest_swift.cc      2021-04-19 16:11:15.000000000 
+0200
+++ ceph-14.2.21/src/rgw/rgw_rest_swift.cc      2021-05-13 19:23:08.000000000 
+0200
@@ -2545,6 +2545,9 @@
     return false;
   } else if (subdir_name.back() == '/') {
     subdir_name.pop_back();
+    if (subdir_name.empty()) {
+      return false;
+    }
   }
 
   rgw_obj obj(s->bucket, std::move(subdir_name));
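Review bot: The new `subdir_name.empty()` check has no comment saying which input it guards against, and the reason is not obvious from the surrounding lines. I would add `// a name consisting only of "/" is empty after pop_back(); do not build an rgw_obj with an empty key` above the `if`. This looks like the fix for the crash listed as CVE-2021-3531 in the changelog, though the hunk does not say so. A regression test covering the slash-only name would keep the guard from being dropped later. The function begins and ends outside the hunk.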
diff -Nru ceph-14.2.20/src/test/debian-jessie/debian/changelog 
ceph-14.2.21/src/test/debian-jessie/debian/changelog
--- ceph-14.2.20/src/test/debian-jessie/debian/changelog        2021-04-21 
10:02:07.000000000 +0200
+++ ceph-14.2.21/src/test/debian-jessie/debian/changelog        2021-05-27 
12:04:21.000000000 +0200
@@ -1,3 +1,13 @@
+ceph (14.2.21-1) unstable; urgency=high
+
+  * New upstream release, resolving these:
+    - CVE-2021-3509: Cross Site Scripting via token Cookie (Closes: #988888).
+    - CVE-2021-3524: injection of HTTP headers via a CORS ExposeHeader tag in
+      the Ceph Storage RadosGW (Closes: #988889).
+    - CVE-2021-3531: RadosGW denial of service (crash) (Closes: #988890).
+
+ -- Thomas Goirand <z...@debian.org>  Thu, 27 May 2021 12:04:21 +0200
+
 ceph (14.2.20-2) unstable; urgency=medium
 
   * Add allow-bgp-to-host.patch.
diff -Nru ceph-14.2.20/src/test/ubuntu-16.04/debian/changelog 
ceph-14.2.21/src/test/ubuntu-16.04/debian/changelog
--- ceph-14.2.20/src/test/ubuntu-16.04/debian/changelog 2021-04-21 
10:02:07.000000000 +0200
+++ ceph-14.2.21/src/test/ubuntu-16.04/debian/changelog 2021-05-27 
12:04:21.000000000 +0200
@@ -1,3 +1,13 @@
+ceph (14.2.21-1) unstable; urgency=high
+
+  * New upstream release, resolving these:
+    - CVE-2021-3509: Cross Site Scripting via token Cookie (Closes: #988888).
+    - CVE-2021-3524: injection of HTTP headers via a CORS ExposeHeader tag in
+      the Ceph Storage RadosGW (Closes: #988889).
+    - CVE-2021-3531: RadosGW denial of service (crash) (Closes: #988890).
+
+ -- Thomas Goirand <z...@debian.org>  Thu, 27 May 2021 12:04:21 +0200
+
 ceph (14.2.20-2) unstable; urgency=medium
 
   * Add allow-bgp-to-host.patch.
diff -Nru ceph-14.2.20/src/test/ubuntu-18.04/debian/changelog 
ceph-14.2.21/src/test/ubuntu-18.04/debian/changelog
--- ceph-14.2.20/src/test/ubuntu-18.04/debian/changelog 2021-04-21 
10:02:07.000000000 +0200
+++ ceph-14.2.21/src/test/ubuntu-18.04/debian/changelog 2021-05-27 
12:04:21.000000000 +0200
@@ -1,3 +1,13 @@
+ceph (14.2.21-1) unstable; urgency=high
+
+  * New upstream release, resolving these:
+    - CVE-2021-3509: Cross Site Scripting via token Cookie (Closes: #988888).
+    - CVE-2021-3524: injection of HTTP headers via a CORS ExposeHeader tag in
+      the Ceph Storage RadosGW (Closes: #988889).
+    - CVE-2021-3531: RadosGW denial of service (crash) (Closes: #988890).
+
+ -- Thomas Goirand <z...@debian.org>  Thu, 27 May 2021 12:04:21 +0200
+
 ceph (14.2.20-2) unstable; urgency=medium
 
   * Add allow-bgp-to-host.patch.
