Hi Thomas,

On Wed, Dec 14, 2022 at 11:52:16AM +0100, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian....@packages.debian.org
> Usertags: pu
>
> Hi,
>
> I have prepared an update for Ceph in Bullseye to address
> CVE-2022-3650 (i.e. ceph to root privilege escalation).
> The security team already told me that there will be no DSA.
>
> [ Reason ]
> (Explain what the reason for the (old-)stable update is. I.e.
> what is the bug, when was it introduced, is this a regression
> with respect to the previous (old-)stable.)
>
> [ Impact ]
> Anyone logged in as Ceph can become root whenever there's a disk
> event without the attached patch.
>
> [ Tests ]
> Upstream runs a functional test suite, and I trust it.
>
> [ Risks ]
> The code is quite trivial and easy to backport (Python code).
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> The Python code checks input better and avoids privilege escalation.
> See attached debdiff, it's quite readable.
>
> Cheers,
>
> Thomas Goirand (zigo)
> diff -Nru ceph-14.2.21/debian/changelog ceph-14.2.21/debian/changelog
> --- ceph-14.2.21/debian/changelog 2021-05-27 12:04:21.000000000 +0200
> +++ ceph-14.2.21/debian/changelog 2022-11-30 14:20:19.000000000 +0100
> @@ -1,3 +1,10 @@
> +ceph (14.2.21-1+deb11u1) bullseye-security; urgency=medium
> +
> + * CVE-2022-3650: privilege escalation from the ceph user to root. Applied
> + upstream patches (Closes: #1024932).

For the upload via bullseye-pu the target distribution needs to be changed as well to 'bullseye'.

Regards,
Salvatore
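Review bot: the new changelog stanza in the first `+` line targets `bullseye-security`, while the request itself is a pu upload (`Usertags: pu`, `Tags: bullseye`) and the security team has said there will be no DSA, so that distribution field should read `bullseye` before the upload is accepted. Note also that the hunk header announces ten lines in the new file but only the first four added lines are visible here, so the remainder of the stanza (including the trailer line) cannot be checked from this excerpt.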