Your message dated Wed, 07 Jan 2026 08:53:55 +0000
with message-id <[email protected]>
and subject line Bug#1120797: fixed in ceph 18.2.7+ds-1.1
has caused the Debian Bug report #1120797,
regarding ceph: CVE-2024-47866
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1120797: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120797
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ceph
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerability was published for ceph.
CVE-2024-47866[0]:
| Ceph is a distributed object, block, and file storage platform. In
| versions up to and including 19.2.3, using the argument
| `x-amz-copy-source` to put an object and specifying an empty string as
| its content leads to the RGW daemon crashing, resulting in a DoS attack.
| As of time of publication, no known patched versions exist.
https://www.openwall.com/lists/oss-security/2025/11/11/3
https://github.com/ceph/ceph/security/advisories/GHSA-mgrm-g92q-f8h8
https://tracker.ceph.com/issues/72669
https://github.com/ceph/ceph/pull/65159
https://github.com/ceph/ceph/commit/bef59f17293e6e93af025eba1e00646d0b1a2bf0
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-47866
https://www.cve.org/CVERecord?id=CVE-2024-47866
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: ceph
Source-Version: 18.2.7+ds-1.1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ceph, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated ceph package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 05 Jan 2026 20:03:35 +0200
Source: ceph
Architecture: source
Version: 18.2.7+ds-1.1
Distribution: unstable
Urgency: medium
Maintainer: Ceph Packaging Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1096424 1120797
Changes:
ceph (18.2.7+ds-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Backport upstream fix for FTBFS with GCC 15. (Closes: #1096424)
* CVE-2024-47866: RGW DoS attack with empty HTTP header in S3
object copy. (Closes: #1120797)
Checksums-Sha1:
3bcdeb90ae32b948bd06e69ca7eb0ec0cb848f0d 8693 ceph_18.2.7+ds-1.1.dsc
864b2270165d4de4b67ecb613ff53a003ae00ccd 141712
ceph_18.2.7+ds-1.1.debian.tar.xz
Checksums-Sha256:
b752114a4c7d94ab82a99672239645bb43ac951d72bc1efa94714016514eab68 8693
ceph_18.2.7+ds-1.1.dsc
21d535b78fbb6b5aa912e63ef216db3b3074206b6f3fbb114be95852dc28a6ac 141712
ceph_18.2.7+ds-1.1.debian.tar.xz
Files:
4bbf6ba010dc4d6d17537e72f67a9a23 8693 admin optional ceph_18.2.7+ds-1.1.dsc
fe22e51cf233c4bb4dc93015c6a82ee5 141712 admin optional
ceph_18.2.7+ds-1.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---