Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
da6b1dfb by Markus Koschany at 2021-08-11T15:24:11+02:00
Mark CVE-2020-25678, CVE-2021-20288, ceph as no-dsa for Stretch and postpone CVE-2020-27781

CVE-2021-20288
The fix is to implement a new option to disallow unauthorized global_id reuse and to make a distinction between legacy clients and new clients. The risks are too high in this case to break setups which rely on the current behavior. For legacy clients like the ones in Jessie the default behavior will be permissive for the foreseeable future, hence there is no need to implement a possibly disruptive change.

CVE-2020-25678
Sensitive information is only visible in debug mode. A simple workaround would be to make the log files not world-readable.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -44929,6 +44929,7 @@ CVE-2021-20289 (A flaw was found in RESTEasy in all
versions of RESTEasy up to 4
CVE-2021-20288 (An authentication flaw was found in ceph in versions before
14.2.20. W ...)
- ceph 14.2.20-1 (bug #986974)
[buster] - ceph <no-dsa> (Minor issue)
+ [stretch] - ceph <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/04/14/2
NOTE:
https://github.com/ceph/ceph/commit/059eabcc0ada81078a898cdc25cf72bf3d506ad0
NOTE:
https://github.com/ceph/ceph/commit/05b3b6a305ddbb56cc53bbeadf5866db4d785f49
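Review bot: the rationale given in the commit message for this hunk refers to "legacy clients like the ones in Jessie", but the line added here is `+ [stretch] - ceph <no-dsa> (Minor issue)`; please state in the commit message (or in a NOTE line under the entry) that the same permissive default applies to the Stretch client, so the no-dsa decision for stretch is documented on its own terms rather than by reference to a different release.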
@@ -56280,6 +56281,7 @@ CVE-2020-27782 (A flaw was found in the Undertow AJP
connector. Malicious reques
CVE-2020-27781 (User credentials can be manipulated and stolen by Native
CephFS consum ...)
- ceph 14.2.16-1 (bug #985670)
[buster] - ceph <no-dsa> (Minor issue)
+ [stretch] - ceph <postponed> (Minor issue)
NOTE: https://bugs.launchpad.net/manila/+bug/1904015
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1900109
NOTE:
https://github.com/ceph/ceph/commit/1b8a634fdcd94dfb3ba650793fb1b6d09af65e05
(octopus)
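Review bot: this hunk marks CVE-2020-27781 as `<postponed>` for stretch, but the commit message only gives reasons for CVE-2021-20288 and CVE-2020-25678 and says nothing about why this one is postponed rather than marked no-dsa like the buster entry directly above it. A short NOTE line after the existing ones (for example what is still pending before a stretch update can be prepared) would make the status self-explaining to the next person triaging the entry.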
@@ -61826,6 +61828,7 @@ CVE-2020-25679
CVE-2020-25678 (A flaw was found in ceph in versions prior to 16.y.z where
ceph stores ...)
- ceph 14.2.18-1
[buster] - ceph <no-dsa> (Minor issue)
+ [stretch] - ceph <no-dsa> (Minor issue)
NOTE: https://tracker.ceph.com/issues/37503
NOTE: https://github.com/ceph/ceph/pull/38614 (v14.2.17)
CVE-2020-25677 (A flaw was found in Ceph-ansible v4.0.41 where it creates an
/etc/ceph ...)
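Review bot: the reasoning that justifies the `+ [stretch] - ceph <no-dsa> (Minor issue)` line here (information only exposed in debug mode, mitigated by making the log files not world-readable) lives only in the commit message, while the entry itself carries just the upstream tracker and PR links. Consider adding it as a NOTE line under the entry, alongside the existing NOTE lines, since the tracker entry is what triagers and users see, not the commit log.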
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da6b1dfbb9bd265a043ac20df4d21e0f7da5f205
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits