Hi

Salvatore Bonaccorso <car...@debian.org> writes:

> Hi,
>
> the following vulnerability was published for ceph.
>
> CVE-2018-7262[0]:
> |Malformed HTTP requests handled in rgw_civetweb.cc:RGW::init_env() can
> |lead to NULL pointer dereference

Thanks for the information. I backported the upstream fix to the version in stretch and I'm currently in the process of building the package (takes several hours).

How do you want me to proceed if the package builds fine and testing does not result in any errors? This may lead to a crash of the RGW process if sent a malformed HTTP header which could result in a denial of service. Does this warrant an upload to security or should this only be fixed via a stable point release?

Do you want to review the debdiff before the upload? The debdiff of the test package I'm currently building is attached to this mail.

FYI RGW is the part of Ceph which implements the Amazon S3 API on top of the Ceph distributed storage.

Gaudenz

ceph_10.2.5-7.2+deb9u1.debdiff
Description: Binary data
-- PGP: 836E 4F81 EFBB ADA7 0852 79BF A97A 7702 BAF9 1EF5