
Bug#784373: [Ceph-maintainers] Bug#784373: jessie-pu: package ceph/0.80.9-2 (pre approval)



Control: clone 784373 -1
Control: retitle -1 jessie-pu: package ceph/0.80.7-2+deb8u1
Control: retitle 784373 jessie-pu: package ceph/0.80.11-1 (pre approval)

Hi 

Gaudenz Steinlin <gaudenz@debian.org> writes:

> Hi Julien
>
> Do you need any additional information? I would like to have a decision
> on this soon as I really want to get at least CVE-2015-5245 fixed in the
> next Debian stable release. This is a minor security issue which was
> deferred by the Security Team to a stable update and there was no DSA
> issued for it.
>
> To be able to prepare the upload for the stable release I need to know
> if you agree to follow the upstream maintenance releases or if I have to
> do an upload with only the security issue fixed. If I got the timing
> right, the next point release is still scheduled for 24th January. So
> there is only little time left to prepare the upload.
>
> As this is now undecided for quite a long time I would even prefer a NACK
> to having this unresolved any longer if you don't feel comfortable with
> the idea of having the maintenance releases in stable. This way I at
> least know that I don't have to bother anymore.
>
> If you don't want to rush things but are in general fine with the idea,
> I'm also fine with only fixing the security bug now as the time is quite
> tight and uploading 0.80.11 for the Debian 8.4 point release.

As I did not get any feedback I have now uploaded ceph/0.80.7-2+deb8u1
with only the security bug fixed. I think this is really the minimum
that should go into the next stable point release and I don't think
there is any concern about this. I cloned the original bug report to
track this jessie-pu request. The debdiff to the version currently in
stable is attached. It's minimal.

I would still appreciate an answer on #784373. Even if it's just that the
stable team does not currently have the resources to evaluate this
request and therefore declines to make an exception to the usual stable
update rules. This would not be the answer I had hoped for, but at least
I then know that I don't have to invest more time into the 0.80.X series
of ceph.

Gaudenz

diff -Nru ceph-0.80.7/debian/changelog ceph-0.80.7/debian/changelog
--- ceph-0.80.7/debian/changelog	2014-12-11 02:55:49.000000000 +0100
+++ ceph-0.80.7/debian/changelog	2016-01-15 10:42:14.000000000 +0100
@@ -1,3 +1,9 @@
+ceph (0.80.7-2+deb8u1) jessie; urgency=medium
+
+  * [61b5e0] Patch to fix CVE-2015-5245 applied from upstream (Closes: #798567)
+
+ -- Gaudenz Steinlin <gaudenz@debian.org>  Fri, 15 Jan 2016 10:41:27 +0100
+
 ceph (0.80.7-2) unstable; urgency=medium
 
   * Team upload.
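Review bot: the changelog line "Patch to fix CVE-2015-5245 applied from upstream" understates what the patch file itself says, namely that it is an adapted version of upstream commit ad5507fe0bf72ed5bdf8353e315cc9092c740144 carrying only the changes needed for this CVE. Wording the entry as a backport of that commit (for example "Backport of upstream ad5507fe to fix CVE-2015-5245") tells anyone reading the stable changelog that the package does not contain upstream's complete fix.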
diff -Nru ceph-0.80.7/debian/gbp.conf ceph-0.80.7/debian/gbp.conf
--- ceph-0.80.7/debian/gbp.conf	2014-12-11 02:33:33.000000000 +0100
+++ ceph-0.80.7/debian/gbp.conf	2016-01-15 10:41:01.000000000 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-#debian-branch = experimental
+debian-branch = jessie-security
 pristine-tar = True
 
 [import-orig]
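Review bot: `debian-branch = jessie-security` does not match where this upload goes: the changelog targets the `jessie` distribution through a jessie-pu request, not the security suite, so a branch named for jessie-security is misleading to the next person building from git. Either name the branch after the target suite or leave the line commented out as before; the change is also unrelated to the CVE fix and adds noise to a debdiff described as minimal.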
diff -Nru ceph-0.80.7/debian/patches/CVE-2015-5245.patch ceph-0.80.7/debian/patches/CVE-2015-5245.patch
--- ceph-0.80.7/debian/patches/CVE-2015-5245.patch	1970-01-01 01:00:00.000000000 +0100
+++ ceph-0.80.7/debian/patches/CVE-2015-5245.patch	2016-01-15 10:41:01.000000000 +0100
@@ -0,0 +1,35 @@
+From ad5507fe0bf72ed5bdf8353e315cc9092c740144 Mon Sep 17 00:00:00 2001
+From: Yehuda Sadeh <yehuda@redhat.com>
+Date: Thu, 30 Jul 2015 14:47:15 -0700
+Subject: [PATCH] rgw: url encode exposed bucket
+
+Fixes: #12537
+Don't send the bucket name back without url encoding it.
+
+Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
+
+The patch below is an adapted version for ceph 0.80.7 to only contain
+the necessary changes to fix this vulnerability. Neither the quoting 
+of the bucket name nor the missing \r are fixed.
+(see http://tracker.ceph.com/issues/9254 and http://tracker.ceph.com/issues/11860)
+
+---
+ src/rgw/rgw_rest.cc | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/src/rgw/rgw_rest.cc
++++ b/src/rgw/rgw_rest.cc
+@@ -272,8 +272,11 @@
+ {
+   int expose_bucket = g_conf->rgw_expose_bucket;
+   if (expose_bucket) {
+-    if (!s->bucket_name_str.empty())
+-      s->cio->print("Bucket: \"%s\"\n", s->bucket_name_str.c_str());
++    if (!s->bucket_name_str.empty()) {
++      string b;
++      url_encode(s->bucket_name_str, b);
++      s->cio->print("Bucket: \"%s\"\n", b.c_str());
++    }
+   }
+ }
+ 
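Review bot: the hunk adds no `#include`, so confirm that `url_encode(const string&, string&)` is already declared through a header rgw_rest.cc pulls in at 0.80.7; otherwise the backport applies cleanly but does not compile. The replacement line keeps `"Bucket: \"%s\"\n"` with a bare `\n`, and the note above the hunk says the missing `\r` is intentionally left out for this backport; a sentence in the patch header saying why the LF-only header line is acceptable here would save the next reviewer from re-opening that question, since keeping control characters from the bucket name out of that line is the whole point of the fix. The free-text paragraph between `Signed-off-by:` and `---` would also be clearer as DEP-3 fields (`Origin:`, `Bug:`, `Bug-Debian:`) so tooling can see that this is an adapted upstream commit rather than a verbatim cherry-pick.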
diff -Nru ceph-0.80.7/debian/patches/series ceph-0.80.7/debian/patches/series
--- ceph-0.80.7/debian/patches/series	2014-12-11 02:33:47.000000000 +0100
+++ ceph-0.80.7/debian/patches/series	2016-01-15 10:41:01.000000000 +0100
@@ -14,6 +14,7 @@
 bash-completion.patch
 rbdmap1-mount.patch
 rbdmap2-hooks.patch
+CVE-2015-5245.patch
 
 ## Debian
 rbdmap3-lazyumount.patch
