
Bug#989168: marked as done (unblock: ceph/14.2.21-1 (CVE-2021-3509, CVE-2021-3524, CVE-2021-3531))



Your message dated Fri, 28 May 2021 20:49:32 +0000
with message-id <E1lmjQC-0002Aa-5J@respighi.debian.org>
and subject line unblock ceph
has caused the Debian Bug report #989168,
regarding unblock: ceph/14.2.21-1 (CVE-2021-3509, CVE-2021-3524, CVE-2021-3531)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989168: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989168
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ceph,

I've upgraded the package to upstream release 14.2.21, which contains the
subject's CVE fixes. The Ceph release notes are over here:

https://docs.ceph.com/en/latest/releases/nautilus/

As you can see, the upstream point release only contains the 3 CVE fixes,
and one minor fix reversion.

[ Reason ]
CVE fixes.

[ Impact ]
CVE holes...

[ Tests ]
As discussed when unblocking 14.2.20, Ceph upstream has a full unit and
functional test suite that they run regularly.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

Note that I have stripped away the compiled JS code in the debdiff, as
otherwise, the debdiff would be too big.

Cheers,

Thomas Goirand (zigo)

unblock ceph/14.2.21-1
diff -Nru ceph-14.2.20/alpine/APKBUILD ceph-14.2.21/alpine/APKBUILD
--- ceph-14.2.20/alpine/APKBUILD	2021-04-19 16:13:23.000000000 +0200
+++ ceph-14.2.21/alpine/APKBUILD	2021-05-13 19:25:52.000000000 +0200
@@ -1,7 +1,7 @@
 # Contributor: John Coyle <dx9err@gmail.com>
 # Maintainer: John Coyle <dx9err@gmail.com>
 pkgname=ceph
-pkgver=14.2.20
+pkgver=14.2.21
 pkgrel=0
 pkgdesc="Ceph is a distributed object store and file system"
 pkgusers="ceph"
@@ -64,7 +64,7 @@
 	xmlstarlet
 	yasm
 "
-source="ceph-14.2.20.tar.bz2"
+source="ceph-14.2.21.tar.bz2"
 subpackages="
 	$pkgname-base
 	$pkgname-common
@@ -117,7 +117,7 @@
 _udevrulesdir=/etc/udev/rules.d
 _python_sitelib=/usr/lib/python2.7/site-packages
 
-builddir=$srcdir/ceph-14.2.20
+builddir=$srcdir/ceph-14.2.21
 
 build() {
 	export CEPH_BUILD_VIRTUALENV=$builddir
diff -Nru ceph-14.2.20/ceph.spec ceph-14.2.21/ceph.spec
--- ceph-14.2.20/ceph.spec	2021-04-19 16:13:23.000000000 +0200
+++ ceph-14.2.21/ceph.spec	2021-05-13 19:25:52.000000000 +0200
@@ -109,7 +109,7 @@
 # main package definition
 #################################################################################
 Name:		ceph
-Version:	14.2.20
+Version:	14.2.21
 Release:	0%{?dist}
 %if 0%{?fedora} || 0%{?rhel}
 Epoch:		2
@@ -125,7 +125,7 @@
 Group:		System/Filesystems
 %endif
 URL:		http://ceph.com/
-Source0:	%{?_remote_tarball_prefix}ceph-14.2.20.tar.bz2
+Source0:	%{?_remote_tarball_prefix}ceph-14.2.21.tar.bz2
 %if 0%{?suse_version}
 # _insert_obs_source_lines_here
 ExclusiveArch:  x86_64 aarch64 ppc64le s390x
@@ -1142,7 +1142,7 @@
 # common
 #################################################################################
 %prep
-%autosetup -p1 -n ceph-14.2.20
+%autosetup -p1 -n ceph-14.2.21
 
 %build
 # LTO can be enabled as soon as the following GCC bug is fixed:
diff -Nru ceph-14.2.20/CMakeLists.txt ceph-14.2.21/CMakeLists.txt
--- ceph-14.2.20/CMakeLists.txt	2021-04-19 16:11:15.000000000 +0200
+++ ceph-14.2.21/CMakeLists.txt	2021-05-13 19:23:08.000000000 +0200
@@ -1,7 +1,7 @@
 cmake_minimum_required(VERSION 3.5.1)
 
 project(ceph CXX C ASM)
-set(VERSION 14.2.20)
+set(VERSION 14.2.21)
 
 if(POLICY CMP0028)
   cmake_policy(SET CMP0028 NEW)
diff -Nru ceph-14.2.20/debian/changelog ceph-14.2.21/debian/changelog
--- ceph-14.2.20/debian/changelog	2021-04-21 10:02:07.000000000 +0200
+++ ceph-14.2.21/debian/changelog	2021-05-27 12:04:21.000000000 +0200
@@ -1,3 +1,13 @@
+ceph (14.2.21-1) unstable; urgency=high
+
+  * New upstream release, resolving these:
+    - CVE-2021-3509: Cross Site Scripting via token Cookie (Closes: #988888).
+    - CVE-2021-3524: injection of HTTP headers via a CORS ExposeHeader tag in
+      the Ceph Storage RadosGW (Closes: #988889).
+    - CVE-2021-3531: RadosGW denial of service (crash) (Closes: #988890).
+
+ -- Thomas Goirand <zigo@debian.org>  Thu, 27 May 2021 12:04:21 +0200
+
 ceph (14.2.20-2) unstable; urgency=medium
 
   * Add allow-bgp-to-host.patch.
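Review bot: The new changelog entry lists only the three CVEs, while the unblock request says the upstream point release also carries one minor fix reversion; add a bullet naming that reversion so the entry matches the "all changes are documented in the d/changelog" checklist item.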
diff -Nru ceph-14.2.20/src/.git_version ceph-14.2.21/src/.git_version
--- ceph-14.2.20/src/.git_version	2021-04-19 16:13:23.000000000 +0200
+++ ceph-14.2.21/src/.git_version	2021-05-13 19:25:52.000000000 +0200
@@ -1,2 +1,2 @@
-36274af6eb7f2a5055f2d53ad448f2694e9046a0
-v14.2.20
+5ef401921d7a88aea18ec7558f7f9374ebd8f5a6
+v14.2.21
diff -Nru ceph-14.2.20/src/pybind/mgr/dashboard/controllers/docs.py ceph-14.2.21/src/pybind/mgr/dashboard/controllers/docs.py
--- ceph-14.2.20/src/pybind/mgr/dashboard/controllers/docs.py	2021-04-19 16:11:15.000000000 +0200
+++ ceph-14.2.21/src/pybind/mgr/dashboard/controllers/docs.py	2021-05-13 19:23:08.000000000 +0200
@@ -3,8 +3,7 @@
 
 import cherrypy
 
-from . import Controller, BaseController, Endpoint, ENDPOINT_MAP, \
-    allow_empty_body
+from . import Controller, BaseController, Endpoint, ENDPOINT_MAP
 from .. import logger, mgr
 
 from ..tools import str_to_bool
@@ -366,31 +365,13 @@
     def api_all_json(self):
         return self._gen_spec(True, "/api")
 
-    def _swagger_ui_page(self, all_endpoints=False, token=None):
+    def _swagger_ui_page(self, all_endpoints=False):
         base = cherrypy.request.base
         if all_endpoints:
             spec_url = "{}/docs/api-all.json".format(base)
         else:
             spec_url = "{}/docs/api.json".format(base)
 
-        auth_header = cherrypy.request.headers.get('authorization')
-        auth_cookie = cherrypy.request.cookie['token']
-        jwt_token = ""
-        if auth_cookie is not None:
-            jwt_token = auth_cookie.value
-        elif auth_header is not None:
-            scheme, params = auth_header.split(' ', 1)
-            if scheme.lower() == 'bearer':
-                jwt_token = params
-        else:
-            if token is not None:
-                jwt_token = token
-
-        api_key_callback = """, onComplete: () => {{
-                        ui.preauthorizeApiKey('jwt', '{}');
-                    }}
-        """.format(jwt_token)
-
         page = """
         <!DOCTYPE html>
         <html>
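Review bot: Dropping the `token` parameter and the whole `jwt_token` block from `_swagger_ui_page` removes the Swagger UI pre-authorization with no comment or docstring recording why; add a short comment stating that the token is intentionally no longer written into the page, since the removed `ui.preauthorizeApiKey('jwt', '{}')` line formatted the cookie or header value into inline script without escaping. A test asserting that the rendered page contains no token value would keep this from being reintroduced.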
@@ -431,23 +412,16 @@
                         SwaggerUIBundle.presets.apis
                     ],
                     layout: "BaseLayout"
-                    {}
                 }})
                 window.ui = ui
             }}
         </script>
         </body>
         </html>
-        """.format(spec_url, api_key_callback)
+        """.format(spec_url)
 
         return page
 
     @Endpoint(json_response=False)
     def __call__(self, all_endpoints=False):
         return self._swagger_ui_page(all_endpoints)
-
-    @Endpoint('POST', path="/", json_response=False,
-              query_params="{all_endpoints}")
-    @allow_empty_body
-    def _with_token(self, token, all_endpoints=False):
-        return self._swagger_ui_page(all_endpoints, token)
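Review bot: `spec_url` is still inserted into the page with plain `.format(spec_url)`, and it is built from `cherrypy.request.base`, a request-derived value; if its placeholder sits inside the `<script>` block, encode it for that context (for example with `json.dumps`) rather than relying on the value being benign. Removing the POST `_with_token` endpoint also changes the API surface and deserves a line in the release documentation.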
diff -Nru ceph-14.2.20/src/pybind/mgr/dashboard/frontend/dist/en-US/index.html ceph-14.2.21/src/pybind/mgr/dashboard/frontend/dist/en-US/index.html
--- ceph-14.2.20/src/pybind/mgr/dashboard/frontend/dist/en-US/index.html	2021-04-19 16:16:38.000000000 +0200
+++ ceph-14.2.21/src/pybind/mgr/dashboard/frontend/dist/en-US/index.html	2021-05-13 19:28:13.000000000 +0200
@@ -3,10 +3,9 @@
 <head>
   <meta charset="utf-8">
   <title>Ceph</title>
-  <base href="/">
 
   <script>
-    window['base-href'] = window.location.pathname;
+    document.write('<base href="' + document.location+ '" />');
   </script>
 
   <meta name="viewport" content="width=device-width, initial-scale=1">
@@ -25,5 +24,5 @@
   </noscript>
 
   <cd-root></cd-root>
-<script type="text/javascript" src="runtime.ff444394af058f159c51.js"></script><script type="text/javascript" src="polyfills.f31db31652a3fd9f4bca.js"></script><script type="text/javascript" src="scripts.fc88ef4a23399c760d0b.js"></script><script type="text/javascript" src="main.a755488a34fa64d1b79f.js"></script></body>
+<script type="text/javascript" src="runtime.ff444394af058f159c51.js"></script><script type="text/javascript" src="polyfills.f31db31652a3fd9f4bca.js"></script><script type="text/javascript" src="scripts.fc88ef4a23399c760d0b.js"></script><script type="text/javascript" src="main.a8acf27ca1415ab0d94b.js"></script></body>
 </html>
diff -Nru ceph-14.2.20/src/pybind/mgr/dashboard/frontend/src/app/app.module.ts ceph-14.2.21/src/pybind/mgr/dashboard/frontend/src/app/app.module.ts
--- ceph-14.2.20/src/pybind/mgr/dashboard/frontend/src/app/app.module.ts	2021-04-19 16:11:15.000000000 +0200
+++ ceph-14.2.21/src/pybind/mgr/dashboard/frontend/src/app/app.module.ts	2021-05-13 19:23:08.000000000 +0200
@@ -1,4 +1,3 @@
-import { APP_BASE_HREF } from '@angular/common';
 import { HTTP_INTERCEPTORS, HttpClientModule } from '@angular/common/http';
 import {
   ErrorHandler,
@@ -59,10 +58,6 @@
       multi: true
     },
     {
-      provide: APP_BASE_HREF,
-      useValue: window['base-href']
-    },
-    {
       provide: TRANSLATIONS,
       useFactory: (locale) => {
         locale = locale || environment.default_lang;
diff -Nru ceph-14.2.20/src/pybind/mgr/dashboard/frontend/src/index.html ceph-14.2.21/src/pybind/mgr/dashboard/frontend/src/index.html
--- ceph-14.2.20/src/pybind/mgr/dashboard/frontend/src/index.html	2021-04-19 16:11:15.000000000 +0200
+++ ceph-14.2.21/src/pybind/mgr/dashboard/frontend/src/index.html	2021-05-13 19:23:08.000000000 +0200
@@ -3,10 +3,9 @@
 <head>
   <meta charset="utf-8">
   <title>Ceph</title>
-  <base href="/">
 
   <script>
-    window['base-href'] = window.location.pathname;
+    document.write('<base href="' + document.location+ '" />');
   </script>
 
   <meta name="viewport" content="width=device-width, initial-scale=1">
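Review bot: The added `document.write('<base href="' + document.location+ '" />')` concatenates the full URL, including query string and fragment, into markup, where the removed code only read `window.location.pathname`; the attribute is then only as safe as the browser's URL encoding of quote characters. Build the element through the DOM instead (create a `base` element and assign its `href` from `location.pathname`), and apply the same change to the built `dist/en-US/index.html`, which carries the identical line.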
diff -Nru ceph-14.2.20/src/rgw/rgw_cors.cc ceph-14.2.21/src/rgw/rgw_cors.cc
--- ceph-14.2.20/src/rgw/rgw_cors.cc	2021-04-19 16:11:15.000000000 +0200
+++ ceph-14.2.21/src/rgw/rgw_cors.cc	2021-05-13 19:23:08.000000000 +0200
@@ -148,8 +148,9 @@
     if (s.length() > 0)
       s.append(",");
     // these values are sent to clients in a 'Access-Control-Expose-Headers'
-    // response header, so we escape '\n' to avoid header injection
-    boost::replace_all_copy(std::back_inserter(s), header, "\n", "\\n");
+    // response header, so we escape '\n' and '\r' to avoid header injection
+    std::string tmp = boost::replace_all_copy(header, "\n", "\\n");
+    boost::replace_all_copy(std::back_inserter(s), tmp, "\r", "\\r");
   }
 }
 
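Review bot: The escaping at `boost::replace_all_copy(std::back_inserter(s), tmp, "\r", "\\r")` extends a two-character denylist, so any other byte that is invalid in a header value still reaches the `Access-Control-Expose-Headers` response header; prefer rejecting an ExposeHeader entry that contains control characters when the CORS configuration is parsed, or validating each entry as an HTTP field name. If the escape stays, a single pass over `header` would avoid the `tmp` copy made for every entry.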
diff -Nru ceph-14.2.20/src/rgw/rgw_rest_swift.cc ceph-14.2.21/src/rgw/rgw_rest_swift.cc
--- ceph-14.2.20/src/rgw/rgw_rest_swift.cc	2021-04-19 16:11:15.000000000 +0200
+++ ceph-14.2.21/src/rgw/rgw_rest_swift.cc	2021-05-13 19:23:08.000000000 +0200
@@ -2545,6 +2545,9 @@
     return false;
   } else if (subdir_name.back() == '/') {
     subdir_name.pop_back();
+    if (subdir_name.empty()) {
+      return false;
+    }
   }
 
   rgw_obj obj(s->bucket, std::move(subdir_name));
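Review bot: The new `if (subdir_name.empty())` check has no comment explaining that a name consisting only of `/` becomes an empty object name after `pop_back()`; add one, plus a regression test for that input. Only one trailing slash is stripped, so also confirm that the branch ending in the first `return false` already covers an empty `subdir_name`, since `back()` on an empty string is undefined.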
diff -Nru ceph-14.2.20/src/test/debian-jessie/debian/changelog ceph-14.2.21/src/test/debian-jessie/debian/changelog
--- ceph-14.2.20/src/test/debian-jessie/debian/changelog	2021-04-21 10:02:07.000000000 +0200
+++ ceph-14.2.21/src/test/debian-jessie/debian/changelog	2021-05-27 12:04:21.000000000 +0200
@@ -1,3 +1,13 @@
+ceph (14.2.21-1) unstable; urgency=high
+
+  * New upstream release, resolving these:
+    - CVE-2021-3509: Cross Site Scripting via token Cookie (Closes: #988888).
+    - CVE-2021-3524: injection of HTTP headers via a CORS ExposeHeader tag in
+      the Ceph Storage RadosGW (Closes: #988889).
+    - CVE-2021-3531: RadosGW denial of service (crash) (Closes: #988890).
+
+ -- Thomas Goirand <zigo@debian.org>  Thu, 27 May 2021 12:04:21 +0200
+
 ceph (14.2.20-2) unstable; urgency=medium
 
   * Add allow-bgp-to-host.patch.
diff -Nru ceph-14.2.20/src/test/ubuntu-16.04/debian/changelog ceph-14.2.21/src/test/ubuntu-16.04/debian/changelog
--- ceph-14.2.20/src/test/ubuntu-16.04/debian/changelog	2021-04-21 10:02:07.000000000 +0200
+++ ceph-14.2.21/src/test/ubuntu-16.04/debian/changelog	2021-05-27 12:04:21.000000000 +0200
@@ -1,3 +1,13 @@
+ceph (14.2.21-1) unstable; urgency=high
+
+  * New upstream release, resolving these:
+    - CVE-2021-3509: Cross Site Scripting via token Cookie (Closes: #988888).
+    - CVE-2021-3524: injection of HTTP headers via a CORS ExposeHeader tag in
+      the Ceph Storage RadosGW (Closes: #988889).
+    - CVE-2021-3531: RadosGW denial of service (crash) (Closes: #988890).
+
+ -- Thomas Goirand <zigo@debian.org>  Thu, 27 May 2021 12:04:21 +0200
+
 ceph (14.2.20-2) unstable; urgency=medium
 
   * Add allow-bgp-to-host.patch.
diff -Nru ceph-14.2.20/src/test/ubuntu-18.04/debian/changelog ceph-14.2.21/src/test/ubuntu-18.04/debian/changelog
--- ceph-14.2.20/src/test/ubuntu-18.04/debian/changelog	2021-04-21 10:02:07.000000000 +0200
+++ ceph-14.2.21/src/test/ubuntu-18.04/debian/changelog	2021-05-27 12:04:21.000000000 +0200
@@ -1,3 +1,13 @@
+ceph (14.2.21-1) unstable; urgency=high
+
+  * New upstream release, resolving these:
+    - CVE-2021-3509: Cross Site Scripting via token Cookie (Closes: #988888).
+    - CVE-2021-3524: injection of HTTP headers via a CORS ExposeHeader tag in
+      the Ceph Storage RadosGW (Closes: #988889).
+    - CVE-2021-3531: RadosGW denial of service (crash) (Closes: #988890).
+
+ -- Thomas Goirand <zigo@debian.org>  Thu, 27 May 2021 12:04:21 +0200
+
 ceph (14.2.20-2) unstable; urgency=medium
 
   * Add allow-bgp-to-host.patch.

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
