Bugzilla – Bug 1007217
VUL-0: CVE-2016-8626: ceph: RGW Denial of Service by sending POST object with null conditions
Last modified: 2018-04-26 22:36:37 UTC
A flaw was found by which an attacker can send a POST object with null conditions
to the Ceph RADOS Gateway, which would lead to a crash of the ceph-radosgw service, resulting in
denial of service.
The fix for this and a reproducer script are available at: http://tracker.ceph.com/issues/17635
bugbot adjusting priority
The jewel fix is https://github.com/ceph/ceph/pull/11662 which has been merged upstream and will be included in the upcoming 10.2.4 release.
The hammer fix is https://github.com/ceph/ceph/pull/11809 which has been staged, but not yet merged. Still, I hope to get it into the upcoming 0.94.10 release.
SES4: fix has been merged and will be in M6
SES3: fix will be included in the next maintenance update (as soon as upstream releases 10.2.4)
SES2.1: fix will be included in the next maintenance update (as soon as upstream releases 0.94.10 and assuming there are no unexpected difficulties getting the upstream fix merged in time)
Upstream update: hammer backport was just merged and will be included in 0.94.10
The patch just made it into our downstream ses3 branch. Assuming the updated branch builds and passes our CI, it will be submitted as a maintenance update to SES3.
SES2.1 is still a WIP.
SUSE-SU-2017:0758-1: An update that solves one vulnerability and has 6 fixes is now available.
Category: security (moderate)
Bug References: 1007217,1008435,1008894,1012100,1014338,1015748,1019616
CVE References: CVE-2016-8626
SUSE Enterprise Storage 3 (src): ceph-10.2.5+git.1485186288.4e3c6c4-12.2, ceph-test-10.2.5+git.1485186288.4e3c6c4-12.2
An update was released for Storage 4 (but without this tracker bug being referenced); the 10.2.5 ceph version is fixed.
adjusted tracking to exclude SUSE:SLE-11-SP3:Update