ESB-2018.3551.2 - UPDATE [Debian] ceph: Multiple vulnerabilities 2018-11-22


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.3551.2
                           ceph security update
                             22 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ceph
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Increased Privileges -- Existing Account            
                   Denial of Service    -- Existing Account            
                   Unauthorised Access  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1129 CVE-2018-1128 CVE-2018-1086
                   CVE-2017-7519  

Reference:         ESB-2017.2808
                   ESB-2018.1103

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4339
   https://lists.debian.org/debian-security-announce/2018/msg00274.html

Comment: This bulletin contains two (2) Debian security advisories.

Revision History:  November 22 2018: Added DSA-4339-2 update
                   November 14 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4339-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 13, 2018                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : ceph
CVE ID         : CVE-2017-7519 CVE-2018-1086 CVE-2018-1128 CVE-2018-1129

Multiple vulnerabilities were discovered in Ceph, a distributed storage
and file system: The cephx authentication protocol was susceptible to
replay attacks and calculated signatures incorrectly, "ceph mon" did not
validate capabilities for pool operations (resulting in potential
corruption or deletion of snapshot images) and a format string
vulnerability in libradosstriper could result in denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 10.2.11-1.

We recommend that you upgrade your ceph packages.

For the detailed security status of ceph please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ceph

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- ---------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4339-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 21, 2018                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : ceph
Debian Bug     : 913909

The update for ceph issued as DSA-4339-1 caused a build regression for
the i386 builds. Updated packages are now available to address this
issue. For reference, the original advisory text follows.

Multiple vulnerabilities were discovered in Ceph, a distributed storage
and file system: The cephx authentication protocol was susceptible to
replay attacks and calculated signatures incorrectly, "ceph mon" did not
validate capabilities for pool operations (resulting in potential
corruption or deletion of snapshot images) and a format string
vulnerability in libradosstriper could result in denial of service.

For the stable distribution (stretch), this problem has been fixed in
version 10.2.11-2.

We recommend that you upgrade your ceph packages.

For the detailed security status of ceph please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/ceph

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
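Added example, not part of the Debian advisories or the AusCERT text: a Python check that orders a dpkg-style version string against the stretch fix version 10.2.11-2 named in DSA-4339-2, following the dpkg comparison rules (epoch, then upstream version, then Debian revision, with "~" sorting before everything including end of string), so that a naive string comparison of 10.2.5 against 10.2.11 does not misreport a host as patched. The sample version strings used in the comments and checks are constructed, not taken from the bulletin.

```python
import re

FIXED_VERSION = "10.2.11-2"  # stretch fix version for DSA-4339-2, from the bulletin above


def _order(c):
    """Weight of one non-digit char: '~' < end-of-part < letters < everything else."""
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """Compare one upstream_version or debian_revision the way dpkg does."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group()   # leading non-digit runs, char by char
        nb = re.match(r"[^0-9]*", b).group()
        for i in range(max(len(na), len(nb))):
            d = _order(na[i:i + 1]) - _order(nb[i:i + 1])
            if d:
                return d
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group()    # then numeric runs, compared as integers
        db = re.match(r"[0-9]*", b).group()
        d = int(da or 0) - int(db or 0)
        if d:
            return d
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                                # no hyphen: everything is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Negative, zero or positive as a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed ceph version is at or beyond the DSA-4339-2 fix."""
    return compare_versions(installed, fixed) >= 0
```

Feed it the output of `dpkg-query -W -f '${Version}' ceph` on the host; a stretch-backports build such as 10.2.11-2~bpo9+1 (constructed) correctly sorts below the fix, while a later security rebuild such as 10.2.11-2+deb9u1 (constructed) sorts above it.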

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
