Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.3551.2 ceph security update 22 November 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: ceph Publisher: Debian Operating System: Debian GNU/Linux 9 Impact/Access: Increased Privileges -- Existing Account Denial of Service -- Existing Account Unauthorised Access -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2018-1129 CVE-2018-1128 CVE-2018-1086 CVE-2017-7519 Reference: ESB-2017.2808 ESB-2018.1103 Original Bulletin: http://www.debian.org/security/2018/dsa-4339 https://lists.debian.org/debian-security-announce/2018/msg00274.html Comment: This bulletin contains two (2) Debian security advisories. Revision History: November 22 2018: Added DSA-4339-2 update November 14 2018: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-4339-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff November 13, 2018 https://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : ceph CVE ID : CVE-2017-7519 CVE-2018-1086 CVE-2018-1128 CVE-2018-1129 Multiple vulnerabilities were discovered in Ceph, a distributed storage and file system: The cephx authentication protocol was suspectible to replay attacks and calculated signatures incorrectly, "ceph mon" did not validate capabilities for pool operations (resulting in potential corruption or deletion of snapshot images) and a format string vulnerability in libradosstriper could result in denial of service. For the stable distribution (stretch), these problems have been fixed in version 10.2.11-1. We recommend that you upgrade your ceph packages. For the detailed security status of ceph please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ceph Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlvrRh8ACgkQEMKTtsN8 TjZEMQ//Q+eJMDB8yf5vNc8V7ilNffYAWjhAH17XqhRnS67I1WeH5vfypdN9XGNa tipNdP33uFt9NuUl2+bP7KBV3G/Ie/SaFibERmBVg+WRV7y0mwBKt5F8WA9JFelH lHBSBK0v0e9qK9eM96sOZx3QpTU1wxdDGPzgqiUeb6aosIx0J3cvjvwt/+co1y4n 7EFwG+Ujro5UBC8XzrDIxoCJas2FKFzcPVyKvRQvrY9Iz8RJ3FdomAkzSXwQLGGP CRIX4GVN77t2NFhgvZk0C6/YL6JvBjdKcXb9KoOQSUWvh+dIlvIaV4xk2CBNIi/y Fy+o3tG/0YIIjTsDkEdrBykRsaJnZUA4r4ws7gstbXPhBrISXliI75yIro47Smh+ TOW94uY3cVl4b6LdOeIlmNIJ3T1ck8QJ28ZAoWW/zFBJIlTqVqiOCOU1veTZkLI3 ScwQBDvUlrP2AppH51D/VHzsEcVCekRQsXKWaV9mlHr+Q37QJUXwsGjHNHgGG1GW cGhOm5Mjwq7bMsBIJxjeu3LVUig3++D+MGwkCdr0lOdIqbe7qhuZzkJj69S1baVm YxHUbVqtBBEKORYH7ItMQoQ9NRzTdpwm48nhH7VHnibD8jFZ9o0VEWYupf1DEHkM 8n/nnbaE1KhptV5Q37z3jkhOFR+99XrMV9BJUkzqxKPFXy2m1qo= =Sruu - -----END PGP SIGNATURE----- - --------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-4339-2 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso November 21, 2018 https://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : ceph Debian Bug : 913909 The update for ceph issued as DSA-4339-1 caused a build regression for the i386 builds. Updated packages are now available to address this issue. For reference, the original advisory text follows. Multiple vulnerabilities were discovered in Ceph, a distributed storage and file system: The cephx authentication protocol was susceptible to replay attacks and calculated signatures incorrectly, "ceph mon" did not validate capabilities for pool operations (resulting in potential corruption or deletion of snapshot images) and a format string vulnerability in libradosstriper could result in denial of service. For the stable distribution (stretch), this problem has been fixed in version 10.2.11-2. We recommend that you upgrade your ceph packages. For the detailed security status of ceph please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ceph Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlv10tNfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0TnSg/9EWpuEYFq8CqFXFKz0GQ7pvOvJXZzg8VRRdGtSqil/yOGLkia7X0C4aox C8zF62JXyALlRjyR7ti2U9RD7E5D+r2jSWjaxHzbHTDYPMQI0U7bww1T2cdj9yze zYl1pebLvWwhnhRF9c1mG1g2CcxHtjU8zxGRKjsjupjF0v/bFL+IN1OcyjEeCVG5 yDwjU8h9ux3FbLxxSGHLl8Yzk/Q0WAOo2KcxIva/0mTZ5zDxwJlltbkw0pC8gcKd RQFU+J88oOUbNF4n2HxK3OATJhiOmrQ8xBy4E50AE7GuRDoJYcDfSmEkBVBwxOTN QmTNxyd/vooUkF6eXhJHJ45cm8QWALoYH4MzPVrBTYLx985WVQ2Q4pa1vv7hPfz6 kllnsJO9ZjyT4POvGihfR3W0y2Cb8tTe/x0WHci/0uTEBvnhAIrUpjfTO30ajGXe QitdTxZA955O/JtpdwyqRGywZXJyrtjJTqaZeQA1G2bKC9e6h19kwi2WX8qYXTdQ N3gK//BeWkaE6EylB6c6aionmN5AuVEd5jmZ+GO1BfOq3/oRSKfQcDJly6JG7UaM 0jpT85eIYiNQc6JvZ+78NwxrqVgAnKq8F7ejsT4FQyQkZxcjljyyix+y6iAPhAut bunmOl3Q/U8JE8FzDuJA/rKXhXdSGCUMytTwuXo1pLY+m5JBz/c= =UHIj - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBW/YeAmaOgq3Tt24GAQjOGg/+M5bHY/RldAuqzVVuhas7Lr2SEd6ppfVU XSQve2iBbwWYz9ZiPP/onheCOdZIe5AfTYfVMWNfJfd/2cMAoNBRcEHA1qGnhL8q 5Bs1ye4ezXes4nM2TBmv7GK15KNFdoEeFbXnAei3iWPMf2iCxKezdigBzLhTDyp4 Tam1b6fOo0m0woz6zXTq1ED3y5qFdpzqwkKtqaSUflIW1ZgIzAzKgnr0v/b0st7v HnFKNk4SEokmMOTdcwfp9FnhiDRBqyrBhNoZ4RZ3M0OhESk/F2EsYtM2yz31a39w vbtGP/VYz1FhFQHwXzfM6dct2YWlS5ms8t+NDOaenIzh1iZ453j/wTc8RqrpHAGz jScZZLLKxS2dnzTFdrXsj9SalJ++4uIn0gvxxtb4/AjnvH1Lcb6K/NqDIR4FvwGo 8Ln0lPpuqzLDCtuC7uE7iD/BpFbmgGVjQKgwZM1/Vepnqy9gb4wdwTBU3Y4j8imr aO1foSXZsOs0gQdEGMd49vvao3WWGwMzTkPIpZJNZLib93bRLM47BjzmwiKsxpEl 5+dhncJCKczTR/yUriQkf8oZ9l7p71Smc9Nh0xwt+04dGl+UcAFSSi2tpUGp7u33 2bhYsdAgTNqPXU4utkjEB0ThMJdS31RKQdFHxwH82GAX0DGAIHNGhk9G4XYgUJlW UOTbp7rw8iA= =05pc -----END PGP SIGNATURE-----