Bug 28928

Summary: ceph new security issues CVE-2021-3509, CVE-2021-3524, and CVE-2021-3531
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, eatdirt, ouaurelien, sysadmin-bugs
Version: 8Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: ceph-15.2.11-1.mga8.src.rpm CVE: CVE-2021-3524
Status comment:

Description David Walser 2021-05-15 00:35:15 CEST 
Security issues fixed upstream in Ceph have been announced today (May 14):
https://www.openwall.com/lists/oss-security/2021/05/14/4
https://www.openwall.com/lists/oss-security/2021/05/14/5

Mageia 8 is also affected.
David Walser 2021-05-15 00:35:26 CEST

Status comment: (none) => Patches available from upstream
Whiteboard: (none) => MGA8TOO

Comment 1 Chris Denice 2021-05-15 21:49:00 CEST 
Thanks. We're not affected as we don't compile dashboard, but I'll push a new version release as soon as the fix has been merged.

Cheers,
Chris.
Comment 2 Chris Denice 2021-05-22 21:16:57 CEST 
Here we go, bug fix release 15.2.12 landing in updates_testing, with the included security fixes.


Suggested advisory:
========================

Updated ceph packages fix security vulnerability on rgw CVE-2021-3524 (as well as CVE-2021-3509 and CVE-2021-3531 from which mageia was not affected).


References:
https://docs.ceph.com/en/latest/security/CVE-2021-3524/
========================

Updated packages in core/updates_testing:
========================
ceph-mgr-15.2.12-1.mga8
ceph-15.2.12-1.mga8
ceph-radosgw-15.2.12-1.mga8
ceph-osd-15.2.12-1.mga8
lib64ceph2-15.2.12-1.mga8
lib64rados2-15.2.12-1.mga8
lib64radosgw2-15.2.12-1.mga8
lib64rgw2-15.2.12-1.mga8
ceph-rbd-15.2.12-1.mga8
lib64rbd1-15.2.12-1.mga8
ceph-mon-15.2.12-1.mga8
ceph-mds-15.2.12-1.mga8
lib64radosstriper1-15.2.12-1.mga8
python3-ceph-15.2.12-1.mga8
ceph-fuse-15.2.12-1.mga8
lib64rados-devel-15.2.12-1.mga8
ceph-immutable-object-cache-15.2.12-1.mga8
python3-rbd-15.2.12-1.mga8
python3-rgw-15.2.12-1.mga8
python3-rados-15.2.12-1.mga8
lib64ceph-devel-15.2.12-1.mga8
lib64rgw-devel-15.2.12-1.mga8
lib64radosstriper-devel-15.2.12-1.mga8
lib64rbd-devel-15.2.12-1.mga8
lib64radosgw-devel-15.2.12-1.mga8

from ceph-15.2.12-1.mga8.src.rpm

Assignee: eatdirt => qa-bugs
CVE: (none) => CVE-2021-3509 CVE-2021-3531 CVE-2021-3524
CC: (none) => eatdirt

Comment 3 Aurelien Oudelet 2021-05-23 16:25:10 CEST 
Take this to Mageia 8 bug.

Source RPM: ceph-16.2.1-1.mga9.src.rpm => ceph-15.2.11-1.mga8.src.rpm
Version: Cauldron => 8
CC: (none) => ouaurelien
Whiteboard: MGA8TOO => (none)
Status comment: Patches available from upstream => (none)

Comment 4 Thomas Andrews 2021-05-26 02:10:48 CEST 
Installed ceph 15.2.11-1 packages and the numerous dependncies that came with them in a Virtualbox 64-bit MGA8 Plasma guest. Used the above list in qarepo, with no installation issues.

As with Bug 28804 and 28538, testing is deemed beyond QA abilities, so I'm giving this an OK based on a clean install, and validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK

Comment 5 Aurelien Oudelet 2021-05-26 18:25:07 CEST 
type: security
subject: Updated ceph packages fix a security vulnerability
CVE:
 - CVE-2021-3524
src:
  8:
   core:
     - ceph-15.2.12-1.mga8
description: |
  Updated ceph packages fix security vulnerability on rgw CVE-2021-3524 (as well
  as CVE-2021-3509 and CVE-2021-3531 from which Mageia was not affected).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=28928
 - https://docs.ceph.com/en/latest/security/CVE-2021-3524/
 - https://www.openwall.com/lists/oss-security/2021/05/14/4
 - https://www.openwall.com/lists/oss-security/2021/05/14/5

Keywords: (none) => advisory

Aurelien Oudelet 2021-05-26 18:25:56 CEST

Status comment: (none) => We are not affected by CVE-2021-3509 and CVE-2021-3531
CVE: CVE-2021-3509 CVE-2021-3531 CVE-2021-3524 => CVE-2021-3524
Summary: ceph new security issues CVE-2021-3509 and CVE-2021-3531 => ceph new security issues CVE-2021-3524

David Walser 2021-05-26 18:45:19 CEST

Status comment: We are not affected by CVE-2021-3509 and CVE-2021-3531 => (none)
Summary: ceph new security issues CVE-2021-3524 => ceph new security issues CVE-2021-3509, CVE-2021-3524, and CVE-2021-3531

Comment 6 Aurelien Oudelet 2021-05-26 18:57:42 CEST 
So adv must be modified per last David comment.

Keywords: advisory => (none)

Comment 7 David Walser 2021-05-26 19:03:10 CEST 
Well, not really per that, but it would be better to give some detail for the security issue we *are* fixing, like we usually do.  The ones we *aren't* fixing don't need to be mentioned or included in the references.

As for the bug changes, status comment is only for unfixed security bugs.  It should be cleared once something is assigned to QA.  I kept everything listed in the bug title to make it easier for me to see that these CVEs have already been addressed, when I encounter them again in the future.
Comment 8 Aurelien Oudelet 2021-05-26 19:05:09 CEST 
Thanks for your advice.
Comment 9 Mageia Robot 2021-05-27 15:44:44 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0223.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED