A security issue fixed upstream in Ceph was announced on April 14:
https://www.openwall.com/lists/oss-security/2021/04/14/2
Mageia 8 is also affected.
Status comment: (none) => Patches available from upstream
Whiteboard: (none) => MGA8TOO
Thanks, I'll have a look and fix.
Bug fix release 15.2.11 landing in updates_testing, with the included security fixes as well as other bug fixes.

NB: Cauldron will follow, but I'd like to move to 16.0.* version on it.

Suggested advisory:
========================

Updated ceph packages fix security vulnerabilities CVE-2021-20288.

An authentication flaw was found in ceph. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associated with another user, as ceph does not force the reuse of old keys to generate new ones. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

References:
https://www.openwall.com/lists/oss-security/2021/04/14/2
========================

Updated packages in core/updates_testing:
========================
ceph-mgr-15.2.11-1.mga8
ceph-15.2.11-1.mga8
ceph-radosgw-15.2.11-1.mga8
ceph-osd-15.2.11-1.mga8
lib64ceph2-15.2.11-1.mga8
lib64rados2-15.2.11-1.mga8
lib64radosgw2-15.2.11-1.mga8
lib64rgw2-15.2.11-1.mga8
ceph-rbd-15.2.11-1.mga8
lib64rbd1-15.2.11-1.mga8
ceph-mon-15.2.11-1.mga8
ceph-mds-15.2.11-1.mga8
lib64radosstriper1-15.2.11-1.mga8
python3-ceph-15.2.11-1.mga8
ceph-fuse-15.2.11-1.mga8
lib64rados-devel-15.2.11-1.mga8
ceph-immutable-object-cache-15.2.11-1.mga8
python3-rbd-15.2.11-1.mga8
python3-rgw-15.2.11-1.mga8
python3-rados-15.2.11-1.mga8
lib64ceph-devel-15.2.11-1.mga8
lib64rgw-devel-15.2.11-1.mga8
lib64radosstriper-devel-15.2.11-1.mga8
lib64rbd-devel-15.2.11-1.mga8
lib64radosgw-devel-15.2.11-1.mga8

from ceph-15.2.11-1.mga8.src.rpm
CVE: (none) => CVE-2021-20288
CC: (none) => eatdirt
Assignee: eatdirt => qa-bugs
Status comment: Patches available from upstream => (none)
CC: (none) => ouaurelien
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
QA last saw this in Bug 28538. While Len Lawrence gave it a valiant try, it was eventually concluded that testing this was beyond the scope of qa, so we passed it on the basis of a clean install.

Doing the same thing here. Installed the above packages and dependencies in a VirtualBox MGA8-64 Plasma guest, 148 packages in all. No installation issues. Used the package list from Comment 2 in qarepo, again with no installation issues.

Giving this a 64-bit OK, and validating. Advisory in Comment 2.
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0207.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED