Security issues fixed upstream in Ceph have been announced today (May 14):
https://www.openwall.com/lists/oss-security/2021/05/14/4
https://www.openwall.com/lists/oss-security/2021/05/14/5

Mageia 8 is also affected.
Status comment: (none) => Patches available from upstream
Whiteboard: (none) => MGA8TOO
Thanks. We're not affected as we don't compile dashboard, but I'll push a new version release as soon as the fix has been merged. Cheers, Chris.
Here we go, bug fix release 15.2.12 landing in updates_testing, with the included security fixes.

Suggested advisory:
========================

Updated ceph packages fix security vulnerability on rgw CVE-2021-3524 (as well as CVE-2021-3509 and CVE-2021-3531 from which Mageia was not affected).

References:
https://docs.ceph.com/en/latest/security/CVE-2021-3524/
========================

Updated packages in core/updates_testing:
========================
ceph-mgr-15.2.12-1.mga8
ceph-15.2.12-1.mga8
ceph-radosgw-15.2.12-1.mga8
ceph-osd-15.2.12-1.mga8
lib64ceph2-15.2.12-1.mga8
lib64rados2-15.2.12-1.mga8
lib64radosgw2-15.2.12-1.mga8
lib64rgw2-15.2.12-1.mga8
ceph-rbd-15.2.12-1.mga8
lib64rbd1-15.2.12-1.mga8
ceph-mon-15.2.12-1.mga8
ceph-mds-15.2.12-1.mga8
lib64radosstriper1-15.2.12-1.mga8
python3-ceph-15.2.12-1.mga8
ceph-fuse-15.2.12-1.mga8
lib64rados-devel-15.2.12-1.mga8
ceph-immutable-object-cache-15.2.12-1.mga8
python3-rbd-15.2.12-1.mga8
python3-rgw-15.2.12-1.mga8
python3-rados-15.2.12-1.mga8
lib64ceph-devel-15.2.12-1.mga8
lib64rgw-devel-15.2.12-1.mga8
lib64radosstriper-devel-15.2.12-1.mga8
lib64rbd-devel-15.2.12-1.mga8
lib64radosgw-devel-15.2.12-1.mga8

from ceph-15.2.12-1.mga8.src.rpm
Assignee: eatdirt => qa-bugs
CVE: (none) => CVE-2021-3509 CVE-2021-3531 CVE-2021-3524
CC: (none) => eatdirt
Take this to Mageia 8 bug.
Source RPM: ceph-16.2.1-1.mga9.src.rpm => ceph-15.2.11-1.mga8.src.rpm
Version: Cauldron => 8
CC: (none) => ouaurelien
Whiteboard: MGA8TOO => (none)
Status comment: Patches available from upstream => (none)
Installed ceph 15.2.11-1 packages and the numerous dependencies that came with them in a Virtualbox 64-bit MGA8 Plasma guest. Used the above list in qarepo, with no installation issues. As with Bug 28804 and 28538, testing is deemed beyond QA abilities, so I'm giving this an OK based on a clean install, and validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
type: security
subject: Updated ceph packages fix a security vulnerability
CVE:
 - CVE-2021-3524
src:
  8:
   core:
     - ceph-15.2.12-1.mga8
description: |
  Updated ceph packages fix security vulnerability on rgw CVE-2021-3524 (as well
  as CVE-2021-3509 and CVE-2021-3531 from which Mageia was not affected).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=28928
 - https://docs.ceph.com/en/latest/security/CVE-2021-3524/
 - https://www.openwall.com/lists/oss-security/2021/05/14/4
 - https://www.openwall.com/lists/oss-security/2021/05/14/5
Keywords: (none) => advisory
Status comment: (none) => We are not affected by CVE-2021-3509 and CVE-2021-3531
CVE: CVE-2021-3509 CVE-2021-3531 CVE-2021-3524 => CVE-2021-3524
Summary: ceph new security issues CVE-2021-3509 and CVE-2021-3531 => ceph new security issues CVE-2021-3524
Status comment: We are not affected by CVE-2021-3509 and CVE-2021-3531 => (none)
Summary: ceph new security issues CVE-2021-3524 => ceph new security issues CVE-2021-3509, CVE-2021-3524, and CVE-2021-3531
So adv must be modified per David's last comment.
Keywords: advisory => (none)
Well, not really per that, but it would be better to give some detail for the security issue we *are* fixing, like we usually do. The ones we *aren't* fixing don't need to be mentioned or included in the references. As for the bug changes, status comment is only for unfixed security bugs. It should be cleared once something is assigned to QA. I kept everything listed in the bug title to make it easier for me to see that these CVEs have already been addressed, when I encounter them again in the future.
Thanks for your advice.
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0223.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED