Security issues fixed upstream in Ceph have been announced today (May 14):
Mageia 8 is also affected.
Patches available from upstream
Thanks. We're not affected as we don't compile dashboard, but I'll push a new version release as soon as the fix has been merged.
Here we go, bug fix release 15.2.12 landing in updates_testing, with the included security fixes.
Updated ceph packages fix security vulnerability on rgw CVE-2021-3524 (as well as CVE-2021-3509 and CVE-2021-3531 from which Mageia was not affected).
Updated packages in core/updates_testing:
CVE-2021-3509 CVE-2021-3531 CVE-2021-3524
Take this to Mageia 8 bug.
Patches available from upstream =>
Installed ceph 15.2.11-1 packages and the numerous dependencies that came with them in a Virtualbox 64-bit MGA8 Plasma guest. Used the above list in qarepo, with no installation issues.
As with Bug 28804 and 28538, testing is deemed beyond QA abilities, so I'm giving this an OK based on a clean install, and validating. Advisory in Comment 2.
subject: Updated ceph packages fix a security vulnerability
Updated ceph packages fix security vulnerability on rgw CVE-2021-3524 (as well
as CVE-2021-3509 and CVE-2021-3531 from which Mageia was not affected).
We are not affected by CVE-2021-3509 and CVE-2021-3531
CVE: CVE-2021-3509 CVE-2021-3531 CVE-2021-3524 =>
ceph new security issues CVE-2021-3509 and CVE-2021-3531 => ceph new security issues CVE-2021-3524
We are not affected by CVE-2021-3509 and CVE-2021-3531 =>
ceph new security issues CVE-2021-3524 => ceph new security issues CVE-2021-3509, CVE-2021-3524, and CVE-2021-3531
So the advisory must be modified per David's last comment.
Well, not really per that, but it would be better to give some detail for the security issue we *are* fixing, like we usually do. The ones we *aren't* fixing don't need to be mentioned or included in the references.
As for the bug changes, status comment is only for unfixed security bugs. It should be cleared once something is assigned to QA. I kept everything listed in the bug title to make it easier for me to see that these CVEs have already been addressed, when I encounter them again in the future.
Thanks for your advice.
An update for this issue has been pushed to the Mageia Updates repository.