Fedora has issued an advisory today (July 27): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5O3XMDFZWA2FWU6GAYOVSFJPOUTXN42N/ The issue is fixed upstream in 16.2.10 and 17.2.2. Mageia 8 may also be affected.
See also Bug 30664 which this may be affected by if it bundles "moment"
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=30664
Assigning to our registered ceph maintainer.
CC: (none) => marja11
Assignee: bugsquad => eatdirt
A security issue in ceph has been announced today (October 25): https://www.openwall.com/lists/oss-security/2022/10/25/1 No fix is available yet.
Summary: ceph new security issue CVE-2022-0670 => ceph new security issues CVE-2022-0670 and CVE-2022-3650
Whiteboard: (none) => MGA8TOO
Thanks for the heads-up, I'll monitor and fix that ASAP.
(In reply to David Walser from comment #3)
> A security issue in ceph has been announced today (October 25):
> https://www.openwall.com/lists/oss-security/2022/10/25/1
>
> No fix is available yet.

It must be fixed now. SUSE has issued an advisory for that issue and one new one on March 27: https://lists.suse.com/pipermail/sle-security-updates/2023-March/014167.html
It sounds like they're fixed in 16.2.11.
Summary: ceph new security issues CVE-2022-0670 and CVE-2022-3650 => ceph new security issues CVE-2022-0670, CVE-2022-3650, and CVE-2022-3854
OK, for mga8 we provide the ceph branch 15.2.* (octopus series), so I am not really keen to jump to a 16.* version; that's a breaking change. But I do see that we are at 15.2.16 and the latest is 15.2.17, which has some security fixes. So it would make sense anyway to provide 15.2.17, but I need to check more carefully whether the above-mentioned CVEs affect 15.2.17. For cauldron, we're already at the latest version 17.* and the above fixes are backported from the 17.* branch to 16, so we're good!
https://docs.ceph.com/en/latest/security/CVE-2022-0670/ --> Fixed in 15.2.17
The others do not seem to be backported to 15.2.17 yet. I'll push this new version to mga8 in the meantime.
CVE-2022-3650 is easy to fix, I'll backport the fix to the 15.2.17 version.
Finally, https://tracker.ceph.com/issues/55765 does not concern our version.
ceph-15.2.17 landing on updates_testing for mga8, fixing CVE-2022-0670 and CVE-2022-3650

Advisory:
========================

Updated ceph packages fix security vulnerabilities CVE-2022-0670 and CVE-2022-3650.

References:
https://docs.ceph.com/en/latest/security/CVE-2022-0670/
https://github.com/ceph/ceph/pull/48713/commits
========================

Updated packages in core/updates_testing:
========================
ceph-mgr-15.2.17-1.mga8
ceph-15.2.17-1.mga8
ceph-radosgw-15.2.17-1.mga8
ceph-osd-15.2.17-1.mga8
lib64ceph2-15.2.17-1.mga8
lib64rados2-15.2.17-1.mga8
lib64radosgw2-15.2.17-1.mga8
lib64rgw2-15.2.17-1.mga8
ceph-rbd-15.2.17-1.mga8
lib64rbd1-15.2.17-1.mga8
ceph-mon-15.2.17-1.mga8
ceph-mds-15.2.17-1.mga8
lib64radosstriper1-15.2.17-1.mga8
python3-ceph-15.2.17-1.mga8
ceph-fuse-15.2.17-1.mga8
lib64rados-devel-15.2.17-1.mga8
ceph-immutable-object-cache-15.2.17-1.mga8
python3-rbd-15.2.17-1.mga8
python3-rgw-15.2.17-1.mga8
python3-rados-15.2.17-1.mga8
lib64ceph-devel-15.2.17-1.mga8
lib64rgw-devel-15.2.17-1.mga8
lib64radosstriper-devel-15.2.17-1.mga8
lib64rbd-devel-15.2.17-1.mga8
lib64radosgw-devel-15.2.17-1.mga8

from ceph-15.2.17-1.mga8.src.rpm
CC: (none) => eatdirt
Assignee: eatdirt => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => mageia
MGA8-64 MATE on Acer Aspire 5253 No installation issues. Ref bug 29871 as lead. Tried the same CLI commands with the same results, not very satisfying, but at least no crashes. So good enough.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
Thank you for the tests, they are enough for this package. NB: It is an art to configure a ceph cluster, and you need several machines, but a skeleton is actually provided within the README.mageia file.
cat /usr/share/doc/ceph/README.mageia
Validating. Advisory in comment 10.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0139.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED