Bug 30677 - ceph new security issues CVE-2022-0670, CVE-2022-3650, and CVE-2022-3854
Summary: ceph new security issues CVE-2022-0670, CVE-2022-3650, and CVE-2022-3854
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-07-27 18:42 CEST by David Walser
Modified: 2023-04-15 21:05 CEST (History)
7 users

See Also:
Source RPM: ceph-15.2.16-1.mga8.src.rpm, ceph-16.2.9-1.mga9.src.rpm
CVE:
Status comment:

Description David Walser 2022-07-27 18:42:17 CEST
Fedora has issued an advisory today (July 27):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5O3XMDFZWA2FWU6GAYOVSFJPOUTXN42N/

The issue is fixed upstream in 16.2.10 and 17.2.2.

Mageia 8 may also be affected.
Comment 1 David Walser 2022-07-27 18:42:49 CEST
See also Bug 30664, which this may be affected by if it bundles "moment".

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=30664

Comment 2 Marja Van Waes 2022-07-27 22:44:22 CEST
Assigning to our registered ceph maintainer.

CC: (none) => marja11
Assignee: bugsquad => eatdirt

Comment 3 David Walser 2022-10-25 14:36:28 CEST
A security issue in ceph has been announced today (October 25):
https://www.openwall.com/lists/oss-security/2022/10/25/1

No fix is available yet.

Summary: ceph new security issue CVE-2022-0670 => ceph new security issues CVE-2022-0670 and CVE-2022-3650
Whiteboard: (none) => MGA8TOO

Comment 4 Chris Denice 2022-10-26 14:27:46 CEST
Thanks for the heads-up, I'll monitor and fix that asap.
Comment 5 David Walser 2023-03-28 16:47:11 CEST
(In reply to David Walser from comment #3)
> A security issue in ceph has been announced today (October 25):
> https://www.openwall.com/lists/oss-security/2022/10/25/1
> 
> No fix is available yet.

It must be fixed now.

SUSE has issued an advisory for that issue and one new one on March 27:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014167.html

It sounds like they're fixed in 16.2.11.

Summary: ceph new security issues CVE-2022-0670 and CVE-2022-3650 => ceph new security issues CVE-2022-0670, CVE-2022-3650, and CVE-2022-3854

Comment 6 Chris Denice 2023-03-28 17:01:44 CEST
OK, for mga8 we provide the ceph branch 15.2.* (octopus series), so I am not really keen to jump to a 16.* version; that's a breaking change.
But I do see that we are at 15.2.16 and the latest is 15.2.17, which has some security fixes. So it would make sense anyway to provide 15.2.17, but I need to check more carefully whether the above-mentioned CVEs affect 15.2.17.


For cauldron, we're already at the latest version 17.*, and the above fixes are backported from the 17.* branch to 16.*, so we're good!
Comment 7 Chris Denice 2023-04-07 17:23:53 CEST
https://docs.ceph.com/en/latest/security/CVE-2022-0670/
--> Fixed in 15.2.17

The others do not seem to be backported in 15.2.17 yet. I'll push this new version to mga8 in the meanwhile.
Comment 8 Chris Denice 2023-04-07 17:36:14 CEST
CVE-2022-3650 is easy to fix, I'll backport the fix to the 15.2.17 version.
Comment 9 Chris Denice 2023-04-07 17:40:30 CEST
Finally, https://tracker.ceph.com/issues/55765 does not concern our version.
Comment 10 Chris Denice 2023-04-07 17:45:24 CEST
ceph-15.2.17 landing on updates_testing for mga8, fixing CVE-2022-0670 and CVE-2022-3650.


Advisory:
========================

Updated ceph packages fix security vulnerabilities CVE-2022-0670 and CVE-2022-3650.


References:
https://docs.ceph.com/en/latest/security/CVE-2022-0670/
https://github.com/ceph/ceph/pull/48713/commits


========================

Updated packages in core/updates_testing:
========================
ceph-mgr-15.2.17-1.mga8
ceph-15.2.17-1.mga8
ceph-radosgw-15.2.17-1.mga8
ceph-osd-15.2.17-1.mga8
lib64ceph2-15.2.17-1.mga8
lib64rados2-15.2.17-1.mga8
lib64radosgw2-15.2.17-1.mga8
lib64rgw2-15.2.17-1.mga8
ceph-rbd-15.2.17-1.mga8
lib64rbd1-15.2.17-1.mga8
ceph-mon-15.2.17-1.mga8
ceph-mds-15.2.17-1.mga8
lib64radosstriper1-15.2.17-1.mga8
python3-ceph-15.2.17-1.mga8
ceph-fuse-15.2.17-1.mga8
lib64rados-devel-15.2.17-1.mga8
ceph-immutable-object-cache-15.2.17-1.mga8
python3-rbd-15.2.17-1.mga8
python3-rgw-15.2.17-1.mga8
python3-rados-15.2.17-1.mga8
lib64ceph-devel-15.2.17-1.mga8
lib64rgw-devel-15.2.17-1.mga8
lib64radosstriper-devel-15.2.17-1.mga8
lib64rbd-devel-15.2.17-1.mga8
lib64radosgw-devel-15.2.17-1.mga8

from ceph-15.2.17-1.mga8.src.rpm

CC: (none) => eatdirt
Assignee: eatdirt => qa-bugs

Chris Denice 2023-04-07 17:46:22 CEST

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

PC LX 2023-04-07 21:40:20 CEST

CC: (none) => mageia

Comment 11 Herman Viaene 2023-04-13 17:07:25 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 29871 as lead.
Tried the same CLI commands with the same results, not very satisfying, but at least no crashes. So good enough.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 12 Chris Denice 2023-04-13 17:16:28 CEST
Thank you for the tests, they are enough for this package.

NB: It is an art to configure a ceph cluster, and you need several machines, but a skeleton is actually provided in the README.mageia file:

cat /usr/share/doc/ceph/README.mageia
Comment 13 Thomas Andrews 2023-04-14 13:54:01 CEST
Validating. Advisory in comment 10.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-04-15 18:07:16 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 14 Mageia Robot 2023-04-15 21:05:18 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0139.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
