Bug 33896 - ceph new security issue CVE-2024-48916
Summary: ceph new security issue CVE-2024-48916
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2025-01-07 16:42 CET by Nicolas Salguero
Modified: 2025-01-14 01:10 CET

See Also:
Source RPM: ceph-18.1.1-1.mga9.src.rpm
CVE: CVE-2024-48916
Status comment:



Description Nicolas Salguero 2025-01-07 16:42:38 CET
Ubuntu has issued an advisory on January 6:
https://ubuntu.com/security/notices/USN-7182-1
Nicolas Salguero 2025-01-07 16:44:26 CET

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => ceph-19.2.0-2.mga10.src.rpm, ceph-18.1.1-1.mga9.src.rpm
Status comment: (none) => Patch available from Ubuntu
CVE: (none) => CVE-2024-48916

Comment 1 Morgan Leijström 2025-01-09 18:52:10 CET
Several people have packaged this.

BTW, I see in our package description:

"Ceph is a distributed file system that provides a traditional interface with POSIX semantics. As one can easily check on the website, it also severely lacks an introductory documentation thereby reducing the relevant information contained in this description to an unique sentence, the first. The Ceph user base grows and the development pace quickens, such that an increasing number of people are unfortunately only updating the technical documentation. Therefore, even small contributions like fixing spelling errors or clarifying instructions will immensely help the Ceph project."

But looking at https://ceph.io/en/ there seems to now be lots of good information and setup guides, so that text should be revised.

CC: (none) => fri
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2025-01-10 16:39:21 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Authentication bypass in CEPH RadosGW. (CVE-2024-48916)

References:
https://ubuntu.com/security/notices/USN-7182-1
========================

Updated packages in core/updates_testing:
========================
ceph-18.1.1-1.1.mga9
ceph-fuse-18.1.1-1.1.mga9
ceph-immutable-object-cache-18.1.1-1.1.mga9
ceph-mds-18.1.1-1.1.mga9
ceph-mgr-18.1.1-1.1.mga9
ceph-mirror-18.1.1-1.1.mga9
ceph-mon-18.1.1-1.1.mga9
ceph-osd-18.1.1-1.1.mga9
ceph-radosgw-18.1.1-1.1.mga9
ceph-rbd-18.1.1-1.1.mga9
lib(64)ceph2-18.1.1-1.1.mga9
lib(64)ceph-devel-18.1.1-1.1.mga9
lib(64)rados2-18.1.1-1.1.mga9
lib(64)rados-devel-18.1.1-1.1.mga9
lib(64)radosstriper1-18.1.1-1.1.mga9
lib(64)radosstriper-devel-18.1.1-1.1.mga9
lib(64)rbd1-18.1.1-1.1.mga9
lib(64)rbd-devel-18.1.1-1.1.mga9
lib(64)rgw2-18.1.1-1.1.mga9
lib(64)rgw-devel-18.1.1-1.1.mga9
python3-ceph-18.1.1-1.1.mga9
python3-rados-18.1.1-1.1.mga9
python3-rbd-18.1.1-1.1.mga9
python3-rgw-18.1.1-1.1.mga9

from SRPM:
ceph-18.1.1-1.1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Assignee: pkg-bugs => qa-bugs
Status comment: Patch available from Ubuntu => (none)
Status: NEW => ASSIGNED
Source RPM: ceph-19.2.0-2.mga10.src.rpm, ceph-18.1.1-1.mga9.src.rpm => ceph-18.1.1-1.mga9.src.rpm
Version: Cauldron => 9

Comment 3 Herman Viaene 2025-01-13 15:08:23 CET
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 29871 Comment 3
Repeated same commands with same results, and as no crashes occurred and clean install, good to go.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 4 Morgan Leijström 2025-01-13 16:36:25 CET
Thank you Herman

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2025-01-14 01:10:45 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0011.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

