Bug 34741 - ceph-radosgw new security issue CVE-2024-47866
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-11-12 09:46 CET by Nicolas Salguero
Modified: 2025-12-29 22:14 CET

See Also:
Source RPM: ceph-18.2.7-2.mga9.src.rpm
CVE: CVE-2024-47866
Status comment:


Nicolas Salguero 2025-11-12 09:47:06 CET

Source RPM: (none) => ceph-18.2.7-2.mga9.src.rpm
Status comment: (none) => Patch available from upstream
CVE: (none) => CVE-2024-47866

Comment 1 Lewis Smith 2025-11-12 19:31:45 CET
Thank you for the patch URL.
Note this is for M9, not Cauldron.
ChrisD currently updates this SRPM, so assigning thus.

Assignee: bugsquad => eatdirt

Comment 2 Nicolas Salguero 2025-12-01 15:25:49 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

RGW DoS attack with empty HTTP header in S3 object copy. (CVE-2024-47866)

References:
https://www.openwall.com/lists/oss-security/2025/11/11/3
https://github.com/ceph/ceph/security/advisories/GHSA-mgrm-g92q-f8h8
========================

Updated packages in core/updates_testing:
========================
ceph-18.2.7-2.1.mga9
ceph-fuse-18.2.7-2.1.mga9
ceph-immutable-object-cache-18.2.7-2.1.mga9
ceph-mds-18.2.7-2.1.mga9
ceph-mgr-18.2.7-2.1.mga9
ceph-mirror-18.2.7-2.1.mga9
ceph-mon-18.2.7-2.1.mga9
ceph-osd-18.2.7-2.1.mga9
ceph-radosgw-18.2.7-2.1.mga9
ceph-rbd-18.2.7-2.1.mga9
lib(64)ceph-devel-18.2.7-2.1.mga9
lib(64)ceph2-18.2.7-2.1.mga9
lib(64)rados-devel-18.2.7-2.1.mga9
lib(64)rados2-18.2.7-2.1.mga9
lib(64)radosstriper-devel-18.2.7-2.1.mga9
lib(64)radosstriper1-18.2.7-2.1.mga9
lib(64)rbd-devel-18.2.7-2.1.mga9
lib(64)rbd1-18.2.7-2.1.mga9
lib(64)rgw-devel-18.2.7-2.1.mga9
lib(64)rgw2-18.2.7-2.1.mga9
python3-ceph-18.2.7-2.1.mga9
python3-rados-18.2.7-2.1.mga9
python3-rbd-18.2.7-2.1.mga9
python3-rgw-18.2.7-2.1.mga9

from SRPM:
ceph-18.2.7-2.1.mga9.src.rpm

Status comment: Patch available from upstream => (none)
Status: NEW => ASSIGNED
Assignee: eatdirt => qa-bugs

katnatek 2025-12-01 20:18:20 CET

Keywords: (none) => advisory

Comment 3 Herman Viaene 2025-12-04 14:16:43 CET
MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
Ref bug 34400.
I repeated all commands from this previous bug, with the same unsatisfactory results. All due to not having a decent config example.
In the end I believe the OK was given on clean install. If that is enough, please let it go.
Next time I will keep my hands off that package.

CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2025-12-29 01:40:16 CET
Looks like we've had a couple of these go on a clean install. Sometimes it's the best we can do.

Validating.

Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2025-12-29 22:14:54 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0333.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

