On 7/26/22 13:16, Moritz Mühlenhoff wrote:
Source: ceph
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for ceph.
CVE-2022-0670[0]:
| A flaw was found in Openstack manilla owning a Ceph File system
| "share", which enables the owner to read/write any manilla share or
| entire file system. The vulnerability is due to a bug in the "volumes"
| plugin in Ceph Manager. This allows an attacker to compromise
| Confidentiality and Integrity of a file system. Fixed in RHCS 5.2 and
| Ceph 17.2.2.
https://ceph.io/en/news/blog/2022/v17-2-2-quincy-released/
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-0670
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0670
Please adjust the affected versions in the BTS as needed.
Hi Moritz,
If I'm not mistaken, this security hole is only in the 16.2.x series of
Ceph, right? I'll upgrade to 16.2.10 immediately. Please let me know
about Ceph in Bullseye.
Cheers,
Thomas Goirand (zigo)