Control: clone 784373 -1
Control: retitle -1 jessie-pu: package ceph/0.80.7-2+deb8u1
Control: retitle 784373 jessie-pu: package ceph/0.80.11-1 (pre approval)
Hi

Gaudenz Steinlin <gaud...@debian.org> writes:

> Hi Julien
>
> Do you need any additional information? I would like to have a decision
> on this soon as I really want to get at least CVE-2015-5245 fixed in the
> next Debian stable release. This is a minor security issue which was
> deferred by the Security Team to a stable update and there was no DSA
> issued for it.
>
> To be able to prepare the upload for the stable release I need to know
> if you agree to follow the upstream maintenance releases or if I have to
> do an upload with only the security issue fixed. If I got the timing
> right, the next point release is still scheduled for 24th January. So
> there is only little time left to prepare the upload.
>
> As this is now undecided for quite a long time I would even prefer a NACK
> to having this unresolved any longer if you don't feel comfortable with
> the idea of having the maintenance releases in stable. This way I at
> least know that I don't have to bother anymore.
>
> If you don't want to rush things but are in general fine with the idea,
> I'm also fine with only fixing the security bug now as the time is quite
> tight and uploading 0.80.11 for the Debian 8.4 point release.

As I did not get any feedback I have now uploaded ceph/0.80.7-2+deb8u1
with only the security bug fixed. I think this is really the minimum that
should go into the next stable point release and I don't think there is
any concern about this. I cloned the original bug report to track this
jessie-pu request. The debdiff to the version currently in stable is
attached. It's minimal.

I would still appreciate an answer on #784373. Even if it's just that the
stable team does not currently have the resources to evaluate this request
and therefore declines to make an exception to the usual stable update
rules. This would not be the answer I had hoped for, but at least I then
know that I don't have to invest more time into the 0.80.X series of ceph.

Gaudenz
diff -Nru ceph-0.80.7/debian/changelog ceph-0.80.7/debian/changelog --- ceph-0.80.7/debian/changelog 2014-12-11 02:55:49.000000000 +0100 +++ ceph-0.80.7/debian/changelog 2016-01-15 10:42:14.000000000 +0100 @@ -1,3 +1,9 @@ +ceph (0.80.7-2+deb8u1) jessie; urgency=medium + + * [61b5e0] Patch to fix CVE-2015-5245 applied from upstream (Closes: #798567) + + -- Gaudenz Steinlin <gaud...@debian.org> Fri, 15 Jan 2016 10:41:27 +0100 + ceph (0.80.7-2) unstable; urgency=medium * Team upload. diff -Nru ceph-0.80.7/debian/gbp.conf ceph-0.80.7/debian/gbp.conf --- ceph-0.80.7/debian/gbp.conf 2014-12-11 02:33:33.000000000 +0100 +++ ceph-0.80.7/debian/gbp.conf 2016-01-15 10:41:01.000000000 +0100 @@ -1,5 +1,5 @@ [DEFAULT] -#debian-branch = experimental +debian-branch = jessie-security pristine-tar = True [import-orig] diff -Nru ceph-0.80.7/debian/patches/CVE-2015-5245.patch ceph-0.80.7/debian/patches/CVE-2015-5245.patch --- ceph-0.80.7/debian/patches/CVE-2015-5245.patch 1970-01-01 01:00:00.000000000 +0100 +++ ceph-0.80.7/debian/patches/CVE-2015-5245.patch 2016-01-15 10:41:01.000000000 +0100 
@@ -0,0 +1,35 @@ +From ad5507fe0bf72ed5bdf8353e315cc9092c740144 Mon Sep 17 00:00:00 2001 +From: Yehuda Sadeh <yeh...@redhat.com> +Date: Thu, 30 Jul 2015 14:47:15 -0700 +Subject: [PATCH] rgw: url encode exposed bucket + +Fixes: #12537 +Don't send the bucket name back without url encoding it. + +Signed-off-by: Yehuda Sadeh <yeh...@redhat.com> + +The patch below is an adapted version for ceph 0.80.7 to only contain +the necessary changes to fix this vulnerability. Neither the quoting +of the bucket name nor the missing \r are fixed. +(see http://tracker.ceph.com/issues/9254 and http://tracker.ceph.com/issues/11860) + +--- + src/rgw/rgw_rest.cc | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/src/rgw/rgw_rest.cc ++++ b/src/rgw/rgw_rest.cc +@@ -272,8 +272,11 @@ + { + int expose_bucket = g_conf->rgw_expose_bucket; + if (expose_bucket) { +- if (!s->bucket_name_str.empty()) +- s->cio->print("Bucket: \"%s\"\n", s->bucket_name_str.c_str()); ++ if (!s->bucket_name_str.empty()) { ++ string b; ++ url_encode(s->bucket_name_str, b); ++ s->cio->print("Bucket: \"%s\"\n", b.c_str()); ++ } + } + } + diff -Nru ceph-0.80.7/debian/patches/series ceph-0.80.7/debian/patches/series --- ceph-0.80.7/debian/patches/series 2014-12-11 02:33:47.000000000 +0100 +++ ceph-0.80.7/debian/patches/series 2016-01-15 10:41:01.000000000 +0100 @@ -14,6 +14,7 @@ bash-completion.patch rbdmap1-mount.patch rbdmap2-hooks.patch +CVE-2015-5245.patch ## Debian rbdmap3-lazyumount.patch
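Review bot: in the rgw_rest.cc hunk of CVE-2015-5245.patch the new block calls `url_encode(s->bucket_name_str, b)` in its two-argument (source, destination) form, but the hunk adds no include or declaration, and the patch header says it is a cut-down adaptation of upstream commit ad5507fe written against a newer tree; please confirm that `url_encode` with that signature is already visible in 0.80.7's rgw_rest.cc, otherwise the backport will not compile on jessie. The header comment already records that the quoting of the bucket name and the missing `\r` are deliberately left untouched (tracker issues 9254 and 11860), which is the right scope for a minimal stable update; adding the Debian bug number from the changelog (#798567) to that header would make the patch's provenance self-contained when it is read outside the package.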
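Review bot: the gbp.conf hunk replaces the commented-out `#debian-branch = experimental` with `debian-branch = jessie-security`, yet the cover mail describes this as a jessie-pu stable update for which no DSA was issued, and the line is git-buildpackage workflow metadata that does not affect the build or the fix. For a debdiff described as minimal, either drop this hunk or name the branch for the stable update target rather than the security suite, so that whoever prepares the next jessie upload from gbp.conf is not pointed at the wrong branch.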