[Bug 1929179] [NEW] [SRU] ceph 15.2.12
James Page
1929179 at bugs.launchpad.net
Fri May 21 09:04:55 UTC 2021
Public bug reported:
[Impact]
This release fixes several bugs. We would like to make sure all of our users have access to these improvements.

The update contains the following package updates:

* ceph 15.2.12

[Test Case]
The following SRU process was followed:

https://wiki.ubuntu.com/OpenStackUpdates

In order to avoid regression of existing users, the OpenStack team will
run their continuous integration test against the packages that are in
-proposed. A successful run of all available tests will be required
before the proposed packages can be let into -updates.

The OpenStack team will be in charge of attaching the output summary of
the executed tests. The OpenStack team members will not mark
‘verification-done’ until this has happened.

[Regression Potential]
In order to mitigate the regression potential, the results of the
aforementioned tests are attached to this bug.

[Upstream release announcement]
V15.2.12 OCTOPUS

This is a hotfix release addressing a number of security issues and
regressions. We recommend all users update to this release.

CHANGELOG
mgr/dashboard: fix base-href: revert it to previous approach (issue#50684, Avan Thakkar)

mgr/dashboard: fix cookie injection issue (CVE-2021-3509: Dashboard XSS
via token cookie, Ernesto Puerta)

rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name
(CVE-2021-3531: Swift API denial of service, Felix Huettner)

rgw: sanitize \r in s3 CORSConfiguration’s ExposeHeader (CVE-2021-3524:
HTTP header injects via CORS in RGW, Sergey Bobrov, Casey Bodley)

** Affects: cloud-archive
Importance: Undecided
Status: Invalid
** Affects: cloud-archive/ussuri
Importance: High
Status: Triaged
** Affects: ceph (Ubuntu)
Importance: Undecided
Status: Invalid
** Affects: ceph (Ubuntu Focal)
Importance: High
Status: Triaged
** Affects: ceph (Ubuntu Groovy)
Importance: High
Status: Triaged
** Also affects: ceph (Ubuntu Groovy)
Importance: Undecided
Status: New
** Also affects: ceph (Ubuntu Focal)
Importance: Undecided
Status: New
** Changed in: ceph (Ubuntu Focal)
Status: New => Triaged
** Changed in: ceph (Ubuntu Groovy)
Status: New => Triaged
** Changed in: ceph (Ubuntu)
Status: New => Invalid
** Changed in: ceph (Ubuntu Groovy)
Importance: Undecided => High
** Changed in: ceph (Ubuntu Focal)
Importance: Undecided => High
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3509
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3531
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3524
** Description changed:
- TBC
+ Upstream release announcement:
+
+ V15.2.12 OCTOPUS
+
+ This is a hotfix release addressing a number of security issues and
+ regressions. We recommend all users update to this release.
+
+
+ CHANGELOG
+ mgr/dashboard: fix base-href: revert it to previous approach (issue#50684, Avan Thakkar)
+
+ mgr/dashboard: fix cookie injection issue (CVE-2021-3509: Dashboard XSS
+ via token cookie, Ernesto Puerta)
+
+ rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name
+ (CVE-2021-3531: Swift API denial of service, Felix Huettner)
+
+ rgw: sanitize r in s3 CORSConfiguration’s ExposeHeader (CVE-2021-3524:
+ HTTP header injects via CORS in RGW, Sergey Bobrov, Casey Bodley)
** Description changed:
- Upstream release announcement:
+ [Impact]
+ This release fixes several bugs. We would like to make sure all of our users have access to these improvements.
+
+ The update contains the following package updates:
+
+ * ceph 15.2.11
+
+ [Test Case]
+ The following SRU process was followed:
+
+ https://wiki.ubuntu.com/OpenStackUpdates
+
+ In order to avoid regression of existing users, the OpenStack team will
+ run their continuous integration test against the packages that are in
+ -proposed. A successful run of all available tests will be required
+ before the proposed packages can be let into -updates.
+
+ The OpenStack team will be in charge of attaching the output summary of
+ the executed tests. The OpenStack team members will not mark
+ ‘verification-done’ until this has happened.
+
+ [Regression Potential]
+ In order to mitigate the regression potential, the results of the
+ aforementioned tests are attached to this bug.
+
+ [Upstream release announcement]
V15.2.12 OCTOPUS
This is a hotfix release addressing a number of security issues and
regressions. We recommend all users update to this release.
-
CHANGELOG
mgr/dashboard: fix base-href: revert it to previous approach (issue#50684, Avan Thakkar)
mgr/dashboard: fix cookie injection issue (CVE-2021-3509: Dashboard XSS
via token cookie, Ernesto Puerta)
rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name
(CVE-2021-3531: Swift API denial of service, Felix Huettner)
rgw: sanitize r in s3 CORSConfiguration’s ExposeHeader (CVE-2021-3524:
HTTP header injects via CORS in RGW, Sergey Bobrov, Casey Bodley)
** Description changed:
[Impact]
This release fixes several bugs. We would like to make sure all of our users have access to these improvements.
The update contains the following package updates:
- * ceph 15.2.11
+ * ceph 15.2.12
[Test Case]
The following SRU process was followed:
https://wiki.ubuntu.com/OpenStackUpdates
In order to avoid regression of existing users, the OpenStack team will
run their continuous integration test against the packages that are in
-proposed. A successful run of all available tests will be required
before the proposed packages can be let into -updates.
The OpenStack team will be in charge of attaching the output summary of
the executed tests. The OpenStack team members will not mark
‘verification-done’ until this has happened.
[Regression Potential]
In order to mitigate the regression potential, the results of the
aforementioned tests are attached to this bug.
[Upstream release announcement]
V15.2.12 OCTOPUS
This is a hotfix release addressing a number of security issues and
regressions. We recommend all users update to this release.
CHANGELOG
mgr/dashboard: fix base-href: revert it to previous approach (issue#50684, Avan Thakkar)
mgr/dashboard: fix cookie injection issue (CVE-2021-3509: Dashboard XSS
via token cookie, Ernesto Puerta)
rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name
(CVE-2021-3531: Swift API denial of service, Felix Huettner)
rgw: sanitize r in s3 CORSConfiguration’s ExposeHeader (CVE-2021-3524:
HTTP header injects via CORS in RGW, Sergey Bobrov, Casey Bodley)
** Also affects: cloud-archive
Importance: Undecided
Status: New
** Also affects: cloud-archive/ussuri
Importance: Undecided
Status: New
** Changed in: cloud-archive
Status: New => Invalid
** Changed in: cloud-archive/ussuri
Status: New => Triaged
** Changed in: cloud-archive/ussuri
Importance: Undecided => High
https://bugs.launchpad.net/bugs/1929179
Title:
[SRU] ceph 15.2.12
Status in Ubuntu Cloud Archive:
Invalid
Status in Ubuntu Cloud Archive ussuri series:
Triaged
Status in ceph package in Ubuntu:
Invalid
Status in ceph source package in Focal:
Triaged
Status in ceph source package in Groovy:
Triaged