[Bug 1929179] Re: [SRU] ceph 15.2.12
Łukasz Zemczak
1929179 at bugs.launchpad.net
Mon May 24 22:56:27 UTC 2021
Hey James! Since this feels like a security update, should we aim for
getting it released into -security as well? In that case we'd have to
inform the ubuntu-security team, build the packages in a security-
enabled PPA and only the binary-copy the packages into -proposed.
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ceph in Ubuntu.
https://bugs.launchpad.net/bugs/1929179
Title:
[SRU] ceph 15.2.12
Status in Ubuntu Cloud Archive:
Invalid
Status in Ubuntu Cloud Archive ussuri series:
Triaged
Status in ceph package in Ubuntu:
Invalid
Status in ceph source package in Focal:
Triaged
Status in ceph source package in Groovy:
Triaged
Bug description:
[Impact]
This release fixes several bugs. We would like to make sure all of our users have access to these improvements.
The update contains the following package updates:
* ceph 15.2.12
[Test Case]
The following SRU process was followed:
https://wiki.ubuntu.com/OpenStackUpdates
In order to avoid regression of existing users, the OpenStack team
will run their continuous integration test against the packages that
are in -proposed. A successful run of all available tests will be
required before the proposed packages can be let into -updates.
The OpenStack team will be in charge of attaching the output summary
of the executed tests. The OpenStack team members will not mark
‘verification-done’ until this has happened.
[Regression Potential]
In order to mitigate the regression potential, the results of the
aforementioned tests are attached to this bug.
[Upstream release announcement]
V15.2.12 OCTOPUS
This is a hotfix release addressing a number of security issues and
regressions. We recommend all users update to this release.
CHANGELOG
mgr/dashboard: fix base-href: revert it to previous approach (issue#50684, Avan Thakkar)
mgr/dashboard: fix cookie injection issue (CVE-2021-3509: Dashboard
XSS via token cookie, Ernesto Puerta)
rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name
(CVE-2021-3531: Swift API denial of service, Felix Huettner)
rgw: sanitize r in s3 CORSConfiguration’s ExposeHeader (CVE-2021-3524:
HTTP header injects via CORS in RGW, Sergey Bobrov, Casey Bodley)
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1929179/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list