Hi Gaudenz,

> Gaudenz Steinlin <gaud...@debian.org> writes:
> 
> > Hi 
> >
> > Salvatore Bonaccorso <car...@debian.org> writes:
> >> Hi,
> >>
> >> the following vulnerability was published for ceph.
> >>
> >> CVE-2018-7262[0]:
> >> |Malformed HTTP requests handled in rgw_civetweb.cc:RGW::init_env() can
> >> |lead to NULL pointer dereference
> >
> > Thanks for the information. I backported the upstream fix to the version
> > in stretch and I'm currently in the process of building the package
> > (takes several hours). How do you want me to proceed if the package
> > builds fine and testing does not result in any errors?
> >
> > This may lead to a crash of the RGW process if sent a malformed HTTP
> > header which could result in a denial of service. Does this warrant an
> > upload to security or should this only be fixed via a stable point
> > release? Do you want to review the debdiff before the upload? The
> > debdiff of the test package I'm currently building is attached to this
> > mail.
> 
> Further investigations showed that the versions of Ceph currently in
> Debian are not vulnerable [1]. They contain an older version of the embedded
> webserver in RADOS gateway which does not return NULL pointers on
> malformed HTTP requests. I confirmed this myself and also verified that
> the bug is fixed in the latest upstream release soon to be uploaded to
> Debian. I'm therefore closing this bug.

Thanks for your further investigation on the issue.

Regards,
Salvatore
