On Mon, Mar 22, 2021 at 10:11:29AM +0100, Thomas Goirand wrote:
> On 3/21/21 7:59 PM, Moritz Muehlenhoff wrote:
> > Package: ceph
> > Severity: important
> > Tags: security
> > X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
> >
> > CVE-2020-27781
> > https://bugs.launchpad.net/manila/+bug/1904015
> > https://bugzilla.redhat.com/show_bug.cgi?id=1900109
> > https://github.com/ceph/ceph/commit/1b8a634fdcd94dfb3ba650793fb1b6d09af65e05 (octopus)
> > https://github.com/ceph/ceph/commit/7e3e4e73783a98bb07ab399438eb3aab41a6fc8b (nautilus)
> > https://github.com/ceph/ceph/commit/956ceb853a58f6b6847b31fac34f2f0228a70579 (luminous)
> >
> > CVE-2020-27839
> > https://tracker.ceph.com/issues/44591
> > https://github.com/ceph/ceph/pull/38259
> > https://github.com/ceph/ceph/commit/23f2604d6f9ac16779b4ac43aab6e4e434f2e8ec
> >
> > Cheers,
> > Moritz
>
> Hi Moritz,
>
> To me, these issues were fixed in 14.2.16, which is already in
> unstable/bullseye, and also in Buster backports. It matches what I have
> in memory (but I'm not 100% sure).
>
> I tried applying the above patches, and that's how it felt too.
I can confirm that CVE-2020-27781 is fixed in sid; 7e3e4e73783a98bb07ab399438eb3aab41a6fc8b landed in v14.2.16 and thus in unstable. I've updated the Security Tracker.

But CVE-2020-27839 was fixed in the nautilus branch in 843b2e9cd4cb996165d1818ebff125f1414f90c5, which only ended up in v14.2.17 and is thus missing in unstable/testing. Right?

Cheers,
Moritz