Your message dated Mon, 28 Nov 2022 14:54:13 +0000
with message-id <e1ozfwp-003ppp...@fasolo.debian.org>
and subject line Bug#1024932: fixed in ceph 16.2.10+ds-4
has caused the Debian Bug report #1024932,
regarding ceph-base: ceph to root privilege escalation via ceph-crash.service
CVE-2022-3650
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1024932: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024932
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ceph-base
Version: 16.2.10+ds-3
Severity: serious
Tags: security
ceph-crash.service as shipped by ceph-base is vulnerable to
CVE-2022-3650, which is a privilege escalation from the ceph user to
root. Please refer to the notes from
https://security-tracker.debian.org/tracker/CVE-2022-3650 for more
details:
| https://www.openwall.com/lists/oss-security/2022/10/25/1
| https://tracker.ceph.com/issues/57967
| https://github.com/ceph/ceph/pull/48713
| https://github.com/ceph/ceph/commit/45915540559126a652f8d9d105723584cfc63439 (main)
| https://github.com/ceph/ceph/commit/130c9626598bc3a75942161e6cce7c664c447382 (main)
| Backport to Pacific: https://github.com/ceph/ceph/pull/48804
| Backport to Quincy: https://github.com/ceph/ceph/pull/48805
Helmut
--- End Message ---
--- Begin Message ---
Source: ceph
Source-Version: 16.2.10+ds-4
Done: Thomas Goirand <z...@debian.org>
We believe that the bug you reported is fixed in the latest version of
ceph, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1024...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated ceph package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 28 Nov 2022 12:02:57 +0100
Source: ceph
Architecture: source
Version: 16.2.10+ds-4
Distribution: unstable
Urgency: high
Maintainer: Ceph Packaging Team <team+c...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 1024932
Changes:
ceph (16.2.10+ds-4) unstable; urgency=high
.
* CVE-2022-3650: ceph to root privilege escalation via ceph-crash.service.
Add upstream patches (Closes: #1024932):
- ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch
- ceph-crash_fix_stderr_handling.patch
Checksums-Sha1:
bb5a50bd1685cb7b949d5f688e1538f12efe8e1d 8082 ceph_16.2.10+ds-4.dsc
1b76dd257d24f4c42e2f7dd1e78c4aa3bc5eb2dd 120512 ceph_16.2.10+ds-4.debian.tar.xz
98709b60ffef72660648c5d9a09da8d078c8ba26 42428 ceph_16.2.10+ds-4_amd64.buildinfo
Checksums-Sha256:
24fefece5694e1f95d9e960e968efeba7f34aa52956711ab0a245ecacc1cf9a2 8082 ceph_16.2.10+ds-4.dsc
a041e39205357451399b8b639303345c96cf219216cdfd1c44c8fe0d5e143ab1 120512 ceph_16.2.10+ds-4.debian.tar.xz
3540cf7f2890c8742b5b7658123b00c2fae08a508ca39f0a5fb8afc9e4bbc94d 42428 ceph_16.2.10+ds-4_amd64.buildinfo
Files:
db81003337f74142ef033d5098b62567 8082 admin optional ceph_16.2.10+ds-4.dsc
31594f2edb4f053577c78c6687fa0bda 120512 admin optional ceph_16.2.10+ds-4.debian.tar.xz
bdaeb64239dd0fd96c219c5c2017cb26 42428 admin optional ceph_16.2.10+ds-4_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmOEvjgACgkQ1BatFaxr
Q/4WVg//Yer3DCkTkt5wadWO3PTthZlRgAjCw/uPCtzEmI0bS/W/daFbLZcP1h8W
Uevq+yKQUsT6wz0pX1wKUvgMY49sDTLp4oMQAMXIjMRH0eE1lD2TripXVQ1r17wX
lV0Tx0/KOZkrdDe79SFJLP/UxRM3/DcnHj4x2a0GPD4oXlV5zoNPXEPkqRAKTrql
nklfY+Txi0MvuuyRoCO3Q6f4a+vCmKxQjyljicK5cGX99IxsApQL0vOH9MukLFo2
4YxH6/fMyHXh/+5EKYTaMqLiCcD3UxNdzRedNAfHpMJRUcXAy1kL6l2CDdCmXEKM
JQm2bv8OCr6SjrtuUuoPdecAMM0/BV2PvbM6C4rDuvWMVeqTRbzagIAFSU6iHHGc
crRntfs8AwjgU06ODJUYY01xZzH3QtduXNu6BQ4oEJem0vObMqowrIBDLl2c0+5G
rKqpOkuIAIAXAAT2YfaJoC7CRj0gjdqiUax8rJfrHnr79HFA35byoz93Ki/UqWGD
p310pZ+bU8UXbPsll3ryOvIhEvotiBjYoXDYl5SfomZxSuaMvYmxHlXzhvOjzN9W
BwdIeJWGiSHeClVAvnmFo+4Y/n96lBRVeQLRYPTi0UsShNcHi9+AH30fNkFXfS0i
po0jfxy+Zz5I1MaQ7OYRpYy+Yai47bCHXecGMIZvP313N0ICYoU=
=KlUZ
-----END PGP SIGNATURE-----
--- End Message ---
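The changelog above closes the bug by having ceph-crash drop from root to the ceph user instead of doing its work as root. The following is an added example of that privilege-drop pattern; it is not the ceph-crash script and not the upstream patch. It resolves the target account while still root, sets supplementary groups, gid and uid in that order, and then refuses to continue unless real, effective and saved ids all changed and setuid(0) fails. The default account name "ceph" is taken from the report; the function names and the Identity record are this example's own.

```python
#!/usr/bin/env python3
"""Permanently drop root to an unprivileged service account.

Added example for the ceph-crash privilege-drop discussed in Debian bug
#1024932; it is not the ceph-crash script or the upstream patch. The default
account name "ceph" is an assumption taken from the report.
"""
import argparse
import grp
import os
import pwd
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Identity:
    uid: int
    gid: int
    groups: Tuple[int, ...]  # supplementary groups, sorted


def current_identity() -> Identity:
    """Snapshot of the calling process's credentials."""
    return Identity(os.getuid(), os.getgid(), tuple(sorted(os.getgroups())))


def resolve_identity(user: str, group: Optional[str] = None) -> Identity:
    """Resolve names to numeric ids *before* dropping: after setuid() the
    process may no longer be able to reach the name service it needs."""
    pw = pwd.getpwnam(user)
    gid = grp.getgrnam(group).gr_gid if group else pw.pw_gid
    # Keep only the primary group. Every inherited supplementary group is a
    # way to go on reading files the target account should not see.
    return Identity(pw.pw_uid, gid, (gid,))


def _uids() -> Tuple[int, int, int]:
    # getresuid() is Linux/BSD only; fall back to the two ids every POSIX has.
    if hasattr(os, "getresuid"):
        return os.getresuid()
    return (os.getuid(), os.geteuid(), os.geteuid())


def _gids() -> Tuple[int, int, int]:
    if hasattr(os, "getresgid"):
        return os.getresgid()
    return (os.getgid(), os.getegid(), os.getegid())


def verify_dropped(target: Identity) -> Identity:
    """Fail closed unless real, effective and saved ids all equal the target
    and root can no longer be regained. Checking geteuid() alone would pass a
    process that can still setuid(0) right back."""
    if any(u != target.uid for u in _uids()):
        raise RuntimeError("uid not fully switched: %r" % (_uids(),))
    if any(g != target.gid for g in _gids()):
        raise RuntimeError("gid not fully switched: %r" % (_gids(),))
    if not set(os.getgroups()) <= set(target.groups) | {target.gid}:
        raise RuntimeError("unexpected supplementary groups: %r" % (os.getgroups(),))
    if target.uid != 0:
        try:
            os.setuid(0)
        except PermissionError:
            pass  # expected: the drop is permanent
        else:
            raise RuntimeError("privilege drop was not permanent")
    return current_identity()


def drop_privileges(target: Identity) -> Identity:
    """Switch to target for good. Order matters: groups and gid must be set
    while still uid 0, because after setuid() they need CAP_SETGID, which is
    gone. A process that is already the target user is only verified."""
    if os.geteuid() != 0:
        if os.getuid() != target.uid:
            raise PermissionError("not root, cannot become uid %d" % target.uid)
        return verify_dropped(target)
    os.setgroups(sorted(target.groups))
    os.setgid(target.gid)
    os.setuid(target.uid)  # from real uid 0 this sets real, effective and saved uid
    return verify_dropped(target)


def main() -> int:
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("--user", default="ceph", help="service account to run as")
    ap.add_argument("--group", default=None, help="group (default: user's primary)")
    args = ap.parse_args()
    ident = drop_privileges(resolve_identity(args.user, args.group))
    print("running as uid=%d gid=%d groups=%r" % (ident.uid, ident.gid, ident.groups))
    # Anything that touches paths the service account can write (crash
    # directory, config, the ceph CLI) must only start after this point.
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as root (`sudo python3 drop_privs.py --user ceph`) and it prints the unprivileged identity or raises; run as an ordinary user it only verifies that the process cannot regain root. The point worth keeping from this bug is the ordering: the drop has to happen before the service opens or executes anything under a directory the ceph account controls, otherwise root is still the one following those paths.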