Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-10736: v15.2.2 Octopus released - Ceph

An authorization bypass vulnerability was found in Ceph versions 15.2.0 before 15.2.2, where the ceph-mon and ceph-mgr daemons do not properly restrict access, resulting in gaining access to unauthorized resources. This flaw allows an authenticated client to modify the configuration and possibly conduct further attacks.

CVE
Open in Source
#vulnerability#perl#auth#rpm
  • News
    • Ceph Blog
    • Publications
    • Contribute Content

This is the second bugfix release of Ceph Octopus stable release series, we recommend that all Octopus users upgrade. This release has a range of fixes across all components and a security fix.

Notable Changes ¶

  • CVE-2020-10736: Fixed an authorization bypass in mons & mgrs (Olle SegerDahl, Josh Durgin)

Changelog ¶

  • ceph-volume/batch: check lvs list before access (pr#34480, Jan Fajerski)
  • ceph-volume/batch: return success when all devices are filtered (pr#34477, Jan Fajerski)
  • ceph-volume: update functional testing deploy.yml playbook (pr#34886, Guillaume Abrioux)
  • cephadm: Fix check_ip_port to work with IPv6 (pr#34350, Ricardo Marques)
  • cephadm: Update images used (pr#34686, Sebastian Wagner)
  • cephadm: ceph-volume: disallow concurrent execution (pr#34423, Sage Weil)
  • cephadm: rm-cluster clean up /etc/ceph (pr#34299, Daniel-Pivonka)
  • devices/simple/scan: Fix string in log statement (pr#34446, Jan Fajerski)
  • mgr/dashboard: ‘Prometheus / All Alerts’ page shows progress bar (pr#34631, Volker Theile)
  • mgr/dashboard: Fix ServiceDetails and PoolDetails unit tests (pr#34760, Tiago Melo)
  • mgr/dashboard: Fix iSCSI’s username and password validation (pr#34547, Tiago Melo)
  • mgr/dashboard: Improve iSCSI CHAP message (pr#34630, Ricardo Marques)
  • mgr/dashboard: Prevent iSCSI target recreation when editing controls (pr#34548, Tiago Melo)
  • mgr/dashboard: RGW auto refresh is not working (pr#34739, Avan Thakkar)
  • mgr/dashboard: Repair broken grafana panels (pr#34495, Kristoffer Grönlund)
  • mgr/dashboard: Update translations on octopus (pr#34309, Sebastian Krah)
  • mgr/dashboard: add crush rule test suite (pr#34211, Tatjana Dehler)
  • mgr/dashboard: fix API tests to be py3 compatible (pr#34759, Kefu Chai, Laura Paduano, Alfonso Martínez)
  • mgr/dashboard: fix errors related to frontend service subscriptions (pr#34467, Alfonso Martínez)
  • mgr/dashboard: fix tasks.mgr.dashboard.test_rgw.RgwBucketTest.test_all (pr#34708, Alfonso Martínez)
  • mgr/dashboard: lint error on plugins/debug.py (pr#34625, Volker Theile)
  • mgr/dashboard: shorten “Container ID” and “Container image ID” in Services page (pr#34648, Volker Theile)
  • mgr/dashboard: use FQDN for failover redirection (pr#34498, Ernesto Puerta)
  • monitoring: Fix pool capacity incorrect (pr#34449, James Cheng)
  • monitoring: alert for prediction of disk and pool fill up broken (pr#34395, Patrick Seidensal)
  • monitoring: fix decimal precision in Grafana %percentages (pr#34828, Ernesto Puerta)
  • monitoring: root volume full alert fires false positives (pr#34418, Patrick Seidensal)
  • qa/suites/rados/cephadm/upgrade: start from v15.2.0 (pr#34440, Sage Weil)
  • qa/tasks/cephadm: add ‘roleless’ mode (pr#34407, Sage Weil)
  • bluestore,core: common/options: Disable bluefs_buffered_io by default again (pr#34353, Mark Nelson)
  • bluestore: os/bluestore: Don’t pollute old journal when add new device (pr#34795, Yang Honggang)
  • bluestore: os/bluestore: fix ‘unused’ calculation (pr#34793, Igor Fedotov, xie xingguo)
  • bluestore: os/bluestore: open DB in read-only when expanding DB/WAL (pr#34610, Adam Kupczyk, Igor Fedotov)
  • build/ops: rpm: add python3-saml as install dependency (pr#34474, Ernesto Puerta)
  • build/ops: rpm: drop “is_opensuse” conditional in SUSE-specific bcond block (pr#34790, Nathan Cutler)
  • build/ops: spec: address some warnings raised by RPM 4.15.1 (pr#34526, Nathan Cutler)
  • cephfs,mgr: mgr/volumes: Add interface to get subvolume metadata (pr#34681, Kotresh HR)
  • cephfs,mgr: mgr: force purge normal ceph entities from service map (issue#44677, pr#34800, Venky Shankar)
  • cephfs,tools: cephfs-journal-tool: correctly parse –dry_run argument (pr#34804, Milind Changire)
  • cephfs,tools: tools/cephfs: add accounted_rstat/rstat when building file dentry (pr#34803, Xiubo Li)
  • cephfs: ceph-fuse: link to libfuse3 and pass -o big_writes to libfuse if libfuse < 3.0.0 (pr#34769, Xiubo Li, “Yan, Zheng”, Kefu Chai)
  • cephfs: client: reset requested_max_size if file write is not wanted (pr#34766, “Yan, Zheng”)
  • cephfs: mds: fix ‘if there is lock cache on dir’ check (pr#34273, “Yan, Zheng”)
  • cephfs: mon/FSCommands: Fix ‘add_data_pool’ command and ‘fs new’ command (pr#34775, Ramana Raja)
  • cephfs: qa: install task runs twice with double unwind causing fatal errors (pr#34912, Patrick Donnelly)
  • core,mon: mon/OSDMonitor: allow trimming maps even if osds are down (pr#34924, Joao Eduardo Luis)
  • core: ceph-object-corpus: update to octopus (pr#34797, Josh Durgin)
  • core: mgr/DaemonServer: fetch metadata for new daemons (e.g., mons) (pr#34416, Sage Weil)
  • core: mon/OSDMonitor: Always tune priority cache manager memory on all mons (pr#34917, Sridhar Seshasayee)
  • core: mon: calculate min_size on osd pool set size (pr#34528, Deepika Upadhyay)
  • core: osd/PeeringState: do not trim pg log past last_update_ondisk (pr#34807, xie xingguo, Samuel Just)
  • core: osd/PrimaryLogPG: fix SPARSE_READ stat (pr#34809, Yan Jun)
  • doc: cephadm: Batch backport April (1) (pr#34554, Matthew Oliver, Sage Weil, Sebastian Wagner, Michael Fritch, Tim, Jeff Layton, Juan Miguel Olmo Martínez, Joshua Schmid)
  • doc: cephadm: Batch backport April (2) (issue#45029, pr#34687, Maran Hidskes, Kiefer Chang, Matthew Oliver, Sebastian Wagner, Andreas Haase, Tim Serong, Zac Dover, Michael Fritch, Joshua Schmid)
  • doc: cephadm: Batch backport April (3) (pr#34742, Sebastian Wagner, Dimitri Savineau, Michael Fritch)
  • doc: cephadm: batch backport March (pr#34438, Jan Fajerski, Sebastian Wagner, Daniel-Pivonka, Michael Fritch, Sage Weil)
  • doc: doc/releases/nautilus: restart OSDs to make them bind to v2 addr (pr#34523, Nathan Cutler)
  • mgr: mgr/PyModule: fix missing tracebacks in handle_pyerror() (pr#34626, Tim Serong)
  • mgr: mgr/telegraf: catch FileNotFoundError exception (pr#34629, Kefu Chai)
  • pybind,rbd: pybind/rbd: ensure image is open before permitting operations (pr#34425, Mykola Golub)
  • pybind,rbd: pybind/rbd: fix no lockers are obtained, ImageNotFound exception will be output (pr#34387, zhangdaolong)
  • rbd,tests: tests: update unmap.t for table spacing changes (pr#34819, Ilya Dryomov)
  • rbd: rbd-mirror: improved replication statistics (pr#34810, Mykola Golub, Jason Dillaman)
  • rbd: rbd: ignore tx-only mirror peers when adding new peers (pr#34638, Jason Dillaman)
  • rgw: radosgw-admin: add support for –bucket-id in bucket stats command (pr#34816, Vikhyat Umrao)
  • rgw: Disable prefetch of entire head object when GET request with range header (pr#34826, Or Friedmann)
  • rgw: pubsub sync module ignores ERR_USER_EXIST (pr#34825, Casey Bodley)
  • rgw: reshard: skip stale bucket id entries from reshard queue (pr#34734, Abhishek Lekshmanan)
  • rgw: use DEFER_DROP_PRIVILEGES flag unconditionally (pr#34731, Casey Bodley)

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE