jiachao2130/cvrf2cusa
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
d1132d88d2
cvrf2cusa/cvrf/2021/cvrf-openEuler-SA-2021-1317.xml
Jia Chao 0b34274085 git mv 
Signed-off-by: Jia Chao <jiac13@chinaunicom.cn>
2024-07-25 09:57:37 +08:00

356 lines
35 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
<DocumentTitle xml:lang="en">An update for ceph is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2</DocumentTitle>
<DocumentType>Security Advisory</DocumentType>
<DocumentPublisher Type="Vendor">
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
<IssuingAuthority>openEuler security committee</IssuingAuthority>
</DocumentPublisher>
<DocumentTracking>
<Identification>
<ID>openEuler-SA-2021-1317</ID>
</Identification>
<Status>Final</Status>
<Version>1.0</Version>
<RevisionHistory>
<Revision>
<Number>1.0</Number>
<Date>2021-08-20</Date>
<Description>Initial</Description>
</Revision>
</RevisionHistory>
<InitialReleaseDate>2021-08-20</InitialReleaseDate>
<CurrentReleaseDate>2021-08-20</CurrentReleaseDate>
<Generator>
<Engine>openEuler SA Tool V1.0</Engine>
<Date>2021-08-20</Date>
</Generator>
</DocumentTracking>
<DocumentNotes>
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">ceph security update</Note>
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for ceph is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2.</Note>
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">Ceph is a massively scalable, open-source, distributed storage system that runs on commodity hardware and delivers object, block and file system storage.
Security Fix(es):
A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) in versions before 14.2.21. The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. In addition, the prior bug fix for CVE-2020-10753 did not account for the use of \r as a header separator, thus a new flaw has been created.(CVE-2021-3524)
A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input.(CVE-2020-1760)
A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. Ceph versions 3.x and 4.x are vulnerable to this issue.(CVE-2020-10753)
User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An Open Stack Manila user can request access to a share to an arbitrary cephx user, including existing users. The access key is retrieved via the interface drivers. Then, all users of the requesting OpenStack project can view the access key. This enables the attacker to target any resource that the user has access to. This can be done to even admin users, compromising the ceph administrator. This flaw affects Ceph versions prior to 14.2.16, 15.x prior to 15.2.8, and 16.x prior to 16.2.0.(CVE-2020-27781)</Note>
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for ceph is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2.
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">High</Note>
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">ceph</Note>
</DocumentNotes>
<DocumentReferences>
<Reference Type="Self">
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1317</URL>
</Reference>
<Reference Type="openEuler CVE">
<URL>https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-3524</URL>
<URL>https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-1760</URL>
<URL>https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-10753</URL>
<URL>https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-27781</URL>
</Reference>
<Reference Type="Other">
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-3524</URL>
<URL>https://nvd.nist.gov/vuln/detail/CVE-2020-1760</URL>
<URL>https://nvd.nist.gov/vuln/detail/CVE-2020-10753</URL>
<URL>https://nvd.nist.gov/vuln/detail/CVE-2020-27781</URL>
</Reference>
</DocumentReferences>
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
<Branch Type="Product Name" Name="openEuler">
<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
<FullProductName ProductID="openEuler-20.03-LTS-SP2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">openEuler-20.03-LTS-SP2</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="aarch64">
<FullProductName ProductID="ceph-fuse-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-fuse-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="rados-objclass-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">rados-objclass-devel-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python-rados-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python-rados-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-test-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-test-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-base-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-base-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python3-cephfs-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python3-cephfs-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-debuginfo-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-debuginfo-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python3-rgw-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python3-rgw-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="librbd-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">librbd-devel-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libradosstriper-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libradosstriper-devel-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-resource-agents-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-resource-agents-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python-rgw-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python-rgw-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libcephfs-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libcephfs-devel-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-mgr-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-mgr-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-selinux-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-selinux-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python3-rbd-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python3-rbd-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libradosstriper1-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libradosstriper1-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python3-rados-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python3-rados-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python-rbd-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python-rbd-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="librgw2-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">librgw2-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="librados-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">librados-devel-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python3-ceph-argparse-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python3-ceph-argparse-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="rbd-fuse-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">rbd-fuse-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libcephfs2-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libcephfs2-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="rbd-mirror-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">rbd-mirror-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="librbd1-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">librbd1-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="rbd-nbd-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">rbd-nbd-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python-ceph-compat-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python-ceph-compat-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="librados2-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">librados2-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-radosgw-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-radosgw-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-debugsource-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-debugsource-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python-cephfs-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python-cephfs-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-mon-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-mon-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-common-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-common-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="librgw-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">librgw-devel-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-mds-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-mds-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-osd-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-osd-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="librgw-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">librgw-devel-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python3-ceph-argparse-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python3-ceph-argparse-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="librbd1-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">librbd1-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="librados-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">librados-devel-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-fuse-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-fuse-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-debugsource-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-debugsource-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-selinux-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-selinux-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="rbd-mirror-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">rbd-mirror-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-test-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-test-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-radosgw-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-radosgw-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python-rbd-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python-rbd-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-base-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-base-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python3-rbd-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python3-rbd-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libcephfs2-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libcephfs2-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="librgw2-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">librgw2-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="rados-objclass-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">rados-objclass-devel-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="librados2-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">librados2-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libradosstriper-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libradosstriper-devel-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libradosstriper1-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libradosstriper1-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python3-cephfs-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python3-cephfs-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-osd-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-osd-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python-rgw-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python-rgw-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python-cephfs-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python-cephfs-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-mon-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-mon-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python-ceph-compat-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python-ceph-compat-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python3-rgw-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python3-rgw-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-debuginfo-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-debuginfo-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libcephfs-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libcephfs-devel-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="librbd-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">librbd-devel-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="rbd-nbd-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">rbd-nbd-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-mds-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-mds-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-resource-agents-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-resource-agents-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="rbd-fuse-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">rbd-fuse-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-mgr-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-mgr-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python-rados-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python-rados-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="ceph-common-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-common-12.2.8-15.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python3-rados-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python3-rados-12.2.8-15.oe1.aarch64.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="src">
<FullProductName ProductID="ceph-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-12.2.8-15.oe1.src.rpm</FullProductName>
<FullProductName ProductID="ceph-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-12.2.8-15.oe1.src.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="x86_64">
<FullProductName ProductID="python-cephfs-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python-cephfs-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-base-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-base-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python3-rbd-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python3-rbd-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python3-ceph-argparse-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python3-ceph-argparse-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python3-rados-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python3-rados-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-resource-agents-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-resource-agents-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-mds-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-mds-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-selinux-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-selinux-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-fuse-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-fuse-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python-rados-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python-rados-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python3-cephfs-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python3-cephfs-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libradosstriper1-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libradosstriper1-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-radosgw-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-radosgw-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-osd-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-osd-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libcephfs-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libcephfs-devel-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="librados-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">librados-devel-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-common-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-common-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-mgr-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-mgr-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="rbd-nbd-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">rbd-nbd-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="rbd-fuse-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">rbd-fuse-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="librbd1-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">librbd1-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python-rgw-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python-rgw-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python-rbd-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python-rbd-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="librbd-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">librbd-devel-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="rbd-mirror-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">rbd-mirror-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="rados-objclass-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">rados-objclass-devel-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-mon-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-mon-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python-ceph-compat-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python-ceph-compat-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="librgw2-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">librgw2-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-debuginfo-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-debuginfo-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-debugsource-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-debugsource-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="librados2-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">librados2-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python3-rgw-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python3-rgw-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="librgw-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">librgw-devel-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libradosstriper-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libradosstriper-devel-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libcephfs2-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libcephfs2-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-test-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">ceph-test-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-fuse-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-fuse-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python3-rgw-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python3-rgw-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python3-ceph-argparse-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python3-ceph-argparse-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-mon-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-mon-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-osd-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-osd-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python-cephfs-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python-cephfs-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-radosgw-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-radosgw-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="librgw-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">librgw-devel-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-base-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-base-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="rbd-fuse-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">rbd-fuse-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-resource-agents-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-resource-agents-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-debuginfo-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-debuginfo-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python-rbd-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python-rbd-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python3-rados-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python3-rados-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="librgw2-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">librgw2-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python-rados-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python-rados-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python-ceph-compat-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python-ceph-compat-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-common-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-common-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python-rgw-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python-rgw-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libcephfs-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libcephfs-devel-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="librbd1-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">librbd1-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="rados-objclass-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">rados-objclass-devel-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python3-rbd-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python3-rbd-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="librbd-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">librbd-devel-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="rbd-nbd-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">rbd-nbd-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-mds-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-mds-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-mgr-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-mgr-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-test-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-test-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="librados2-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">librados2-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libradosstriper1-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libradosstriper1-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libcephfs2-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libcephfs2-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="rbd-mirror-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">rbd-mirror-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libradosstriper-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libradosstriper-devel-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="librados-devel-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">librados-devel-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python3-cephfs-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">python3-cephfs-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-selinux-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-selinux-12.2.8-15.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="ceph-debugsource-12.2.8-15" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">ceph-debugsource-12.2.8-15.oe1.x86_64.rpm</FullProductName>
</Branch>
</ProductTree>
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) in versions before 14.2.21. The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. In addition, the prior bug fix for CVE-2020-10753 did not account for the use of \r as a header separator, thus a new flaw has been created.</Note>
</Notes>
<ReleaseDate>2021-08-20</ReleaseDate>
<CVE>CVE-2021-3524</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>Medium</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>6.5</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>ceph security update</Description>
<DATE>2021-08-20</DATE>
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1317</URL>
</Remediation>
</Remediations>
</Vulnerability>
<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="2" xml:lang="en">A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input.</Note>
</Notes>
<ReleaseDate>2021-08-20</ReleaseDate>
<CVE>CVE-2020-1760</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>Medium</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>6.1</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>ceph security update</Description>
<DATE>2021-08-20</DATE>
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1317</URL>
</Remediation>
</Remediations>
</Vulnerability>
<Vulnerability Ordinal="3" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="3" xml:lang="en">A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. Ceph versions 3.x and 4.x are vulnerable to this issue.</Note>
</Notes>
<ReleaseDate>2021-08-20</ReleaseDate>
<CVE>CVE-2020-10753</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>Medium</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>6.5</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>ceph security update</Description>
<DATE>2021-08-20</DATE>
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1317</URL>
</Remediation>
</Remediations>
</Vulnerability>
<Vulnerability Ordinal="4" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="4" xml:lang="en">User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An Open Stack Manila user can request access to a share to an arbitrary cephx user, including existing users. The access key is retrieved via the interface drivers. Then, all users of the requesting OpenStack project can view the access key. This enables the attacker to target any resource that the user has access to. This can be done to even admin users, compromising the ceph administrator. This flaw affects Ceph versions prior to 14.2.16, 15.x prior to 15.2.8, and 16.x prior to 16.2.0.</Note>
</Notes>
<ReleaseDate>2021-08-20</ReleaseDate>
<CVE>CVE-2020-27781</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>High</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>7.1</BaseScore>
<Vector>AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>ceph security update</Description>
<DATE>2021-08-20</DATE>
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1317</URL>
</Remediation>
</Remediations>
</Vulnerability>
</cvrfdoc>
Reference in New Issue View Git Blame Copy Permalink