
Debian alert DLA-4460-1 (ceph)

From:  Utkarsh Gupta <utkarsh@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 4460-1] ceph security update
Date:  Sun, 01 Feb 2026 04:11:37 +0530
Message-ID:  <CAPP0f96+r5S5k8Z7_BiJGcOpPUdL6Heq3evjnaA+9PMUu7mdpw@mail.gmail.com>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4460-1
debian-lts@lists.debian.org
https://www.debian.org/lts/security/
Utkarsh Gupta
February 01, 2026
https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : ceph
Version        : 14.2.21-1+deb11u2
CVE ID         : CVE-2022-0670 CVE-2024-47866
Debian Bug     : 1016069 1120797

Ceph is a distributed object, block, and file storage platform.

CVE-2022-0670

    A flaw was found in OpenStack Manila owning a Ceph File system
    "share", which enables the owner to read/write any Manila share
    or entire file system. The vulnerability is due to a bug in the
    "volumes" plugin in Ceph Manager. This allows an attacker to
    compromise confidentiality and integrity of a file system.

CVE-2024-47866

    Using the argument `x-amz-copy-source` to put an object and
    specifying an empty string as its content leads to the RGW
    daemon crashing, resulting in a DoS attack.

For Debian 11 bullseye, these problems have been fixed in version
14.2.21-1+deb11u2.

We recommend that you upgrade your ceph packages.

For the detailed security status of ceph please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ceph

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

