A ceph security update has been released for Debian GNU/Linux 8 and 9 Extended LTS to address a flaw found in the Ceph RGW component.

ELA-1000-1 ceph security update

Package : ceph
Version : 0.80.7-2+deb8u6 (jessie), 10.2.11-2+deb9u2 (stretch)

Related CVEs :

A flaw was found in the Ceph RGW component. An unprivileged user can write to any bucket(s) accessible by a given key if a POST’s form-data contains a key called “bucket” with a value matching the name of the bucket used to sign the request. As a result, a user could upload to any bucket accessible by the specified access key, as long as the bucket in the POST policy matches the bucket in that POST form part.
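The check described above, as a simplified model added here for illustration; it is not Ceph's code. It assumes an S3-style POST policy (base64-encoded JSON with a `conditions` list); the function names and the bucket names `uploads` and `reports` are constructed for the example.

```python
import base64
import json

# Constructed sample: a POST policy that pins uploads to the bucket "uploads".
SAMPLE_POLICY = base64.b64encode(json.dumps({
    "expiration": "2030-01-01T00:00:00Z",
    "conditions": [{"bucket": "uploads"}, ["starts-with", "$key", ""]],
}).encode()).decode()


def policy_bucket(policy_b64):
    """Return the bucket name pinned by a POST policy, or None if absent."""
    policy = json.loads(base64.b64decode(policy_b64))
    for cond in policy.get("conditions", []):
        if isinstance(cond, dict) and "bucket" in cond:
            return cond["bucket"]
        if (isinstance(cond, list) and len(cond) == 3
                and cond[0] == "eq" and cond[1] == "$bucket"):
            return cond[2]
    return None


def flawed_check(target_bucket, form):
    """Models the flaw: a "bucket" form field replaces the real target."""
    env = {"bucket": target_bucket}
    env.update(form)  # client-supplied "bucket" overrides the request target
    return policy_bucket(form["policy"]) == env["bucket"]


def hardened_check(target_bucket, form):
    """Compare the policy against the bucket the request is addressed to."""
    env = dict(form)
    env["bucket"] = target_bucket  # set last, so form data cannot override it
    pinned = policy_bucket(form["policy"])
    return pinned is not None and pinned == env["bucket"]


if __name__ == "__main__":
    # Request addressed to "reports" carrying a form field bucket=uploads.
    mismatched = {"policy": SAMPLE_POLICY, "bucket": "uploads", "key": "a.txt"}
    print("flawed accepts:  ", flawed_check("reports", mismatched))
    print("hardened accepts:", hardened_check("reports", mismatched))
```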

