Name | CVE-2019-10222 |
Description | A flaw was found in the Ceph RGW configuration with Beast as the front end handling client requests. An unauthenticated attacker could crash the Ceph RGW server by sending valid HTTP headers and terminating the connection, resulting in a remote denial of service for Ceph RGW clients. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-3629-1 |
Debian Bugs | 936015 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| ceph (PTS) | jessie, jessie (lts) | 0.80.7-2+deb8u6 | fixed |
| ceph (PTS) | stretch (security) | 10.2.11-2+deb9u1 | fixed |
| ceph (PTS) | stretch (lts), stretch | 10.2.11-2+deb9u2 | fixed |
| ceph (PTS) | buster (security), buster, buster (lts) | 12.2.11+dfsg1-2.1+deb10u1 | fixed |
| ceph (PTS) | bullseye | 14.2.21-1 | fixed |
| ceph (PTS) | bookworm | 16.2.11+ds-2 | fixed |
| ceph (PTS) | trixie | 18.2.4+ds-9 | fixed |
| ceph (PTS) | sid | 18.2.4+ds-10 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ceph | source | wheezy | (unfixed) | end-of-life | | |
| ceph | source | jessie | (not affected) | | | |
| ceph | source | stretch | (not affected) | | | |
| ceph | source | buster | 12.2.11+dfsg1-2.1+deb10u1 | | DLA-3629-1 | |
| ceph | source | (unstable) | 14.2.4-1 | | | 936015 |
Notes
[stretch] - ceph <not-affected> (Vulnerable code not present)
[jessie] - ceph <not-affected> (Vulnerable code not present)
https://www.openwall.com/lists/oss-security/2019/08/28/9
https://github.com/ceph/ceph/pull/29967
https://github.com/ceph/ceph/commit/6171399fdedd928b4249d135b4036e3de25079aa
12.2.x installations are only affected by the vulnerability if experimental
features are enabled.