CVE-2019-10222

NameCVE-2019-10222
DescriptionA flaw was found in the Ceph RGW configuration with Beast as the front end handling client requests. An unauthenticated attacker could crash the Ceph RGW server by sending valid HTTP headers and terminating the connection, resulting in a remote denial of service for Ceph RGW clients.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3629-1
Debian Bugs936015

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ceph (PTS)jessie, jessie (lts)0.80.7-2+deb8u6fixed
stretch (security)10.2.11-2+deb9u1fixed
stretch (lts), stretch10.2.11-2+deb9u2fixed
buster (security), buster, buster (lts)12.2.11+dfsg1-2.1+deb10u1fixed
bullseye14.2.21-1fixed
bookworm16.2.11+ds-2fixed
trixie18.2.4+ds-9fixed
sid18.2.4+ds-10fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cephsourcewheezy(unfixed)end-of-life
cephsourcejessie(not affected)
cephsourcestretch(not affected)
cephsourcebuster12.2.11+dfsg1-2.1+deb10u1DLA-3629-1
cephsource(unstable)14.2.4-1936015

Notes

[stretch] - ceph <not-affected> (Vulnerable code not present)
[jessie] - ceph <not-affected> (Vulnerable code not present)
https://www.openwall.com/lists/oss-security/2019/08/28/9
https://github.com/ceph/ceph/pull/29967
https://github.com/ceph/ceph/commit/6171399fdedd928b4249d135b4036e3de25079aa
12.2.x installations only affected by the vulnerability if experimental
features are enabled.

Search for package or bug name: Reporting problems