CVE-2019-10222

Name: CVE-2019-10222
Description: A flaw was found in the Ceph RGW configuration with Beast as the front end handling client requests. An unauthenticated attacker could crash the Ceph RGW server by sending valid HTTP headers and terminating the connection, resulting in a remote denial of service for Ceph RGW clients.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 936015

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| ceph (PTS) | jessie | 0.80.7-2+deb8u2 | fixed |
| | jessie (security) | 0.80.7-2+deb8u3 | fixed |
| | stretch (security), stretch | 10.2.11-2 | fixed |
| | bullseye, sid, buster | 12.2.11+dfsg1-2.1 | vulnerable |

The information below is based on the following data on fixed versions.

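| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ceph | source | (unstable) | (unfixed) | | | 936015 |
| ceph | source | jessie | (not affected) | | | |
| ceph | source | stretch | (not affected) | | | |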

Notes

[buster] - ceph <no-dsa> (Minor issue; only triggerable if experimental feature enabled)
[stretch] - ceph <not-affected> (Vulnerable code not present)
[jessie] - ceph <not-affected> (Vulnerable code not present)
https://www.openwall.com/lists/oss-security/2019/08/28/9
https://github.com/ceph/ceph/pull/29967
https://github.com/ceph/ceph/commit/6171399fdedd928b4249d135b4036e3de25079aa
12.2.x installations only affected by the vulnerability if experimental
features are enabled.
