[SRU] ceph 16.2.4

Bug #1928645 reported by James Page
Affects (importance, assignee):

Ubuntu Cloud Archive (status tracked in Xena)
   * Wallaby: High, Unassigned
   * Xena: High, Unassigned

ceph (Ubuntu) (status tracked in Impish)
   * Hirsute: High, Unassigned
   * Impish: High, Unassigned

Bug Description

[Impact]
This release fixes several bugs. We would like to make sure all of our users have access to these improvements.

The update contains the following package updates:

   * ceph 16.2.4

[Test Case]
The following SRU process was followed:

https://wiki.ubuntu.com/OpenStackUpdates

In order to avoid regression of existing users, the OpenStack team will run their continuous integration test against the packages that are in -proposed. A successful run of all available tests will be required before the proposed packages can be let into -updates.

The OpenStack team will be in charge of attaching the output summary of the executed tests. The OpenStack team members will not mark ‘verification-done’ until this has happened.

[Regression Potential]
In order to mitigate the regression potential, the results of the
aforementioned tests are attached to this bug.

James Page (james-page)
Changed in ceph (Ubuntu Impish):
importance: Undecided → High
Changed in ceph (Ubuntu Hirsute):
importance: Undecided → High
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ceph - 16.2.4-0ubuntu1

---------------
ceph (16.2.4-0ubuntu1) impish; urgency=medium

  * d/rules,control: Enable new crimson-osd package and provide
    seastar based crimson-osd binary.
  * SECURITY UPDATE: New upstream release (LP: #1928645):
    - CVE-2021-3509: Dashboard XSS via token cookie.
    - CVE-2021-3531: Swift API denial of service.
    - CVE-2021-3531: HTTP header injects via CORS in RGW.
    - d/p/bug1925347.patch: Drop, included in release.

 -- James Page <email address hidden> Tue, 25 May 2021 09:14:52 +0100

Changed in ceph (Ubuntu Impish):
status: New → Fix Released
Brian Murray (brian-murray) wrote : Please test proposed package

Hello James, or anyone else affected,

Accepted ceph into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ceph/16.2.4-0ubuntu0.21.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ceph (Ubuntu Hirsute):
status: New → Fix Committed
tags: added: verification-needed verification-needed-hirsute
Corey Bryant (corey.bryant) wrote :

Hello James, or anyone else affected,

Accepted ceph into wallaby-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:wallaby-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-wallaby-needed to verification-wallaby-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-wallaby-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-wallaby-needed
Changed in cloud-archive:
status: New → Fix Committed
James Page (james-page) wrote :

hirsute/proposed

11:49:44 ======
11:49:44 Totals
11:49:44 ======
11:49:44 Ran: 97 tests in 1086.0442 sec.
11:49:44 - Passed: 89
11:49:44 - Skipped: 8
11:49:44 - Expected Fail: 0
11:49:44 - Unexpected Success: 0
11:49:44 - Failed: 0
11:49:44 Sum of execute time for each test: 877.6001 sec.

tags: added: verification-done verification-done-hirsute
removed: verification-needed verification-needed-hirsute
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ceph - 16.2.4-0ubuntu0.21.04.1

---------------
ceph (16.2.4-0ubuntu0.21.04.1) hirsute; urgency=medium

  [ Chris MacNaughton ]
  * d/ceph-base.install: Remove ceph-deploy man page installation
    (LP: #1892448).

  [ James Page ]
  * SECURITY UPDATE: New upstream release (LP: #1928645):
    - CVE-2021-3509: Dashboard XSS via token cookie.
    - CVE-2021-3531: Swift API denial of service.
    - CVE-2021-3531: HTTP header injects via CORS in RGW.
    - d/p/bug1925347.patch: Drop, included in release.

 -- James Page <email address hidden> Thu, 27 May 2021 06:18:16 +0100

Changed in ceph (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for ceph has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

James Page (james-page) wrote :

focal-wallaby/proposed

12:19:51 ======
12:19:51 Totals
12:19:51 ======
12:19:51 Ran: 97 tests in 1995.5448 sec.
12:19:51 - Passed: 89
12:19:51 - Skipped: 8
12:19:51 - Expected Fail: 0
12:19:51 - Unexpected Success: 0
12:19:51 - Failed: 0
12:19:51 Sum of execute time for each test: 1476.2292 sec.

tags: added: verification-wallaby-done
removed: verification-wallaby-needed
James Page (james-page) wrote :

This bug was fixed in the package ceph - 16.2.4-0ubuntu0.21.04.1~cloud0
---------------

 ceph (16.2.4-0ubuntu0.21.04.1~cloud0) focal-wallaby; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 ceph (16.2.4-0ubuntu0.21.04.1) hirsute; urgency=medium
 .
   [ Chris MacNaughton ]
   * d/ceph-base.install: Remove ceph-deploy man page installation
     (LP: #1892448).
 .
   [ James Page ]
   * SECURITY UPDATE: New upstream release (LP: #1928645):
     - CVE-2021-3509: Dashboard XSS via token cookie.
     - CVE-2021-3531: Swift API denial of service.
     - CVE-2021-3531: HTTP header injects via CORS in RGW.
     - d/p/bug1925347.patch: Drop, included in release.

Changed in cloud-archive:
status: Fix Committed → Fix Released
James Page (james-page) wrote :

This bug was fixed in the package ceph - 16.2.4-0ubuntu2~cloud0
---------------

 ceph (16.2.4-0ubuntu2~cloud0) focal-xena; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 ceph (16.2.4-0ubuntu2) impish; urgency=medium
 .
   * No-change rebuild due to OpenLDAP soname bump.
 .
 ceph (16.2.4-0ubuntu1) impish; urgency=medium
 .
   * d/rules,control: Enable new crimson-osd package and provide
     seastar based crimson-osd binary.
   * SECURITY UPDATE: New upstream release (LP: #1928645):
     - CVE-2021-3509: Dashboard XSS via token cookie.
     - CVE-2021-3531: Swift API denial of service.
     - CVE-2021-3531: HTTP header injects via CORS in RGW.
     - d/p/bug1925347.patch: Drop, included in release.
