CVE-2016-7031

Priority
Medium
Description
The RGW code in Ceph before 10.0.1, when authenticated-read ACL is applied
to a bucket, allows remote attackers to list the bucket contents via a URL.
Notes
 tyhicks> Fix present in 11.0.0, 10.1.0, and 10.0.1
 tyhicks> Rados gateway code in Ubuntu 12.04 is significantly different. At
  this time, I'm not sure if it is affected.
Assigned-to
mdeslaur
Package
Source: ceph (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 17.10 (Artful Aardvark): not-affected (10.2.2-0ubuntu5)
Ubuntu 12.04 ESM (Precise Pangolin): needs-triage
Ubuntu 14.04 LTS (Trusty Tahr): released (0.80.11-0ubuntu1.14.04.3)
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (10.2.2-0ubuntu0.16.04.2)
Ubuntu 17.04 (Zesty Zapus): not-affected (10.2.2-0ubuntu5)
Patches:
Upstream: https://github.com/ceph/ceph/commit/97bf0bcf02917fd772fbef73bb68e155feb84c1b
Upstream: https://github.com/ceph/ceph/commit/9ad73698f57598ae1302aaf175cb96082eb64961
Upstream: https://github.com/ceph/ceph/pull/6057
Upstream: https://github.com/ceph/ceph/pull/11045

Updated: 2017-10-11 14:14:19 UTC (commit 13496)