#1120797 ceph: CVE-2024-47866

Package:
src:ceph
Source:
src:ceph
Submitter:
Moritz Mühlenhoff
Date:
2026-06-08 20:21:02 UTC
Severity:
normal
Tags:
#1120797#5
Date:
2025-11-16 13:18:22 UTC
From:
To:
Hi,

The following vulnerability was published for ceph.

CVE-2024-47866[0]:
| Ceph is a distributed object, block, and file storage platform. In
| versions up to and including 19.2.3, using the argument `x-amz-copy-
| source` to put an object and specifying an empty string as its
| content leads to the RGW daemon crashing, resulting in a DoS attack.
| As of time of publication, no known patched versions exist.

https://www.openwall.com/lists/oss-security/2025/11/11/3
https://github.com/ceph/ceph/security/advisories/GHSA-mgrm-g92q-f8h8
https://tracker.ceph.com/issues/72669
https://github.com/ceph/ceph/pull/65159
https://github.com/ceph/ceph/commit/bef59f17293e6e93af025eba1e00646d0b1a2bf0


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47866
https://www.cve.org/CVERecord?id=CVE-2024-47866

Please adjust the affected versions in the BTS as needed.
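
Added example, not code from Ceph or from the Debian packaging: a Python model of the check the Debian changelogs for this bug describe as "Check if HTTP_X_AMZ_COPY_SOURCE header is empty". The first handler treats any present x-amz-copy-source header as a copy request and hands it to a parser that assumes a non-empty string, so an empty header escapes as an unhandled exception (the analogue, in the C++ daemon, of the crash the CVE text describes; Ceph's real request path is not reproduced here). The second handler rejects a present-but-empty header before the parser sees it. The CGI-style dict used for the request, the S3Error class, the parse_copy_source helper and the choice of 400 InvalidArgument as the rejection are all assumptions of this example; the page does not state which error the fixed RGW returns.

```python
"""Model of the empty x-amz-copy-source check (added example, not Ceph code).

Requests are represented as a dict of CGI-style variables, which is how
the Debian changelog names the header (HTTP_X_AMZ_COPY_SOURCE). That
shape, S3Error and the 400 InvalidArgument response are assumptions.
"""
from urllib.parse import parse_qs, unquote


class S3Error(Exception):
    """An error that the server would turn into an S3 XML error response."""

    def __init__(self, status: int, code: str) -> None:
        self.status = status
        self.code = code
        super().__init__(f"{status} {code}")


def parse_copy_source(value: str):
    """Parse '[/]bucket/key[?versionId=...]' as S3 defines x-amz-copy-source.

    Hypothetical helper. It assumes a non-empty value: the leading-slash
    test indexes the first character without checking the length, which
    is the kind of assumption the guard in handle_put_object protects.
    """
    if value[0] == "/":
        value = value[1:]
    path, _, query = value.partition("?")
    bucket, sep, key = path.partition("/")
    if not bucket or not sep or not key:
        raise S3Error(400, "InvalidArgument")
    version_id = parse_qs(query).get("versionId", [None])[0]
    # The raw header is URL-encoded; decode the key after splitting.
    return bucket, unquote(key), version_id


def handle_put_object_unchecked(env: dict, bucket: str, key: str):
    """Models the pre-fix behaviour: a present header, even an empty one,
    is routed to copy-object and passed straight to the parser."""
    copy_source = env.get("HTTP_X_AMZ_COPY_SOURCE")
    if copy_source is None:
        return ("put", bucket, key)
    return ("copy", bucket, key) + parse_copy_source(copy_source)


def handle_put_object(env: dict, bucket: str, key: str):
    """Models the fixed behaviour: reject an empty header up front."""
    copy_source = env.get("HTTP_X_AMZ_COPY_SOURCE")
    if copy_source is None:
        return ("put", bucket, key)
    # The check the changelog names. HTTP field values have their
    # surrounding whitespace trimmed, so a whitespace-only value counts
    # as empty too. Returning 400 here is this example's choice.
    if copy_source.strip() == "":
        raise S3Error(400, "InvalidArgument")
    return ("copy", bucket, key) + parse_copy_source(copy_source)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = {
        "plain put": {},
        "copy": {"HTTP_X_AMZ_COPY_SOURCE": "/src/dir%2Fobj?versionId=abc"},
        "empty": {"HTTP_X_AMZ_COPY_SOURCE": ""},
    }
    for name, env in samples.items():
        for handler in (handle_put_object_unchecked, handle_put_object):
            try:
                print(name, handler.__name__, handler(env, "b", "k"))
            except S3Error as err:
                print(name, handler.__name__, "rejected:", err)
            except IndexError as err:
                print(name, handler.__name__, "UNHANDLED:", repr(err))
```

Running the module shows the unchecked handler letting an IndexError escape on the empty header while the checked one answers with a 400; every other request behaves identically in both.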

#1120797#20
Date:
2026-01-05 19:43:19 UTC
From:
To:
Dear maintainer,

I've prepared an NMU for ceph (versioned as 18.2.7+ds-1.1) and uploaded
it to DELAYED/2. Please feel free to tell me if I should cancel it.

cu
Adrian

#1120797#25
Date:
2026-01-07 08:53:55 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
ceph, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1120797@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated ceph package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 05 Jan 2026 20:03:35 +0200
Source: ceph
Architecture: source
Version: 18.2.7+ds-1.1
Distribution: unstable
Urgency: medium
Maintainer: Ceph Packaging Team <team+ceph@tracker.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1096424 1120797
Changes:
 ceph (18.2.7+ds-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Backport upstream fix for FTBFS with GCC 15. (Closes: #1096424)
   * CVE-2024-47866: RGW DoS attack with empty HTTP header in S3
     object copy. (Closes: #1120797)
Checksums-Sha1:
 3bcdeb90ae32b948bd06e69ca7eb0ec0cb848f0d 8693 ceph_18.2.7+ds-1.1.dsc
 864b2270165d4de4b67ecb613ff53a003ae00ccd 141712 ceph_18.2.7+ds-1.1.debian.tar.xz
Checksums-Sha256:
 b752114a4c7d94ab82a99672239645bb43ac951d72bc1efa94714016514eab68 8693 ceph_18.2.7+ds-1.1.dsc
 21d535b78fbb6b5aa912e63ef216db3b3074206b6f3fbb114be95852dc28a6ac 141712 ceph_18.2.7+ds-1.1.debian.tar.xz
Files:
 4bbf6ba010dc4d6d17537e72f67a9a23 8693 admin optional ceph_18.2.7+ds-1.1.dsc
 fe22e51cf233c4bb4dc93015c6a82ee5 141712 admin optional ceph_18.2.7+ds-1.1.debian.tar.xz

#1120797#30
Date:
2026-06-08 19:47:39 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
ceph, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1120797@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ceph package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 16 May 2026 14:52:24 +0200
Source: ceph
Architecture: source
Version: 16.2.15+ds-0+deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: Ceph Packaging Team <team+ceph@tracker.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1108410 1120797 1126573
Changes:
 ceph (16.2.15+ds-0+deb12u2) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * mgr/alerts: enforce ssl context to SMTP_SSL (CVE-2024-31884)
     (Closes: #1126573)
   * Check if `HTTP_X_AMZ_COPY_SOURCE` header is empty (CVE-2024-47866)
     (Closes: #1120797)
   * client: disallow unprivileged users to escalate root privileges
     (CVE-2025-52555) (Closes: #1108410)
   * client: prohibit unprivileged users from setting sgid/suid bits
Checksums-Sha1:
 fd4bb40347a386f856859029fe32d4af1bfc21c5 8303 ceph_16.2.15+ds-0+deb12u2.dsc
 64dcd07cfa5a90f442fecbaf00f0d80b1e5fb128 122268 ceph_16.2.15+ds-0+deb12u2.debian.tar.xz
 d88337c5765145b9f063e563802b64261517c8cb 7447 ceph_16.2.15+ds-0+deb12u2_source.buildinfo
Checksums-Sha256:
 665b3d321903f15aaacfd628f4532a2c0a8cd3632edfb248c43c4b9c7f084fb6 8303 ceph_16.2.15+ds-0+deb12u2.dsc
 f7bfc23cb70b8567b1b21bcedbcfb963029b13ccd3a598dd967db0d4774da3aa 122268 ceph_16.2.15+ds-0+deb12u2.debian.tar.xz
 ce51201e620bda42ad90c84a6e1e7d9c045eba3decd19bb59f7434e98179ca56 7447 ceph_16.2.15+ds-0+deb12u2_source.buildinfo
Files:
 b36ef720fa43aa291df017055749a482 8303 admin optional ceph_16.2.15+ds-0+deb12u2.dsc
 664c96964795d2a44890db041d167214 122268 admin optional ceph_16.2.15+ds-0+deb12u2.debian.tar.xz
 19e95a9582572847a02fc20e988c6bf9 7447 admin optional ceph_16.2.15+ds-0+deb12u2_source.buildinfo

#1120797#35
Date:
2026-06-08 20:20:15 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
ceph, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1120797@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ceph package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 10 May 2026 21:17:37 +0200
Source: ceph
Architecture: source
Version: 18.2.7+ds-1+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Ceph Packaging Team <team+ceph@tracker.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1120797 1126573
Changes:
 ceph (18.2.7+ds-1+deb13u1) trixie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * mgr/alerts: enforce ssl context to SMTP_SSL (CVE-2024-31884)
     (Closes: #1126573)
   * Check if `HTTP_X_AMZ_COPY_SOURCE` header is empty (CVE-2024-47866)
     (Closes: #1120797)
Checksums-Sha1:
 50da72bc51258f76a8a47ee834a203364ba38677 8870 ceph_18.2.7+ds-1+deb13u1.dsc
 452fe1267ab61f81bf3d4111767964dd8a44a57a 148306992 ceph_18.2.7+ds.orig.tar.xz
 479a26deb7955855b0c412a4b70d3a3c5424ded5 141944 ceph_18.2.7+ds-1+deb13u1.debian.tar.xz
 d11130885dfc400cdb3ddd31eeb04982a3876795 8045 ceph_18.2.7+ds-1+deb13u1_source.buildinfo
Checksums-Sha256:
 97a25e3d292c8004e5b7e98307d3f178583f61e5840354638b420a12114b5e8d 8870 ceph_18.2.7+ds-1+deb13u1.dsc
 71c0795fa0d6312ec7b57dee4031559b7e62e086a78e6ae1ad8549e0b351e28f 148306992 ceph_18.2.7+ds.orig.tar.xz
 968e551356cb2ee212da405409b32f61545d9e43306fca5a0a1e5d2988c2844f 141944 ceph_18.2.7+ds-1+deb13u1.debian.tar.xz
 7a9beb522c890179dfb98400372478cbcb785ac74558267fe56a8e024d10c5d1 8045 ceph_18.2.7+ds-1+deb13u1_source.buildinfo
Files:
 ee9a9467628342aa95f5890ef466078b 8870 admin optional ceph_18.2.7+ds-1+deb13u1.dsc
 2788cb630bf061763d893e4fea8c23a0 148306992 admin optional ceph_18.2.7+ds.orig.tar.xz
 f4e74b2970c6bcf95bff30edbf5ca06d 141944 admin optional ceph_18.2.7+ds-1+deb13u1.debian.tar.xz
 2123d25828edb4450022730feae7b509 8045 admin optional ceph_18.2.7+ds-1+deb13u1_source.buildinfo