ceph (14.2.21-1+deb11u1) bullseye-security; urgency=medium
authorBastien Roucariès <rouca@debian.org>
Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)
committerBastien Roucariès <rouca@debian.org>
Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)
commit336c6a814a45a7cd511834d967036766668b42c2
tree142d14a4f1327eb032aca0246f6ba6d73973427b
parent5d6e8f9554f2e2f7226be66a1ad21553c5fb2027
parente1d7b6da1814e81770a01b0fa7065e0d734996ee
ceph (14.2.21-1+deb11u1) bullseye-security; urgency=medium

  [ Thomas Goirand ]

  * CVE-2022-3650: privilege escalation from the ceph user to root. Applied
    upstream patches (Closes: #1024932).

  [ Bastien Roucariès ]
  * CVE-2021-3979:
    A key length flaw was found. An attacker can exploit the
    fact that the key length is incorrectly passed in an
    encryption algorithm to create a non random key,
    which is weaker and can be exploited for loss of
    confidentiality and integrity on encrypted disks.
  * CVE-2023-43040 rgw: Fix bucket validation against POST policies
    (Closes: #1053690)
  * CVE-2025-52555: an unprivileged user can escalate to root
    privileges on a ceph-fuse mounted CephFS by running chmod 777
    on a directory owned by root and thereby gaining access to it.
    As a result, a user can read, write and execute in any
    root-owned directory once they have chmod 777'd it. This
    impacts confidentiality, integrity, and availability.
    (Closes: #1108410)

[dgit import unpatched ceph 14.2.21-1+deb11u1]
106 files changed:
debian/.gitlab-ci.yml
debian/README.Debian
debian/calc-max-parallel.sh
debian/ceph-base.ceph.init
debian/ceph-base.dirs
debian/ceph-base.docs
debian/ceph-base.install
debian/ceph-base.postinst
debian/ceph-base.postrm
debian/ceph-common.install
debian/ceph-common.lintian-overrides
debian/ceph-common.manpages
debian/ceph-common.postinst
debian/ceph-common.postrm
debian/ceph-common.preinst
debian/ceph-common.rbdmap.init
debian/ceph-fs-common.install
debian/ceph-fuse.lintian-overrides
debian/ceph-fuse.manpages
debian/ceph-mds.lintian-overrides
debian/ceph-mds.postinst
debian/ceph-mgr-k8sevents.install
debian/ceph-mgr-k8sevents.postinst
debian/ceph-mgr.install
debian/ceph-mon.postinst
debian/ceph-osd.install
debian/ceph.NEWS
debian/ceph.lintian-overrides
debian/changelog
debian/clean
debian/compat
debian/control
debian/copyright
debian/gbp.conf
debian/lib-systemd/system-sleep/ceph
debian/lib-systemd/system/ceph-create-keys.service
debian/lib-systemd/system/ceph-mds.service
debian/lib-systemd/system/ceph-mon.service
debian/lib-systemd/system/ceph-osd@.service
debian/libcephfs-dev.install
debian/libcephfs-jni.install
debian/libcephfs-jni.lintian-overrides
debian/libcephfs2.install
debian/libcephfs2.lintian-overrides
debian/libcephfs2.symbols
debian/librados-dev.install
debian/librados2.install
debian/librados2.lintian-overrides
debian/librados2.symbols
debian/libradosstriper-dev.install
debian/libradosstriper1.install
debian/libradosstriper1.symbols
debian/librbd-dev.install
debian/librbd1.install
debian/librbd1.symbols
debian/librgw-dev.install
debian/librgw2.install
debian/man/ceph-crush-location.1
debian/man/mount.fuse.ceph.8
debian/missing-sources/bootstrap.js
debian/missing-sources/two.js
debian/patches/32bit-avoid-overloading.patch
debian/patches/32bit-avoid-size_t.patch
debian/patches/CVE-2021-3979.patch
debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch
debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch
debian/patches/CVE-2023-43040.patch
debian/patches/CVE-2025-52555-1.patch
debian/patches/CVE-2025-52555-2.patch
debian/patches/add-option-to-disable-ceph-dencoder.patch
debian/patches/allow-bgp-to-host.patch
debian/patches/another-cmakelists-fix.patch
debian/patches/bluefs-use-uint64_t-for-len.patch
debian/patches/civetweb-755-1.8-somaxconn-configurable.patch
debian/patches/civetweb-755-1.8-somaxconn-configurable_conf.patch
debian/patches/civetweb-755-1.8-somaxconn-configurable_test.patch
debian/patches/cmake_add_1.74_to_known_versions.patch
debian/patches/cmake_define_BOOST_ASIO_USE_TS_EXECUTOR_AS_DEFAULT_for_Boost.Asio_users.patch
debian/patches/debian-armel-armhf-buildflags.patch
debian/patches/disable-crypto.patch
debian/patches/fix-bash-completion-location
debian/patches/fix-ceph-osd-systemd-target.patch
debian/patches/make-ceph-python-3.9-aware.patch
debian/patches/mds-purgequeue-use_uint64_t.patch
debian/patches/riscv64-link-pthread.patch
debian/patches/series
debian/patches/update-java-source-target-flags.patch
debian/python3-ceph.lintian-overrides
debian/radosgw.install
debian/radosgw.lintian-overrides
debian/radosgw.postinst
debian/radosgw.prerm
debian/rest-bench.install
debian/rules
debian/source.lintian-overrides
debian/source/format
debian/source/lintian-overrides
debian/source/options
debian/tests/build-rados
debian/tests/build-rbd
debian/tests/ceph-client
debian/tests/control
debian/tests/python-ceph
debian/udev/95-ceph-osd-lvm.rules
debian/watch
debian/workarounds/ceph-dencoder-oom