From 19fcec84d8d7d21e796c7624e521b60d28ee21ed Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 20:45:59 +0200 Subject: Adding upstream version 16.2.11+ds. Signed-off-by: Daniel Baumann --- doc/security/CVE-2021-3524.rst | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 doc/security/CVE-2021-3524.rst (limited to 'doc/security/CVE-2021-3524.rst') diff --git a/doc/security/CVE-2021-3524.rst b/doc/security/CVE-2021-3524.rst new file mode 100644 index 000000000..4d627c071 --- /dev/null +++ b/doc/security/CVE-2021-3524.rst @@ -0,0 +1,30 @@ +.. _CVE-2021-3524: + +CVE-2021-3524: HTTP header injects via CORS in RGW +================================================== + +* `NIST information page `_ + +A flaw was found in the radosgw. The vulnerability is related to the +injection of HTTP headers via a CORS ExposeHeader tag. The \r +character in the ExposeHeader tag in the CORS configuration file +generates a header injection in the response when the CORS request is +made. + +Fixed versions +-------------- + +* Pacific v16.2.4 (and later) +* Octopus v15.2.12 (and later) +* Nautilus v14.2.21 (and later) + +Recommendations +--------------- + +All users of Ceph object storage (RGW) should upgrade. + +Acknowledgements +---------------- + +Red Hat would like to thank Sergey Bobrov (Kaspersky) for reporting this issue. + -- cgit v1.2.3
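Review bot: The "NIST information page" bullet in the new CVE-2021-3524.rst is an RST external link with no target: `* `NIST information page `_` has nothing between the link text and the closing backtick, so Sphinx will emit a warning and render it as an unresolved reference rather than a link; add the URL inside angle brackets after the text. Two wording points in the same hunk: the title reads "HTTP header injects via CORS in RGW" where "HTTP header injection via CORS in RGW" is meant, and the description says the CR is placed "in the CORS configuration file" although the text otherwise describes a CORS ExposeHeader tag supplied in the CORS configuration, so "file" should be dropped to avoid implying an on-disk config. The description would also be more useful to operators if it named the response header into which the ExposeHeader value is copied, since that is what a reader checking their own deployment would grep for.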