SUSE-SU-2015:1102-1: moderate: Security update for SES 1.0

Tue Jun 23 07:59:49 MDT 2015

   SUSE Security Update: Security update for SES 1.0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1102-1
Rating:             moderate
References:         #889053 #903007 #907510 #915567 #915783 #919091 
                    #919313 #919965 #920926 #924269 #924894 #927862 
                    #929553 #929886 #929914 
Cross-References:   CVE-2014-3589 CVE-2014-3598 CVE-2015-3010

Affected Products:
                    SUSE Enterprise Storage 1.0
______________________________________________________________________________

   An update that solves three vulnerabilities and has 12
   fixes is now available.

Description:

   This collective update for SUSE Enterprise Storage 1.0 provides fixes and
   enhancements.

   ceph (update to version 0.80.9):

   - Support non-ASCII characters. (bnc#907510)
   - Fixes issue with more than one OSD / MON on same node. (bnc#927862)
   - Reinstates Environment=CLUSTER=ceph lines removed by last patch.
     (bnc#915567)
   - Use same systemd service files for all cluster names. (bnc#915567)
   - In OSDMonitor fallback to json-pretty in case of invalid formatter.
     (bnc#919313)
   - Increase max files to 131072 for ceph-osd daemon. (bnc#924894)
   - Fix "OSDs shutdown during rados benchmark tests". (bnc#924269)
   - Add SuSEfirewall2 service files for Ceph MON, OSD and MDS. (bnc#919091)
   - Added support for multiple cluster names with systemd to ceph-disk.
     (bnc#915567)
   - Move udev rules for rbd devices to the client package ceph-common.
   - Several issues reported upstream have been fixed: #9973 #9918 #9907
     #9877 #9854 #9587 #9479 #9478 #9254 #5595 #10978 #10965 #10907 #10553
     #10471 #10421 #10307 #10299 #10271 #10271 #10270 #10262 #10103 #10095.

   ceph-deploy:

   - Drop support for multiple customer names on the same hardware.
     (bsc#915567)
   - Check for errors when generating rgw keys. (bsc#915783)
   - Do not import new repository keys automatically when installing packages
     with Zypper. (bsc#919965)
   - Improved detection of disk vs. OSD block devices with a simple set of
     tests. (bsc#889053)
   - Do not create keyring files as world-readable. (bsc#920926,
     CVE-2015-3010)
   - Added support for multiple cluster names with systemd to ceph-disk.
     (bnc#915567)

   calamari-clients:

   - Reduce krakenFailThreshold to 5 minutes. (bsc#903007)

   python-Pillow (update to version 2.7.0):

   - Fix issues in Jpeg2KImagePlugin and IcnsImagePlugin which could have
     allowed denial of service attacks. (CVE-2014-3598, CVE-2014-3589)

   python-djangorestframework:

   - Escape URLs when replacing format= query parameter, as used in dropdown
     on GET button in browsable API to allow explicit selection of JSON vs
      HTML output. (bsc#929914)
   - Escape request path when it is include as part of the login and logout
     links in the browsable API. (bsc#929886)

   For a comprehensive list of changes please refer to each package's change
   log.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Enterprise Storage 1.0:

      zypper in -t patch SUSE-Storage-1.0-2015-250=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Enterprise Storage 1.0 (x86_64):

      ceph-0.80.9-5.1
      ceph-common-0.80.9-5.1
      ceph-common-debuginfo-0.80.9-5.1
      ceph-debuginfo-0.80.9-5.1
      ceph-debugsource-0.80.9-5.1
      ceph-fuse-0.80.9-5.1
      ceph-fuse-debuginfo-0.80.9-5.1
      ceph-radosgw-0.80.9-5.1
      ceph-radosgw-debuginfo-0.80.9-5.1
      ceph-test-0.80.9-5.1
      ceph-test-debuginfo-0.80.9-5.1
      libcephfs1-0.80.9-5.1
      libcephfs1-debuginfo-0.80.9-5.1
      librados2-0.80.9-5.1
      librados2-debuginfo-0.80.9-5.1
      librbd1-0.80.9-5.1
      librbd1-debuginfo-0.80.9-5.1
      python-Pillow-2.7.0-4.1
      python-Pillow-debuginfo-2.7.0-4.1
      python-Pillow-debugsource-2.7.0-4.1
      python-ceph-0.80.9-5.1
      rbd-fuse-0.80.9-5.1
      rbd-fuse-debuginfo-0.80.9-5.1

   - SUSE Enterprise Storage 1.0 (noarch):

      calamari-clients-1.2.2+git.1428648634.40dfe5b-3.1
      ceph-deploy-1.5.19+git.1431355031.6178cf3-9.1
      python-djangorestframework-2.3.12-4.2

References:

   https://www.suse.com/security/cve/CVE-2014-3589.html
   https://www.suse.com/security/cve/CVE-2014-3598.html
   https://www.suse.com/security/cve/CVE-2015-3010.html
   https://bugzilla.suse.com/889053
   https://bugzilla.suse.com/903007
   https://bugzilla.suse.com/907510
   https://bugzilla.suse.com/915567
   https://bugzilla.suse.com/915783
   https://bugzilla.suse.com/919091
   https://bugzilla.suse.com/919313
   https://bugzilla.suse.com/919965
   https://bugzilla.suse.com/920926
   https://bugzilla.suse.com/924269
   https://bugzilla.suse.com/924894
   https://bugzilla.suse.com/927862
   https://bugzilla.suse.com/929553
   https://bugzilla.suse.com/929886
   https://bugzilla.suse.com/929914