SUSE-SU-2016:0806-1: moderate: Security update for ceph

Thu Mar 17 12:12:21 MDT 2016

   SUSE Security Update: Security update for ceph
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:0806-1
Rating:             moderate
References:         #926756 #931451 #941628 #945206 #964907 #965619 

Cross-References:   CVE-2015-5245
Affected Products:
                    SUSE Enterprise Storage 1.0
______________________________________________________________________________

   An update that solves one vulnerability and has 5 fixes is
   now available.

Description:

   This update provides Ceph 0.8.11, which fixes the following security issue:

   - CVE-2015-5245: A CRLF injection vulnerability in the Ceph Object Gateway
     (aka radosgw
     or RGW) could allow remote attackers to inject arbitrary HTTP headers
      and conduct HTTP response splitting attacks via a crafted bucket name.
      (bsc#945206)

   The following non-security issues have been fixed:

   - Move ceph-rbdnamer binary from package "ceph" to "ceph-common".
     (bsc#965619)
   - Install /usr/bin/radosgw with mode 0750 and owner root:www. (bsc#964907)
   - Loop over all ceph-related systemd units on rpm removal. (bsc#941628)
   - Perform ceph-disk activate in separate systemd services, rather than in
     udev directly. (bsc#926756)
   - Add hyphen to systemctl reload in logrotate.conf to avoid matching
     ceph.target. (bsc#931451)

   Ceph 0.8.11 also brings a significant number of bug fixes and
   enhancements. For a comprehensive list please refer to the package's
   change log.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Enterprise Storage 1.0:

      zypper in -t patch SUSE-Storage-1.0-2016-473=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Enterprise Storage 1.0 (x86_64):

      ceph-0.80.11-8.1
      ceph-common-0.80.11-8.1
      ceph-common-debuginfo-0.80.11-8.1
      ceph-debuginfo-0.80.11-8.1
      ceph-debugsource-0.80.11-8.1
      ceph-fuse-0.80.11-8.1
      ceph-fuse-debuginfo-0.80.11-8.1
      ceph-radosgw-0.80.11-8.1
      ceph-radosgw-debuginfo-0.80.11-8.1
      ceph-test-0.80.11-8.1
      ceph-test-debuginfo-0.80.11-8.1
      libcephfs1-0.80.11-8.1
      libcephfs1-debuginfo-0.80.11-8.1
      librados2-0.80.11-8.1
      librados2-debuginfo-0.80.11-8.1
      librbd1-0.80.11-8.1
      librbd1-debuginfo-0.80.11-8.1
      python-ceph-0.80.11-8.1
      rbd-fuse-0.80.11-8.1
      rbd-fuse-debuginfo-0.80.11-8.1

References:

   https://www.suse.com/security/cve/CVE-2015-5245.html
   https://bugzilla.suse.com/926756
   https://bugzilla.suse.com/931451
   https://bugzilla.suse.com/941628
   https://bugzilla.suse.com/945206
   https://bugzilla.suse.com/964907
   https://bugzilla.suse.com/965619