SUSE-SU-2018:1576-1: important: Security update for ceph

Thu Jun 7 10:20:01 MDT 2018

   SUSE Security Update: Security update for ceph
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:1576-1
Rating:             important
References:         #1070357 #1071386 #1074301 #1079076 #1080788 
                    #1081379 #1081600 #1086340 #1087269 #1087493 

Cross-References:   CVE-2018-7262
Affected Products:
                    SUSE Enterprise Storage 5
______________________________________________________________________________

   An update that solves one vulnerability and has 9 fixes is
   now available.

Description:

   This update for ceph to 12.2.5-407-g5e7ea8cf03 fixes the following issues:

   Security issue fixed:

   - CVE-2018-7262: The rgw_civetweb.cc RGWCivetWeb::init_env function in
     radosgw doesn't handle malformed HTTP headers properly, allowing for
     denial of service. rgw: make init env methods return an error
     (bsc#1081379)

   Other issues fixed:

   - osd: do not crash on empty snapset (bsc#1074301)
   - mon: add 'ceph osd pool get erasure allow_ec_overwrites' command
     (bsc#1087269)
   - journal: limit number of appends sent in one librados op (bsc#1086340)
   - RGW user stats fixes (bsc#1087493)
   - rgw openssl fixes (bsc#1079076, bsc#1081379)
   - rocksdb: fixes early metadata spill over to slow device in bluefs
     (bsc#1071386)
   - mon: reenable timer to send digest when paxos is temporarily inactive
     (bsc#1070357)
   - fsid mismatch when creating additional OSDs (bsc#1080788)
   - crash in civetweb/RGW (bsc#1081600)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2018-1092=1

Package List:

   - SUSE Enterprise Storage 5 (aarch64 x86_64):

      ceph-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      ceph-base-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      ceph-base-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      ceph-common-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      ceph-common-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      ceph-debugsource-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      ceph-fuse-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      ceph-fuse-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      ceph-mds-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      ceph-mds-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      ceph-mgr-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      ceph-mgr-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      ceph-mon-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      ceph-mon-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      ceph-osd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      ceph-osd-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      ceph-radosgw-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      ceph-radosgw-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      libcephfs2-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      libcephfs2-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      librados2-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      librados2-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      libradosstriper1-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      libradosstriper1-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      librbd1-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      librbd1-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      librgw2-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      librgw2-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      python-ceph-compat-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      python-cephfs-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      python-cephfs-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      python-rados-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      python-rados-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      python-rbd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      python-rbd-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      python-rgw-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      python-rgw-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      python3-ceph-argparse-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      python3-cephfs-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      python3-cephfs-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      python3-rados-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      python3-rados-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      python3-rbd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      python3-rbd-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      python3-rgw-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      python3-rgw-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      rbd-fuse-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      rbd-fuse-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      rbd-mirror-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      rbd-mirror-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      rbd-nbd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
      rbd-nbd-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3

References:

   https://www.suse.com/security/cve/CVE-2018-7262.html
   https://bugzilla.suse.com/1070357
   https://bugzilla.suse.com/1071386
   https://bugzilla.suse.com/1074301
   https://bugzilla.suse.com/1079076
   https://bugzilla.suse.com/1080788
   https://bugzilla.suse.com/1081379
   https://bugzilla.suse.com/1081600
   https://bugzilla.suse.com/1086340
   https://bugzilla.suse.com/1087269
   https://bugzilla.suse.com/1087493