SUSE-CU-2020:34-1: Security update of ses/6/ceph/ceph

From: sle-security-updates at lists.suse.com
Date: Sat Feb 1 01:37:26 MST 2020


SUSE Container Update Advisory: ses/6/ceph/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:34-1
Container Tags        : ses/6/ceph/ceph:14.2.5.380 , ses/6/ceph/ceph:14.2.5.380.1.5.100 , ses/6/ceph/ceph:latest
Container Release     : 1.5.100
Severity              : important
Type                  : security
References            : 1007715 1027282 1029377 1029902 1040164 1042670 1070853 1079761
                        1081750 1083507 1084934 1086001 1088004 1088009 1088573 1093414
                        1094814 1107030 1109663 1109847 1114592 1120644 1122191 1123919
                        1124556 1129346 1130840 1131817 1132337 1133452 1134365 1135254
                        1137131 1137132 1137227 1137942 1138459 1140504 1140601 1140879
                        1141203 1141322 1141853 1141897 1142152 1142649 1142654 1145231
                        1145554 1145571 1145756 1146415 1146475 1148360 1148498 1148517
                        1148987 1149121 1149145 1149203 1149511 1149792 1149955 1150734
                        1151490 1152755 1153238 1153351 1153876 1154230 1154295 1154871
                        1154884 1154887 1155045 1155199 1155338 1155339 1155346 1155407
                        1155463 1155655 1155668 1155950 1156571 1157198 1157278 1157438
                        1157611 1157775 1157891 1158095 1158101 1158120 1158527
                        1158809 1158923 1158925 1158926 1158927 1158929 1158930 1158931
                        1158932 1158933 1159035 1159622 1159819 1159989 1160920 637176
                        658604 673071 709442 743787 747125 751718 754447 754677 787526
                        809831 831629 834601 871152 885662 885882 917607 942751 951166
                        983582 984751 985177 985348 989523 CVE-2011-3389 CVE-2011-4944
                        CVE-2012-0845 CVE-2012-1150 CVE-2013-1752 CVE-2013-4238 CVE-2014-2667
                        CVE-2014-4650 CVE-2016-0772 CVE-2016-1000110 CVE-2016-5636 CVE-2016-5699
                        CVE-2017-18207 CVE-2018-1000802 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647
                        CVE-2018-18508 CVE-2018-20406 CVE-2018-20852 CVE-2019-10160 CVE-2019-11745
                        CVE-2019-12290 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14889
                        CVE-2019-1551 CVE-2019-15847 CVE-2019-15903 CVE-2019-16056
                        CVE-2019-16935 CVE-2019-17006 CVE-2019-18224 CVE-2019-3688 CVE-2019-3690
                        CVE-2019-5010 CVE-2019-9636 CVE-2019-9947 SLE-6533 SLE-6536 SLE-8532
                        SLE-8789 SLE-9171 
-----------------------------------------------------------------

The container ses/6/ceph/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3010-1
Released:    Tue Nov 19 18:10:58 2019
Summary:     Recommended update for zypper and libsolv
Type:        recommended
Severity:    moderate
References:  1145554,1146415,1149511,1153351,SLE-9171
Description:

This update for zypper and libsolv fixes the following issues:

Package: zypper

- Improved the documentation of the $releasever variable and the --releasever option use cases (bsc#1149511)
- zypper will now ask only once when multiple packages share the same license text (bsc#1145554)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus
  mode when resolving jobs (bsc#1146415)
- Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351)
- Added a new --repo option to the 'download' command to allow specifying a repository (jsc#SLE-9171)

Package: libsolv

- Fixes issues when updating too many packages in focusbest mode
- Fixes the handling of disabled and installed packages in distupgrade

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3040-1
Released:    Fri Nov 22 11:59:52 2019
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1145231
Description:

This update for lvm2 fixes the following issues:

- Fixed detection by LVM2 of MD devices with metadata version 1.0/0.9 (bsc#1145231)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released:    Mon Nov 25 17:33:07 2019
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1155199,CVE-2019-14866
Description:

This update for cpio fixes the following issues:

- CVE-2019-14866: Fixed an improper validation of the values written 
  in the header of a TAR file through the to_oct() function which could 
  have led to unexpected TAR generation (bsc#1155199).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released:    Mon Nov 25 17:34:22 2019
Summary:     Security update for gcc9
Type:        security
Severity:    moderate
References:  1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536
Description:

This update includes the GNU Compiler Collection 9.

A full changelog is provided by the GCC team on:

   https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are
now built by the gcc 9 packages.

To use it, install 'gcc9', 'gcc9-c++' or one of the other gcc9 compiler packages and
set CC=gcc-9 / CXX=g++-9 when configuring your build.

Security issues fixed:

- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end that optimized multiple calls of the __builtin_darn intrinsic into a single call, reducing the entropy of the random numbers it produces. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:

- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released:    Tue Nov 26 12:39:29 2019
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    low
References:  1152755
Description:

This update for gpg2 provides the following fix:

- Removed a build requirement of gpg2 on itself, which caused the Leap 15.2 bootstrap to fail. (bsc#1152755)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3086-1
Released:    Thu Nov 28 10:02:24 2019
Summary:     Security update for libidn2
Type:        security
Severity:    moderate
References:  1154884,1154887,CVE-2019-12290,CVE-2019-18224
Description:

This update for libidn2 to version 2.2.0 fixes the following issues:

- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).
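
The round-trip check named in the CVE-2019-12290 entry, as an added example (this is illustration code written for this page, not libidn2's implementation; it uses only the Python standard library, and the two input labels are constructed for the example):

```python
"""Round-trip check for IDNA A-labels (added example, not libidn2 code).

An A-label such as xn--bcher-kva is only valid if decoding it to a U-label and
re-encoding that U-label with ToASCII produces the same A-label again.  An
A-label that fails this check is non-canonical; a converter must reject it
instead of returning a U-label whose canonical encoding is something else.
Only the Python standard library is used (encodings.idna, the punycode codec).
"""
import encodings.idna as idna


def a_to_u_label(label: str) -> str:
    """Convert one A-label to a U-label, enforcing the round-trip check.

    Plain ASCII labels pass through unchanged.  Raises ValueError when the
    A-label does not round-trip (UnicodeError, a ValueError subclass, when
    nameprep rejects the decoded label).
    """
    if not label.lower().startswith("xn--"):
        return label
    ulabel = label[4:].encode("ascii").decode("punycode")
    # ToASCII applies nameprep (case folding, NFKC, prohibited code points)
    # and re-encodes; the result must match the input modulo ASCII case.
    reencoded = idna.ToASCII(ulabel).decode("ascii")
    if reencoded.lower() != label.lower():
        raise ValueError(
            f"A-label {label!r} does not round-trip; canonical form is {reencoded!r}")
    return ulabel


def a_to_u_domain(name: str) -> str:
    """Apply the per-label conversion to every label of a dotted name."""
    return ".".join(a_to_u_label(label) for label in name.split("."))


def round_trips(label: str) -> bool:
    """True when the label is plain ASCII or a canonical A-label."""
    try:
        a_to_u_label(label)
    except ValueError:
        return False
    return True


# Constructed inputs for the example.  CANONICAL is the well-known A-label for
# "bücher".  NON_CANONICAL punycode-encodes the ligature string "ﬁsh" directly;
# nameprep maps U+FB01 to "fi", so ToASCII of the decoded label yields plain
# "fish", which is not the input A-label, and the conversion must be refused.
CANONICAL = "xn--bcher-kva"
NON_CANONICAL = "xn--" + "\ufb01sh".encode("punycode").decode("ascii")

if __name__ == "__main__":
    print(a_to_u_domain(CANONICAL + ".example"))              # bücher.example
    print(round_trips(CANONICAL), round_trips(NON_CANONICAL))  # True False
```

The point of the check is that decoding alone always succeeds for well-formed punycode; only the re-encode step reveals that an A-label was built from a string nameprep would have changed, and such labels are exactly the ones a caller must not accept as equivalent to their decoded form.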

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3087-1
Released:    Thu Nov 28 10:03:00 2019
Summary:     Security update for libxml2
Type:        security
Severity:    low
References:  1123919
Description:

This update for libxml2 does not fix any additional security issues; it corrects the package's RPM
changelog so that it lists all CVEs fixed in the past (bsc#1123919).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3118-1
Released:    Fri Nov 29 14:41:35 2019
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1154295
Description:

This update for e2fsprogs fixes the following issues:

- Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3166-1
Released:    Wed Dec  4 11:24:42 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1007715,1084934,1157278
Description:

This update for aaa_base fixes the following issues:

- Use the official key binding function names in inputrc: replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Add some missing key escape sequences for the rxvt-unicode (urxvt) terminal as well. (bsc#1007715)
- Remove a broken ghost entry in the patch that broke 'readline'. (bsc#1157278)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3167-1
Released:    Wed Dec  4 11:27:35 2019
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    moderate
References:  1142152
Description:

This update for suse-module-tools fixes the following issues:

- Add dependency of papr_scm on libnvdimm in the initrd image. (bsc#1142152, ltc#176292, FATE#327775).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3172-1
Released:    Wed Dec  4 11:46:44 2019
Summary:     Recommended update for libstoragemgmt
Type:        recommended
Severity:    moderate
References:  1155407
Description:

This update for libstoragemgmt ships two new sub-packages (fate#327790 bsc#1155407):

- libstoragemgmt-hpsa-plugin: HP SmartArray plugin.
- libstoragemgmt-megaraid-plugin: LSI MegaRaid plugin.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3181-1
Released:    Thu Dec  5 11:43:07 2019
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690
Description:

This update for permissions fixes the following issues:

- CVE-2019-3688: Fixed the wrong ownership of /usr/sbin/pinger, which is now
  root:squid; the previous ownership could have allowed the squid user to gain
  persistence by modifying the binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic
  links (bsc#1150734).
- Fixed a regression which caused a segmentation fault (bsc#1157198).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3240-1
Released:    Tue Dec 10 10:40:19 2019
Summary:     Recommended update for ca-certificates-mozilla, p11-kit
Type:        recommended
Severity:    moderate
References:  1154871
Description:

This update for ca-certificates-mozilla, p11-kit fixes the following issues:

Changes in ca-certificates-mozilla:

- export correct p11-kit trust attributes so Firefox detects built-in
  certificates (bsc#1154871).

Changes in p11-kit:

- support loading the NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox
  detects built-in certificates (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3267-1
Released:    Wed Dec 11 11:19:53 2019
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1158095,CVE-2019-14889
Description:

This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an arbitrary command execution through an unsanitized scp location (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3343-1
Released:    Thu Dec 19 11:05:27 2019
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1155668
Description:

This update for lvm2 fixes the following issues:

- Fixed a 90-second delay during shutdown and reboot. (bsc#1155668)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3374-1
Released:    Fri Dec 20 10:39:16 2019
Summary:     Recommended update for python-CherryPy
Type:        recommended
Severity:    moderate
References:  1158120
Description:

This update for python-CherryPy fixes the following issues:

- Added compatibility so that the tests pass with recent versions of
  Python that ship a fixed http.client.HTTPConnection.putrequest(). (bsc#1158120, jsc#PM-1350)
- Run spec-cleaner on the SPEC file.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3392-1
Released:    Fri Dec 27 13:33:29 2019
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1148987,1155338,1155339,CVE-2019-13627
Description:

This update for libgcrypt fixes the following issues:

Security issues fixed:

- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).

Bug fixes:

- Added a CMAC AES self test (bsc#1155339).
- Added the missing CMAC TDES self test (bsc#1155338).
- Fixed the dsa-rfc6979 test in FIPS mode.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3395-1
Released:    Mon Dec 30 14:05:06 2019
Summary:     Security update for mozilla-nspr, mozilla-nss
Type:        security
Severity:    moderate
References:  1141322,1158527,1159819,CVE-2018-18508,CVE-2019-11745,CVE-2019-17006
Description:

This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.47.1:

Security issues fixed:

- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate now uses maxout rather than the block size (bsc#1158527).
- CVE-2019-11727: Fixed an issue where NSS could be forced to sign CertificateVerify with PKCS#1 v1.5 signatures (bsc#1141322).

mozilla-nspr was updated to version 4.23:

- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:9-1
Released:    Thu Jan  2 12:33:47 2020
Summary:     Recommended update for xfsprogs
Type:        recommended
Severity:    moderate
References:  1157438
Description:

This update for xfsprogs fixes the following issues:

- Remove the 'xfs_scrub_all' script from the package, and the corresponding dependency of python. (bsc#1157438)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:10-1
Released:    Thu Jan  2 12:35:06 2020
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1146475
Description:

This update for gcc7 fixes the following issues:

- Fixed a miscompilation with thread-safe local static initialization (gcc#85887).
- Fixed the debug info created for array definitions that complete an earlier declaration (bsc#1146475).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:22-1
Released:    Tue Jan  7 12:39:59 2020
Summary:     Recommended update for python-numpy
Type:        recommended
Severity:    moderate
References:  1149203,SLE-8532
Description:

This update for python-numpy fixes the following issues:

- Add new random module including selectable random number generators: MT19937, PCG64, Philox and SFC64 (bsc#1149203)
- NumPy's FFT implementation was changed from fftpack to pocketfft, resulting in faster, more accurate transforms and better handling of datasets of prime length. (bsc#1149203)
- New radix sort and timsort sorting methods. (bsc#1149203)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:27-1
Released:    Tue Jan  7 14:47:07 2020
Summary:     Recommended update for rdma-core
Type:        recommended
Severity:    moderate
References:  1137131,1137132,1140601,1157891
Description:

This update for rdma-core fixes the following issues:

- Added Broadcom fixes for libbnxtre. (bsc#1157891)
- Disabled libmlx dependencies for libibverbs on 32-bit s390x. (bsc#1140601)
- Fixed the baselibs configuration, removing a conflict with -32b and older (early rdma-core) libraries.
- Added missing Obsoletes/Conflicts/Provides to handle updates from SP2. (bsc#1137131, bsc#1137132)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:36-1
Released:    Wed Jan  8 10:26:46 2020
Summary:     Recommended update for python-pyOpenSSL
Type:        recommended
Severity:    low
References:  1159989
Description:

This update fixes the build of python-pyOpenSSL in 2020 (bsc#1159989).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:69-1
Released:    Fri Jan 10 12:33:59 2020
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789
Description:

This update for openssl-1_1 fixes the following issues:

Security issue fixed:

- CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).

Various FIPS related improvements were done:

- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).
- Port FIPS patches from SLE-12 (bsc#1158101).
- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:114-1
Released:    Thu Jan 16 10:11:52 2020
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
Description:

This update for python3 to version 3.6.10 fixes the following issues:

- CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507).
- CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955).
- CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:129-1
Released:    Mon Jan 20 09:21:13 2020
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1158095,CVE-2019-14889
Description:

This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an unwanted command execution in scp caused by an unsanitized location (bsc#1158095).
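
The bug class behind CVE-2019-14889, as described in this advisory and in SUSE-SU-2019:3267-1 above, shown as an added example. This is illustration code written for this page, not libssh's code: the two command builders and the hostile location string are hypothetical, and remote_commands() is a simplified model of how a POSIX shell would parse the resulting command line.

```python
"""Why an unsanitized scp location is command injection (added example).

Illustration written for this page, not libssh's code.  The scp protocol
starts by running a command such as 'scp -f <path>' on the remote side; that
command line is interpreted by the remote user's shell, so the caller-supplied
location becomes part of a shell command.  A hypothetical client that splices
the location in verbatim lets shell metacharacters in it run extra commands;
the hardened form shell-quotes the location so it reaches scp as one literal
argument.  remote_commands() approximates the remote shell's parsing so the
difference can be checked offline.
"""
import shlex


def build_scp_command_vulnerable(location: str, recursive: bool = False) -> str:
    """Vulnerable form: the location is interpolated into the command as-is."""
    mode = "-rf" if recursive else "-f"
    return f"scp {mode} {location}"


def build_scp_command_hardened(location: str, recursive: bool = False) -> str:
    """Hardened form: the location is shell-quoted and becomes one argument."""
    mode = "-rf" if recursive else "-f"
    return f"scp {mode} {shlex.quote(location)}"


def remote_commands(command_line: str) -> list:
    """Split a command line the way a POSIX shell would, honouring quotes.

    Returns one argv list per simple command; ';', '&&', '||' and '|' act as
    command separators.  This is a simplified model of the remote shell.
    """
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token and set(token) <= set(";&|"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


# Constructed location containing a shell metacharacter (hypothetical input).
HOSTILE_LOCATION = "report.txt; id"

if __name__ == "__main__":
    print(remote_commands(build_scp_command_vulnerable(HOSTILE_LOCATION)))
    # [['scp', '-f', 'report.txt'], ['id']]   two commands run remotely
    print(remote_commands(build_scp_command_hardened(HOSTILE_LOCATION)))
    # [['scp', '-f', 'report.txt; id']]       one command, literal argument
```

Quoting rather than filtering is the right fix here: a filter has to enumerate every metacharacter of every shell the remote account might use, whereas single-quoting (with the embedded-quote escape that shlex.quote applies) makes the whole location a single literal word regardless of its contents.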

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:160-1
Released:    Wed Jan 22 13:18:10 2020
Summary:     Recommended update for ceph
Type:        recommended
Severity:    moderate
References:  1124556,1131817,1132337,1134365,1137227,1140504,1140879,1141203,1145571,1145756,1148360,1148498,1153876,1154230,1155045,1155463,1155655,1155950,1156571,1157611,1158923,1158925,1158926,1158927,1158929,1158930,1158931,1158932,1158933,1160920
Description:

This update for ceph fixes the following issues:

Update to 14.2.5-371-g3551250731:

+ upstream Nautilus 14.2.5 point release, see https://ceph.io/releases/v14-2-5-nautilus-released/

    * health warnings will be issued if daemons have recently crashed (bsc#1158923)
    * pg_num must be a power of two, otherwise HEALTH_WARN (bsc#1158925)
    * pool size must be > 1, otherwise HEALTH_WARN (bsc#1158926)
    * health warning if average OSD heartbeat ping time exceeds threshold (bsc#1158927)
    * changes in the telemetry MGR module (bsc#1158929)
    * new OSD daemon command dump_recovery_reservations (bsc#1158930)
    * new OSD daemon command dump_scrub_reservations (bsc#1158931)
    * RGW now supports S3 Object Lock set of APIs (bsc#1158932)
    * RGW now supports List Objects V2 (bsc#1158933)

+ mon: keep v1 address type when explicitly (bsc#1140879)
+ doc: mention --namespace option in rados manpage (bsc#1157611)
+ mgr/dashboard: Remove env_build from e2e:ci 
+ ceph-volume: check if we run in an selinux environment
+ qa/dashboard_e2e_tests.sh: Automatically use correct chromedriver version (bsc#1155950)
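
Two of the 14.2.5 health checks listed above (pg_num must be a power of two; pool size must be greater than 1) can be anticipated before the updated daemons start warning. The following helper is an added example written for this page and is not part of Ceph: it reads the JSON that `ceph osd pool ls detail -f json` prints and reports the pools that would trigger either warning, together with the `ceph osd pool set` command that clears it. The sample pool dump is constructed for the example and uses only the field names the real command emits.

```python
"""Pre-upgrade check for the pool health warnings new in Nautilus 14.2.5.

Helper written for this page; it is not part of Ceph.  It reads the JSON that
'ceph osd pool ls detail -f json' prints and lists pools that will trigger the
new HEALTH_WARN conditions once the updated daemons run: a pg_num that is not
a power of two, and a pool size of 1 (size must be > 1).  For each finding it
emits the 'ceph osd pool set' command that clears it.  SAMPLE_POOL_DUMP is
constructed for the example and uses the field names the real command emits.
"""
import json

SAMPLE_POOL_DUMP = json.dumps([
    {"pool_id": 1, "pool_name": "rbd", "type": 1, "size": 3, "min_size": 2, "pg_num": 128},
    {"pool_id": 2, "pool_name": "scratch", "type": 1, "size": 1, "min_size": 1, "pg_num": 96},
    {"pool_id": 3, "pool_name": "cephfs_data", "type": 1, "size": 2, "min_size": 1, "pg_num": 64},
])


def is_power_of_two(n: int) -> bool:
    """True for 1, 2, 4, 8, ...; the check the new pg_num warning applies."""
    return n > 0 and n & (n - 1) == 0


def next_power_of_two(n: int) -> int:
    """Smallest power of two >= n (rounding up keeps each PG smaller, not larger)."""
    return 1 << (n - 1).bit_length() if n > 1 else 1


def pools_with_warnings(pool_dump_json: str) -> list:
    """Return (pool_name, problem, fix_command) for each pool that would warn."""
    findings = []
    for pool in json.loads(pool_dump_json):
        name, pg_num, size = pool["pool_name"], pool["pg_num"], pool["size"]
        if not is_power_of_two(pg_num):
            findings.append((name, f"pg_num {pg_num} is not a power of two",
                             f"ceph osd pool set {name} pg_num {next_power_of_two(pg_num)}"))
        if size < 2:
            findings.append((name, f"size {size} leaves no redundancy",
                             f"ceph osd pool set {name} size 2"))
    return findings


if __name__ == "__main__":
    # On a live cluster, replace SAMPLE_POOL_DUMP with the output of
    # 'ceph osd pool ls detail -f json'.
    for name, problem, fix in pools_with_warnings(SAMPLE_POOL_DUMP):
        print(f"{name}: {problem}  ->  {fix}")
```

Both fixes move data: changing pg_num splits or merges placement groups, and raising size from 1 to 2 triggers a full backfill of the pool, so run the suggested commands during a maintenance window rather than silencing the warning.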

Update to 14.2.4-1283-g9ab65f8799:

+ rebase on tip of upstream nautilus, SHA1 9989c20373e2294b7479ec4bd6ac5cce80b01645

    * rgw: add S3 object lock feature to support object worm (jsc#SES-582)
    * os/bluestore: apply garbage collection against excessive blob count growth (bsc#1124556)
    * doc: update bluestore cache settings and clarify data fraction (bsc#1131817)
    * mgr/dashboard: Allow decreasing the number of PGs of an existing pool (bsc#1132337)
    * core: Improve health status for backfill_toofull and recovery_toofull and
      fix backfill_toofull seen on cluster where the most full OSD is at 1% (bsc#1134365)
    * mgr/dashboard: Set RO as the default access_type for RGW NFS exports (bsc#1137227)
    * mgr/dashboard: Allow disabling redirection on standby Dashboards (bsc#1140504)
    * rgw: DNS names are not case sensitive (bsc#1141203)
    * os/bluestore: shallow fsck mode and legacy statfs auto repair (bsc#1145571) 
    * mgr/dashboard: Display WWN and LUN number in iSCSI target details (bsc#1145756)
    * mgr/dashboard: access_control: add grafana scope read access to *-manager roles (bsc#1148360) 
    * mgr/dashboard: internationalization support with AOT enabled (bsc#1148498) 
    * mgr/dashboard: Fix data point alignment in MDS counters chart (bsc#1153876)
    * mgr/balancer: python3 compatibility issue (bsc#1154230) 
    * mgr/dashboard: add debug mode, and accept expected exception when SSL handshaking (bsc#1155045) 
    * mgr/{dashboard,prometheus}: return FQDN instead of '0.0.0.0' (bsc#1155463)
    * core: Improve health status for backfill_toofull and recovery_toofull and
      fix backfill_toofull seen on cluster where the most full OSD is at 1% (bsc#1155655)
    * mon: ensure prepare_failure() marks no_reply on op (bsc#1156571) 

+ mgr/dashboard: Automatically use correct chromedriver version

+ Revert 'rgw_file: introduce fast S3 Unix stats (immutable)'
  because it is incompatible with NFS-Ganesha 2.8

+ include hotfix from upstream v14.2.6 release (bsc#1160920):
  * mon/PGMap.h: disable network stats in dump_osd_stats 
  * osd_stat_t::dump: Add option for ceph-mgr python callers to skip ping network