SUSE-CU-2019:766-1: Security update of ses/6/rook/ceph

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Sat Feb 1 01:39:53 MST 2020 

SUSE Container Update Advisory: ses/6/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:766-1
Container Tags        : ses/6/rook/ceph:1.1.1.0 , ses/6/rook/ceph:1.1.1.0.1.5.63 , ses/6/rook/ceph:latest
Container Release     : 1.5.63
Severity              : important
Type                  : security
References            : 1103320 1132767 1134444 1135584 1137503 1140491 1141174 1145093
                        1145617 1145618 1145759 1146656 1147132 1149093 1150406 1151439
                        1151990 1151991 1151992 1151993 1151994 1151995 1152002 1154019
                        1154036 1154037 1156282 CVE-2019-10222 CVE-2019-17594 CVE-2019-17595
-----------------------------------------------------------------

The container ses/6/rook/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2019:2980-1
Released:    Thu Nov 14 22:45:33 2019
Summary:     Optional update for curl
Type:        optional
Severity:    low
References:  1154019
Description:

This update for curl doesn't address any user visible issues.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2994-1
Released:    Mon Nov 18 13:34:33 2019
Summary:     Security update for ceph
Type:        security
Severity:    important
References:  1132767,1134444,1135584,1137503,1140491,1141174,1145093,1145617,1145618,1145759,1146656,1147132,1149093,1150406,1151439,1151990,1151991,1151992,1151993,1151994,1151995,1152002,1156282,CVE-2019-10222
Description:



This update for ceph fixes the following issues:

- A previous update introduced a regression with the potential to cause RocksDB
  data corruption in Nautilus (bsc#1156282).

- Support for iSCSI target-level CHAP authentication was added (bsc#1145617).

- Implemented validation and rendering of iSCSI controls based 'type'
  (bsc#1140491).

- Fixed an error while editing iSCSI image advanced settings (bsc#1146656).

- Fixed a ceph-volume regression. SES customers were never exposed to this
  regression (bsc#1132767).

- Fixed a denial of service vulnerability where an unauthenticated client of
  Ceph Object Gateway could trigger a crash from an uncaught exception
  (bsc#1145093, CVE-2019-10222)

- Nautilus-based librbd clients could not open images on Jewel clusters
  (bsc#1151994).

- The RGW num_rados_handles has been removed (bsc#1151995).

- 'osd_deep_scrub_large_omap_object_key_threshold' has been lowered in Nautilus
  (bsc#1152002).

- The ceph dashboard now supports silencing Prometheus notifications
  (bsc#1141174).

- The no{up,down,in,out} related commands have been revamped (bsc#1151990).

- Radosgw-admin got two new subcommands for managing expire-stale objects
  (bsc#1151991)..

- Deploying a single new BlueStore OSD on a cluster upgraded to SES6 from SES5
  used to break pool utilization stats reported by ceph df (bsc#1151992).

- Ceph clusters will issue a health warning if CRUSH tunables are older than
  'hammer' (bsc#1151993).

- Ceph-volume prints errors to stdout with --format json (bsc#1132767).

- Changing rgw-api-host in the dashboard does not get effective without
  disable/enable dashboard mgr module (bsc#1137503).

- Silenced Alertmanager alerts in the dashboard (bsc#1141174).

- Fixed e2e failures in the dashboard caused by webdriver version (bsc#1145759)

- librbd always tries to acquire exclusive lock when removing image an
  (bsc#1149093).

Fixes in ses-manual_en:

- Added a new chapter with changelogs of Ceph releases. (bsc#1135584)
- Rewrote rolling updates and replaced running stage.0 with manual commands to prevent infinite loop. (bsc#1134444)
- Improved name of CaaSP to its fuller version. (bsc#1151439)
- Verify which OSD's are going to be removed before running stage.5. (bsc#1150406)
- Added two additional steps to recovering an OSD. (bsc#1147132)

Fixes in ceph-iscsi:

- Validate kernel LIO controls type and value (bsc#1140491)
- TPG lun_id persistence (bsc#1145618)
- Target level CHAP authentication (bsc#1145617)

ceph-iscsi was updated to the upstream 3.2 release:

- Always use host FQDN instead of shortname
- Validate min/max value for target controls and rbd:user/tcmu-runner image
  controls (bsc#1140491)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released:    Mon Nov 18 15:16:38 2019
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595
Description:

This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

Non-security issue fixed:

- Removed screen.xterm from terminfo database (bsc#1103320).

More information about the sle-security-updates mailing list