SUSE-CU-2021:251-1: Security update of ses/7/rook/ceph

sle-security-updates at lists.suse.com
Tue Jun 15 06:12:06 UTC 2021


SUSE Container Update Advisory: ses/7/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:251-1
Container Tags        : ses/7/rook/ceph:1.5.10 , ses/7/rook/ceph:1.5.10.4 , ses/7/rook/ceph:1.5.10.4.1.1658 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus
Container Release     : 1.1658
Severity              : important
Type                  : security
References            : 1029961 1106014 1153687 1161268 1172308 1174526 1178577 1178624
                        1178675 1179805 1180851 1181874 1182016 1182372 1182936 1183074
                        1183194 1183268 1183589 1183628 1184326 1184399 1184505 1184997
                        1184997 1185239 1185325 1186015 1186642 1186642 1186673 CVE-2020-29651
                        CVE-2021-20288 CVE-2021-3541 
-----------------------------------------------------------------

The container ses/7/rook/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1833-1
Released:    Wed Jun  2 15:32:28 2021
Summary:     Recommended update for zypper
Type:        recommended
Severity:    moderate
References:  1153687,1180851,1181874,1182372,1182936,1183268,1183589,1183628,1184997,1185239
This update for zypper fixes the following issues:

zypper was upgraded to 1.14.44:

- man page: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- patch: Let a patch's reboot-needed flag overrule included packages. (bsc#1183268)
- Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687)
- Protect against strict/relaxed user umask via sudo. (bsc#1183589)
- xml summary: Add solvables repository alias. (bsc#1182372)

libzypp was upgraded from version 17.25.8 to version 17.25.10

- Properly handle permission denied when providing optional files. (bsc#1185239)
- Fix service detection with `cgroupv2`. (bsc#1184997)
- Add missing includes for GCC 11. (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
- `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
- Do no cleanup in custom cache dirs. (bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1859-1
Released:    Fri Jun  4 09:02:38 2021
Summary:     Security update for python-py
Type:        security
Severity:    moderate
References:  1179805,1184505,CVE-2020-29651
This update for python-py fixes the following issues:

- CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1861-1
Released:    Fri Jun  4 09:59:40 2021
Summary:     Recommended update for gcc10
Type:        recommended
Severity:    moderate
References:  1029961,1106014,1178577,1178624,1178675,1182016
This update for gcc10 fixes the following issues:

- Disable nvptx offloading for aarch64 again, since it does not work.
- Fixed a build failure issue. (bsc#1182016)
- Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
- Fix 32bit 'libgnat.so' link. (bsc#1178675)
- Prepare for usrmerge: Install libgcc_s into %_libdir. ABI-wise it stays in /%lib. (bsc#1029961)
- Build complete set of multilibs for arm-none target. (bsc#1106014)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1879-1
Released:    Tue Jun  8 09:16:09 2021
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    important
References:  1184326,1184399,1184997,1185325
This update for libzypp, zypper fixes the following issues:

libzypp was updated to 17.26.0:

- Work around download.o.o broken https redirects.
- Allow trusted repos to add additional signing keys (bsc#1184326)
  Repositories signed with a trusted gpg key may import additional
  package signing keys. This is needed if different keys were used
  to sign the packages shipped by the repository.
- MediaCurl: Fix logging of redirects.
- Use 15.3 resolver problem and solution texts on all distros.
- $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the
  zypp lock (bsc#1184399)
  Helps boot time services like 'zypper purge-kernels' to wait for
  the zypp lock until other services using zypper have completed.
- Fix purge-kernels being broken in Leap 15.3 (bsc#1185325)
  Leap 15.3 introduces a new kernel package called
  kernel-flavour-extra, which contains KMPs (kernel module
  packages). Previously KMPs were detected by the name pattern
  '.*-kmp(-.*)?', but this does not match those new packages. This
  patch fixes the problem by checking packages for kmod(*) and
  ksym(*) provides, and only falls back to name checking if the
  package in question does not provide one of those.
- Introduce zypp-runpurge, a tool to run purge-kernels on
  testcases.

zypper was updated to 1.14.45:

- Fix service detection with cgroupv2 (bsc#1184997)
- Add hints to 'trust GPG key' prompt.
- Add report when receiving new package signing keys from a
  trusted repo (bsc#1184326)
- Added translation using Weblate (Kabyle)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1910-1
Released:    Wed Jun  9 09:37:41 2021
Summary:     Recommended update for openssh
Type:        recommended
Severity:    moderate
References:  1186673
This update for openssh fixes the following issues:

- Further attempts to mitigate instances of secrets lingering in memory
  after a session exits to meet key zeroization requirements. (bsc#1186673)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1917-1
Released:    Wed Jun  9 14:48:05 2021
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1186015,CVE-2021-3541
This update for libxml2 fixes the following issues:

- CVE-2021-3541: Fixed an exponential entity expansion attack that bypassed all existing protection mechanisms. (bsc#1186015)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1923-1
Released:    Thu Jun 10 08:37:00 2021
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    important
References:  1183194
This update for nfs-utils fixes the following issues:

- Ensured thread safety when opening files over NFS to prevent a
  use-after-free issue (bsc#1183194)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1935-1
Released:    Thu Jun 10 10:45:09 2021
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  1186642

This update for gzip fixes the following issue:

- gzip had a lower release number in SUSE Linux Enterprise 15 SP2 and SP3 than in 15 SP1,
  which could lead to migration issues. (bsc#1186642)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1937-1
Released:    Thu Jun 10 10:47:09 2021
Summary:     Recommended update for nghttp2
Type:        recommended
Severity:    moderate
References:  1186642

This update for nghttp2 fixes the following issue:

- The (lib)nghttp2 packages had a lower release number in SUSE Linux Enterprise 15 SP2 and SP3
  than in 15 SP1, which could lead to migration issues. (bsc#1186642)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1953-1
Released:    Thu Jun 10 16:18:50 2021
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    moderate
References:  1161268,1172308
This update for gpg2 fixes the following issues:

- Fixed an issue where the ssh-agent emulation of gpg-agent did not handle
  flags in signing requests properly (bsc#1161268 and bsc#1172308).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1971-1
Released:    Tue Jun 15 06:57:16 2021
Summary:     Security update for ceph and ceph-csi
Type:        security
Severity:    important
References:  1174526,1183074,CVE-2021-20288
This update for ceph and ceph-csi fixes the following issues:

ceph:

- updated ceph to upstream version 15.2.13:
  * mgr/dashboard: allow getting fresh inventory data from the orchestrator (bsc#1174526)

  The whole upstream changelog can be found here:
  https://ceph.io/releases/v15-2-13-octopus-released/

ceph-csi:

- CVE-2021-20288: An authentication flaw was found in ceph in versions prior to 14.2.20. When
  the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys,
  allowing key reuse. An attacker who can request a global_id can exploit the ability of any
  user to request a global_id previously associated with another user, as ceph does not force
  the reuse of old keys to generate new ones. The highest threat from this vulnerability is to
  data confidentiality and integrity as well as system availability (bsc#1183074)