SUSE-SU-2021:1472-1: important: Security update for ceph, deepsea
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Tue May 4 10:25:17 UTC 2021
SUSE Security Update: Security update for ceph, deepsea
______________________________________________________________________________
Announcement ID: SUSE-SU-2021:1472-1
Rating: important
References: #1145463 #1174466 #1177200 #1178016 #1178216
#1178235 #1178657 #1178837 #1178860 #1178905
#1179997 #1180118 #1180594 #1181183 #1181378
#1181665 #1183074 #1183487 #1183600
Cross-References: CVE-2020-25678 CVE-2020-27839 CVE-2021-20288
CVSS scores:
CVE-2020-25678 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVE-2020-27839 (SUSE): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2021-20288 (NVD) : 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2021-20288 (SUSE): 8 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Products:
SUSE Enterprise Storage 6
______________________________________________________________________________
An update that solves three vulnerabilities and has 16
fixes is now available.
Description:
This update for ceph, deepsea fixes the following issues:
- ceph was updated to 14.2.20-402-g6aa76c6815:
* CVE-2021-20288: Fixed unauthorized global_id reuse (bsc#1183074).
* CVE-2020-25678: Do not add sensitive information in Ceph log files
(bsc#1178905).
* CVE-2020-27839: Use secure cookies to store JWT Token (bsc#1179997).
* mgr/dashboard: prometheus alerting: add some leeway for package
drops and errors (bsc#1145463)
* mon: have 'mon stat' output json as well (bsc#1174466)
* rpm: ceph-mgr-dashboard recommends python3-saml on SUSE (bsc#1177200)
* mgr/dashboard: Display a warning message in Dashboard when debug
mode is enabled (bsc#1178235)
* rgw: cls/user: set from_index for reset stats calls (bsc#1178837)
* mgr/dashboard: Disable TLS 1.0 and 1.1 (bsc#1178860)
* bluestore: provide a different name for fallback allocator
(bsc#1180118)
* test/run-cli-tests: use cram from github (bsc#1181378)
* mgr/dashboard: fix "Python2 Cookie module import fails on Python3"
(bsc#1183487)
* common: make ms_bind_msgr2 default to 'false' (bsc#1180594)
- deapsea was updated to 0.9.35
* osd: add method to zap simple osds (bsc#1178657, bsc#1178216)
* upgrade to cephadm: fix Drive Group generation (bsc#1181665)
* Rework config change detection to handle global.conf correctly
(bsc#1181183)
* Use -i to pass credentials to `ceph dashboard` commands (bsc#1183600)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Enterprise Storage 6:
zypper in -t patch SUSE-Storage-6-2021-1472=1
Package List:
- SUSE Enterprise Storage 6 (noarch):
deepsea-0.9.35+git.0.5a1dc9fe-3.34.1
deepsea-cli-0.9.35+git.0.5a1dc9fe-3.34.1
References:
https://www.suse.com/security/cve/CVE-2020-25678.html
https://www.suse.com/security/cve/CVE-2020-27839.html
https://www.suse.com/security/cve/CVE-2021-20288.html
https://bugzilla.suse.com/1145463
https://bugzilla.suse.com/1174466
https://bugzilla.suse.com/1177200
https://bugzilla.suse.com/1178016
https://bugzilla.suse.com/1178216
https://bugzilla.suse.com/1178235
https://bugzilla.suse.com/1178657
https://bugzilla.suse.com/1178837
https://bugzilla.suse.com/1178860
https://bugzilla.suse.com/1178905
https://bugzilla.suse.com/1179997
https://bugzilla.suse.com/1180118
https://bugzilla.suse.com/1180594
https://bugzilla.suse.com/1181183
https://bugzilla.suse.com/1181378
https://bugzilla.suse.com/1181665
https://bugzilla.suse.com/1183074
https://bugzilla.suse.com/1183487
https://bugzilla.suse.com/1183600
More information about the sle-security-updates
mailing list