SUSE-SU-2021:1472-1: important: Security update for ceph, deepsea

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Tue May 4 10:25:17 UTC 2021


   SUSE Security Update: Security update for ceph, deepsea
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1472-1
Rating:             important
References:         #1145463 #1174466 #1177200 #1178016 #1178216 
                    #1178235 #1178657 #1178837 #1178860 #1178905 
                    #1179997 #1180118 #1180594 #1181183 #1181378 
                    #1181665 #1183074 #1183487 #1183600 
Cross-References:   CVE-2020-25678 CVE-2020-27839 CVE-2021-20288
                   
CVSS scores:
                    CVE-2020-25678 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-27839 (SUSE): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-20288 (NVD) : 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-20288 (SUSE): 8 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Products:
                    SUSE Enterprise Storage 6
______________________________________________________________________________

   An update that solves three vulnerabilities and has 16
   fixes is now available.

Description:

   This update for ceph, deepsea fixes the following issues:

   - ceph was updated to 14.2.20-402-g6aa76c6815:
       * CVE-2021-20288: Fixed unauthorized global_id reuse (bsc#1183074).
       * CVE-2020-25678: Do not add sensitive information in Ceph log files
         (bsc#1178905).
       * CVE-2020-27839: Use secure cookies to store JWT Token (bsc#1179997).
       * mgr/dashboard: prometheus alerting: add some leeway for package
         drops and errors (bsc#1145463)
       * mon: have 'mon stat' output json as well (bsc#1174466)
       * rpm: ceph-mgr-dashboard recommends python3-saml on SUSE (bsc#1177200)
       * mgr/dashboard: Display a warning message in Dashboard when debug
         mode is enabled (bsc#1178235)
       * rgw: cls/user: set from_index for reset stats calls (bsc#1178837)
       * mgr/dashboard: Disable TLS 1.0 and 1.1 (bsc#1178860)
       * bluestore: provide a different name for fallback allocator
         (bsc#1180118)
       * test/run-cli-tests: use cram from github (bsc#1181378)
       * mgr/dashboard: fix "Python2 Cookie module import fails on Python3"
         (bsc#1183487)
       * common: make ms_bind_msgr2 default to 'false' (bsc#1180594)

   - deapsea was updated to 0.9.35
       * osd: add method to zap simple osds (bsc#1178657, bsc#1178216)
       * upgrade to cephadm: fix Drive Group generation (bsc#1181665)
       * Rework config change detection to handle global.conf correctly
         (bsc#1181183)
       * Use -i to pass credentials to `ceph dashboard` commands (bsc#1183600)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-1472=1



Package List:

   - SUSE Enterprise Storage 6 (noarch):

      deepsea-0.9.35+git.0.5a1dc9fe-3.34.1
      deepsea-cli-0.9.35+git.0.5a1dc9fe-3.34.1


References:

   https://www.suse.com/security/cve/CVE-2020-25678.html
   https://www.suse.com/security/cve/CVE-2020-27839.html
   https://www.suse.com/security/cve/CVE-2021-20288.html
   https://bugzilla.suse.com/1145463
   https://bugzilla.suse.com/1174466
   https://bugzilla.suse.com/1177200
   https://bugzilla.suse.com/1178016
   https://bugzilla.suse.com/1178216
   https://bugzilla.suse.com/1178235
   https://bugzilla.suse.com/1178657
   https://bugzilla.suse.com/1178837
   https://bugzilla.suse.com/1178860
   https://bugzilla.suse.com/1178905
   https://bugzilla.suse.com/1179997
   https://bugzilla.suse.com/1180118
   https://bugzilla.suse.com/1180594
   https://bugzilla.suse.com/1181183
   https://bugzilla.suse.com/1181378
   https://bugzilla.suse.com/1181665
   https://bugzilla.suse.com/1183074
   https://bugzilla.suse.com/1183487
   https://bugzilla.suse.com/1183600



More information about the sle-security-updates mailing list