Security update for SES 1.0

Announcement ID: SUSE-SU-2015:1102-1
Rating: moderate
References:
Cross-References:
CVSS scores:
Affected Products:
  • SUSE Enterprise Storage 1.0 1

An update that solves three vulnerabilities and has 12 security fixes can now be installed.

Description:

This collective update for SUSE Enterprise Storage 1.0 provides fixes and enhancements.

ceph (update to version 0.80.9):

  • Support non-ASCII characters. (bnc#907510)
  • Fixes issue with more than one OSD / MON on same node. (bnc#927862)
  • Reinstates Environment=CLUSTER=ceph lines removed by last patch. (bnc#915567)
  • Use same systemd service files for all cluster names. (bnc#915567)
  • In OSDMonitor fallback to json-pretty in case of invalid formatter. (bnc#919313)
  • Increase max files to 131072 for ceph-osd daemon. (bnc#924894)
  • Fix "OSDs shutdown during rados benchmark tests". (bnc#924269)
  • Add SuSEfirewall2 service files for Ceph MON, OSD and MDS. (bnc#919091)
  • Added support for multiple cluster names with systemd to ceph-disk. (bnc#915567)
  • Move udev rules for rbd devices to the client package ceph-common.
  • Several issues reported upstream have been fixed: #9973 #9918 #9907 #9877 #9854 #9587 #9479 #9478 #9254 #5595 #10978 #10965 #10907 #10553 #10471 #10421 #10307 #10299 #10271 #10271 #10270 #10262 #10103 #10095.

ceph-deploy:

  • Drop support for multiple customer names on the same hardware. (bsc#915567)
  • Check for errors when generating rgw keys. (bsc#915783)
  • Do not import new repository keys automatically when installing packages with Zypper. (bsc#919965)
  • Improved detection of disk vs. OSD block devices with a simple set of tests. (bsc#889053)
  • Do not create keyring files as world-readable. (bsc#920926, CVE-2015-3010)
  • Added support for multiple cluster names with systemd to ceph-disk. (bnc#915567)

calamari-clients:

  • Reduce krakenFailThreshold to 5 minutes. (bsc#903007)

python-Pillow (update to version 2.7.0):

  • Fix issues in Jpeg2KImagePlugin and IcnsImagePlugin which could have allowed denial of service attacks. (CVE-2014-3598, CVE-2014-3589)

python-djangorestframework:

  • Escape URLs when replacing format= query parameter, as used in dropdown on GET button in browsable API to allow explicit selection of JSON vs HTML output. (bsc#929914)
  • Escape request path when it is include as part of the login and logout links in the browsable API. (bsc#929886)

For a comprehensive list of changes please refer to each package's change log.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Enterprise Storage 1.0 1
    zypper in -t patch SUSE-Storage-1.0-2015-250=1

Package List:

  • SUSE Enterprise Storage 1.0 1 (noarch)
    • ceph-deploy-1.5.19+git.1431355031.6178cf3-9.1
    • python-djangorestframework-2.3.12-4.2
    • calamari-clients-1.2.2+git.1428648634.40dfe5b-3.1
  • SUSE Enterprise Storage 1.0 1 (x86_64)
    • python-Pillow-2.7.0-4.1
    • librbd1-0.80.9-5.1
    • librados2-debuginfo-0.80.9-5.1
    • ceph-radosgw-debuginfo-0.80.9-5.1
    • ceph-common-debuginfo-0.80.9-5.1
    • ceph-test-0.80.9-5.1
    • python-ceph-0.80.9-5.1
    • ceph-0.80.9-5.1
    • python-Pillow-debuginfo-2.7.0-4.1
    • ceph-radosgw-0.80.9-5.1
    • ceph-fuse-0.80.9-5.1
    • ceph-common-0.80.9-5.1
    • ceph-fuse-debuginfo-0.80.9-5.1
    • libcephfs1-0.80.9-5.1
    • ceph-debugsource-0.80.9-5.1
    • rbd-fuse-0.80.9-5.1
    • rbd-fuse-debuginfo-0.80.9-5.1
    • ceph-test-debuginfo-0.80.9-5.1
    • libcephfs1-debuginfo-0.80.9-5.1
    • python-Pillow-debugsource-2.7.0-4.1
    • librados2-0.80.9-5.1
    • ceph-debuginfo-0.80.9-5.1
    • librbd1-debuginfo-0.80.9-5.1

References: