Security update for ceph

Announcement ID:	SUSE-SU-2023:1581-1
Rating:	important
References:	bsc#1187748 bsc#1188911 bsc#1192838 bsc#1192840 bsc#1196046 bsc#1199183 bsc#1200262 bsc#1200317 bsc#1200501 bsc#1200978 bsc#1201604 bsc#1201797 bsc#1201837 bsc#1201976 bsc#1202077 bsc#1202292 bsc#1203375 bsc#1204430 bsc#1205025 bsc#1205436 bsc#1206158
Cross-References:	CVE-2022-0670 CVE-2022-3650 CVE-2022-3854
CVSS scores:	CVE-2022-0670 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2022-0670 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2022-3650 ( SUSE ): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2022-3650 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-3854 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2022-3854 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:	Basesystem Module 15-SP4 openSUSE Leap 15.4 openSUSE Leap Micro 5.3 SUSE Linux Enterprise Desktop 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro for Rancher 5.3 SUSE Linux Enterprise Real Time 15 SP4 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Manager Proxy 4.3 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.3

An update that solves three vulnerabilities and has 18 security fixes can now be installed.

Description:

This update for ceph fixes the following issues:

Security issues fixed:

• CVE-2022-0670: Fixed user/tenant read/write access to an entire file system (bsc#1201837).
• CVE-2022-3650: Fixed Python script that allowed privilege escalation from ceph to root (bsc#1204430).
• CVE-2022-3854: Fixed possible DoS issue in ceph URL processing on RGW backends (bsc#1205025).

Bug fixes:

• osd, tools, kv: non-aggressive, on-line trimming of accumulated dups (bsc#1199183).
• ceph-volume: fix fast device alloc size on mulitple device (bsc#1200262).
• cephadm: update monitoring container images (bsc#1200501).
• mgr/dashboard: prevent alert redirect (bsc#1200978).
• mgr/volumes: Add subvolumegroup resize cmd (bsc#1201797).
• monitoring/ceph-mixin: add RGW host to label info (bsc#1201976).
• mgr/dashboard: enable addition of custom Prometheus alerts (bsc#1202077).
• python-common: Add 'KB' to supported suffixes in SizeMatcher (bsc#1203375).
• mgr/dashboard: fix rgw connect when using ssl (bsc#1205436).
• ceph.spec.in: Add -DFMT_DEPRECATED_OSTREAM to CXXFLAGS (bsc#1202292).
• cephfs-shell: move source to separate subdirectory (bsc#1201604).

Fix in previous release:

• mgr/cephadm: try to get FQDN for configuration files (bsc#1196046).
• When an RBD is mapped, it is attempted to be deployed as an OSD. (bsc#1187748).
• OSD marked down causes wrong backfill_toofull (bsc#1188911).
• cephadm: Fix iscsi client caps (allow mgr <service status> calls) (bsc#1192838).
• mgr/cephadm: fix and improve osd draining (bsc#1200317).
• add iscsi and nfs to upgrade process (bsc#1206158).
• mgr/mgr_module.py: CLICommand: Fix parsing of kwargs arguments (bsc#1192840).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap Micro 5.3
  zypper in -t patch openSUSE-Leap-Micro-5.3-2023-1581=1
• openSUSE Leap 15.4
  zypper in -t patch openSUSE-SLE-15.4-2023-1581=1
• SUSE Linux Enterprise Micro for Rancher 5.3
  zypper in -t patch SUSE-SLE-Micro-5.3-2023-1581=1
• SUSE Linux Enterprise Micro 5.3
  zypper in -t patch SUSE-SLE-Micro-5.3-2023-1581=1
• Basesystem Module 15-SP4
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-1581=1

Package List:

• openSUSE Leap Micro 5.3 (aarch64 x86_64)
  • librbd1-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librados2-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librbd1-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librados2-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-debugsource-16.2.11.58+g38d6afd3b78-150400.3.6.1
• openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  • ceph-immutable-object-cache-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-osd-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-mgr-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-mgr-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • cephfs-mirror-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • libradospp-devel-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librbd1-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librgw2-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-rbd-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • cephfs-shell-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librados-devel-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librados2-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librbd-devel-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librgw2-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-radosgw-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • libcephsqlite-devel-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • cephfs-mirror-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • rbd-fuse-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • libcephsqlite-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • rbd-mirror-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • rbd-fuse-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-rados-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-base-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librados-devel-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-rgw-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-rbd-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-rgw-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librgw-devel-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-osd-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-ceph-argparse-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • libcephfs2-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-immutable-object-cache-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-base-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • libcephfs2-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • rbd-nbd-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-common-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-fuse-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librados2-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-common-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • rados-objclass-devel-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • rbd-mirror-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-mds-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • libcephfs-devel-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-ceph-common-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-mds-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-cephfs-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-radosgw-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • rbd-nbd-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-fuse-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • libcephsqlite-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librbd1-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-rados-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-mon-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-cephfs-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-debugsource-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-mon-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
• openSUSE Leap 15.4 (noarch)
  • ceph-mgr-cephadm-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • cephadm-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-grafana-dashboards-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • cephfs-top-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-mgr-modules-core-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-prometheus-alerts-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-mgr-dashboard-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-mgr-rook-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-mgr-k8sevents-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-mgr-diskprediction-local-16.2.11.58+g38d6afd3b78-150400.3.6.1
• openSUSE Leap 15.4 (x86_64)
  • ceph-test-debugsource-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-test-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-test-16.2.11.58+g38d6afd3b78-150400.3.6.1
• SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 x86_64)
  • librbd1-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librados2-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librbd1-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librados2-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-debugsource-16.2.11.58+g38d6afd3b78-150400.3.6.1
• SUSE Linux Enterprise Micro 5.3 (aarch64 x86_64)
  • librbd1-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librados2-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librbd1-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librados2-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-debugsource-16.2.11.58+g38d6afd3b78-150400.3.6.1
• Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64)
  • libradospp-devel-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librbd1-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librgw2-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-rbd-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librados-devel-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librados2-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librbd-devel-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librgw2-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-rados-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librados-devel-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-rgw-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-rbd-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-rgw-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librgw-devel-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-ceph-argparse-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • libcephfs2-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • libcephfs2-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • rbd-nbd-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-common-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librados2-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-common-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • rados-objclass-devel-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • libcephfs-devel-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-ceph-common-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • rbd-nbd-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-cephfs-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • librbd1-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-rados-debuginfo-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • python3-cephfs-16.2.11.58+g38d6afd3b78-150400.3.6.1
  • ceph-debugsource-16.2.11.58+g38d6afd3b78-150400.3.6.1

References:

• https://www.suse.com/security/cve/CVE-2022-0670.html
• https://www.suse.com/security/cve/CVE-2022-3650.html
• https://www.suse.com/security/cve/CVE-2022-3854.html
• https://bugzilla.suse.com/show_bug.cgi?id=1187748
• https://bugzilla.suse.com/show_bug.cgi?id=1188911
• https://bugzilla.suse.com/show_bug.cgi?id=1192838
• https://bugzilla.suse.com/show_bug.cgi?id=1192840
• https://bugzilla.suse.com/show_bug.cgi?id=1196046
• https://bugzilla.suse.com/show_bug.cgi?id=1199183
• https://bugzilla.suse.com/show_bug.cgi?id=1200262
• https://bugzilla.suse.com/show_bug.cgi?id=1200317
• https://bugzilla.suse.com/show_bug.cgi?id=1200501
• https://bugzilla.suse.com/show_bug.cgi?id=1200978
• https://bugzilla.suse.com/show_bug.cgi?id=1201604
• https://bugzilla.suse.com/show_bug.cgi?id=1201797
• https://bugzilla.suse.com/show_bug.cgi?id=1201837
• https://bugzilla.suse.com/show_bug.cgi?id=1201976
• https://bugzilla.suse.com/show_bug.cgi?id=1202077
• https://bugzilla.suse.com/show_bug.cgi?id=1202292
• https://bugzilla.suse.com/show_bug.cgi?id=1203375
• https://bugzilla.suse.com/show_bug.cgi?id=1204430
• https://bugzilla.suse.com/show_bug.cgi?id=1205025
• https://bugzilla.suse.com/show_bug.cgi?id=1205436
• https://bugzilla.suse.com/show_bug.cgi?id=1206158