Security update for ceph

Announcement ID:	SUSE-SU-2018:1576-1
Rating:	important
References:	bsc#1070357 bsc#1071386 bsc#1074301 bsc#1079076 bsc#1080788 bsc#1081379 bsc#1081600 bsc#1086340 bsc#1087269 bsc#1087493
Cross-References:	CVE-2018-7262
CVSS scores:	CVE-2018-7262 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Enterprise Storage 5 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP3

An update that solves one vulnerability and has nine security fixes can now be installed.

Description:

This update for ceph to 12.2.5-407-g5e7ea8cf03 fixes the following issues:

Security issue fixed:

• CVE-2018-7262: The rgw_civetweb.cc RGWCivetWeb::init_env function in radosgw doesn't handle malformed HTTP headers properly, allowing for denial of service. rgw: make init env methods return an error (bsc#1081379)

Other issues fixed:

• osd: do not crash on empty snapset (bsc#1074301)
• mon: add 'ceph osd pool get erasure allow_ec_overwrites' command (bsc#1087269)
• journal: limit number of appends sent in one librados op (bsc#1086340)
• RGW user stats fixes (bsc#1087493)
• rgw openssl fixes (bsc#1079076, bsc#1081379)
• rocksdb: fixes early metadata spill over to slow device in bluefs (bsc#1071386)
• mon: reenable timer to send digest when paxos is temporarily inactive (bsc#1070357)
• fsid mismatch when creating additional OSDs (bsc#1080788)
• crash in civetweb/RGW (bsc#1081600)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Enterprise Storage 5
  zypper in -t patch SUSE-Storage-5-2018-1092=1

Package List:

• SUSE Enterprise Storage 5 (aarch64 x86_64)
  • python-rbd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • ceph-mgr-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • python3-cephfs-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • ceph-mon-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • ceph-radosgw-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • librados2-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • ceph-mds-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • rbd-mirror-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • python-rbd-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • ceph-base-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • python-rgw-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • ceph-debugsource-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • libcephfs2-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • ceph-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • python-rgw-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • libradosstriper1-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • python3-rgw-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • python-cephfs-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • libradosstriper1-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • python-rados-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • python3-rados-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • librgw2-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • python-rados-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • rbd-mirror-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • ceph-common-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • rbd-fuse-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • ceph-mgr-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • ceph-radosgw-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • python3-cephfs-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • librbd1-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • librados2-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • ceph-fuse-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • librbd1-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • rbd-fuse-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • python-ceph-compat-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • python-cephfs-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • ceph-base-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • ceph-common-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • ceph-fuse-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • python3-rados-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • rbd-nbd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • python3-rbd-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • ceph-osd-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • librgw2-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • ceph-osd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • libcephfs2-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • python3-rgw-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • ceph-mds-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • ceph-mon-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • python3-ceph-argparse-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • rbd-nbd-debuginfo-12.2.5+git.1524775272.5e7ea8cf03-2.13.3
  • python3-rbd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3

References:

• https://www.suse.com/security/cve/CVE-2018-7262.html
• https://bugzilla.suse.com/show_bug.cgi?id=1070357
• https://bugzilla.suse.com/show_bug.cgi?id=1071386
• https://bugzilla.suse.com/show_bug.cgi?id=1074301
• https://bugzilla.suse.com/show_bug.cgi?id=1079076
• https://bugzilla.suse.com/show_bug.cgi?id=1080788
• https://bugzilla.suse.com/show_bug.cgi?id=1081379
• https://bugzilla.suse.com/show_bug.cgi?id=1081600
• https://bugzilla.suse.com/show_bug.cgi?id=1086340
• https://bugzilla.suse.com/show_bug.cgi?id=1087269
• https://bugzilla.suse.com/show_bug.cgi?id=1087493