Security update for ceph

Announcement ID: SUSE-SU-2019:2994-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2019-10222 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-10222 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-10222 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • SUSE Enterprise Storage 6
  • SUSE Linux Enterprise Server 15 SP1

An update that solves one vulnerability and has 22 security fixes can now be installed.

Description:

This update for ceph fixes the following issues:

  • A previous update introduced a regression with the potential to cause RocksDB data corruption in Nautilus (bsc#1156282).

  • Support for iSCSI target-level CHAP authentication was added (bsc#1145617).

  • Implemented validation and rendering of iSCSI controls based on "type" (bsc#1140491).

  • Fixed an error while editing iSCSI image advanced settings (bsc#1146656).

  • Fixed a ceph-volume regression. SES customers were never exposed to this regression (bsc#1132767).

  • Fixed a denial of service vulnerability where an unauthenticated client of Ceph Object Gateway could trigger a crash from an uncaught exception (bsc#1145093, CVE-2019-10222).

  • Nautilus-based librbd clients could not open images on Jewel clusters (bsc#1151994).

  • The RGW num_rados_handles has been removed (bsc#1151995).

  • "osd_deep_scrub_large_omap_object_key_threshold" has been lowered in Nautilus (bsc#1152002).

  • The ceph dashboard now supports silencing Prometheus notifications (bsc#1141174).

  • The no{up,down,in,out} related commands have been revamped (bsc#1151990).

  • Radosgw-admin got two new subcommands for managing expire-stale objects (bsc#1151991).

  • Deploying a single new BlueStore OSD on a cluster upgraded to SES6 from SES5 used to break pool utilization stats reported by ceph df (bsc#1151992).

  • Ceph clusters will issue a health warning if CRUSH tunables are older than "hammer" (bsc#1151993).

  • Ceph-volume prints errors to stdout with --format json (bsc#1132767).

  • Changing rgw-api-host in the dashboard does not take effect without disabling and re-enabling the dashboard mgr module (bsc#1137503).

  • Silenced Alertmanager alerts in the dashboard (bsc#1141174).

  • Fixed e2e failures in the dashboard caused by the webdriver version (bsc#1145759).

  • librbd always tries to acquire the exclusive lock when removing an image (bsc#1149093).

Fixes in ses-manual_en:

  • Added a new chapter with changelogs of Ceph releases. (bsc#1135584)
  • Rewrote rolling updates and replaced running stage.0 with manual commands to prevent an infinite loop. (bsc#1134444)
  • Expanded the name CaaSP to its full form. (bsc#1151439)
  • Verify which OSDs are going to be removed before running stage.5. (bsc#1150406)
  • Added two additional steps to recovering an OSD. (bsc#1147132)

Fixes in ceph-iscsi:

  • Validate kernel LIO controls type and value (bsc#1140491)
  • TPG lun_id persistence (bsc#1145618)
  • Target level CHAP authentication (bsc#1145617)

ceph-iscsi was updated to the upstream 3.2 release:

  • Always use host FQDN instead of shortname
  • Validate min/max value for target controls and rbd:user/tcmu-runner image controls (bsc#1140491)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Enterprise Storage 6
    zypper in -t patch SUSE-Storage-6-2019-2994=1

Package List:

  • SUSE Enterprise Storage 6 (noarch)
    • ceph-iscsi-3.3+1570532654.g93940a4-3.7.1
    • ses-admin_en-pdf-6+git145.1558531-3.17.1
    • ses-manual_en-6+git145.1558531-3.17.1
    • ses-deployment_en-pdf-6+git145.1558531-3.17.1
