Security update for ceph, deepsea

Announcement ID: SUSE-SU-2020:3257-1
Rating: moderate
CVSS scores:
  • CVE-2020-10753 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  • CVE-2020-10753 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  • CVE-2020-10753 ( NVD ): 5.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products:
  • SUSE Enterprise Storage 6
  • SUSE Linux Enterprise Server 15 SP1

An update that solves one vulnerability and has 35 security fixes can now be installed.

Description:

This update for ceph, deepsea fixes the following issues:

  • Update to 14.2.13-398-gb6c514eec7:
    • Upstream 14.2.13 release, see https://ceph.io/releases/v14-2-13-nautilus-released/
    • (bsc#1151612, bsc#1158257) ceph-volume: major batch refactor
  • Update to 14.2.12-436-g6feab505b7:
    • Upstream 14.2.12 release, see https://ceph.io/releases/v14-2-12-nautilus-released/
    • (bsc#1169134) mgr/dashboard: document Prometheus' security model
    • (bsc#1170487) monclient: schedule first tick using mon_client_hunt_interval
    • (bsc#1174591) mgr/dashboard: Unable to edit iSCSI logged-in client
    • (bsc#1174591) mgr/dashboard: Allow editing iSCSI targets with initiators logged-in
    • (bsc#1175061) os/bluestore: dump onode that has too many spanning blobs
    • (bsc#1175240) pybind/mgr/restful: use dict.items() for py3 compatible
    • (bsc#1175781) ceph-volume: lvmcache: print help correctly
    • spec: move python-enum34 into rhel 7 conditional
  • Update to 14.2.11-394-g9cbbc473c0:
    • Upstream 14.2.11 release, see https://ceph.io/releases/v14-2-11-nautilus-released/
    • mgr/progress: Skip pg_summary update if _events dict is empty (bsc#1167477) (bsc#1172142) (bsc#1171956)
    • mgr/dashboard: Allow to edit iSCSI target with active session (bsc#1173339)
  • Update to 14.2.10-392-gb3a13b81cb:
    • Upstream 14.2.10 release, see https://ceph.io/releases/v14-2-10-nautilus-released/
    • mgr: Improve internal python to c++ interface (bsc#1167477)
  • Update to 14.2.9-970-ged84cae0c9:
    • rgw: sanitize newlines in s3 CORSConfiguration's ExposeHeader (bsc#1171921, CVE-2020-10753)
  • Update to 14.2.9-969-g9917342dc8d:
    • rebase on top of upstream nautilus, SHA1 ccd9c04f88e53aef7e4f1068ce1221fa3b97450d
    • cmake: Improve test for 16-byte atomic support on IBM Z
    • (jsc#SES-680) monitoring: add details to Prometheus alerts
    • (bsc#1155045) mgr/dashboard: add debug mode, and accept expected exception when SSL handshaking
    • (bsc#1152100) monitoring: alert for prediction of disk and pool fill up broken
    • (bsc#1155262) mgr/dashboard: iSCSI targets not available if any gateway is down
    • (bsc#1159689) os/bluestore: more flexible DB volume space usage
    • (bsc#1156087) ceph-volume: make get_devices fs location independent
    • (bsc#1156409) monitoring: wait before firing osd full alert
    • (bsc#1160626) mgr/dashboard: Unable to remove an iSCSI gateway that is already in use
    • (bsc#1161718) mount.ceph: remove arbitrary limit on size of name= option
    • (bsc#1162553) ceph-volume: strip _dmcrypt suffix in simple scan json output
    • (bsc#1163119) mgr/dashboard: Not able to restrict bucket creation for new user
    • (bsc#1164571) mgr/dashboard: Prevent iSCSI target recreation when editing controls
    • (bsc#1165713) mgr/dashboard: Repair broken grafana panels
    • (bsc#1165835) rgw: get barbican secret key request maybe return error code
    • (bsc#1165840) rgw: making implicit_tenants backwards compatible
    • (bsc#1166297) mgr/dashboard: Repair broken grafana panels
    • (bsc#1166393) mgr/dashboard: KeyError on dashboard reload
    • (bsc#1166624) mgr/dashboard: Fix iSCSI's username and password validation
    • (bsc#1166670) monitoring: root volume full alert fires false positives
    • (bsc#1166932) mgr: synchronize ClusterState's health and mon_status
    • (bsc#1168403) mgr/dashboard: Add more debug information to Dashboard RGW backend
    • (bsc#1169356) rgw: reshard: skip stale bucket id entries from reshard queue
    • (bsc#1170938) mon/OSDMonitor: allow trimming maps even if osds are down
    • (bsc#1171367) Set OSD's bluefs-buffered-io param to false by default
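The rgw item fixed as CVE-2020-10753 concerns newline characters in a bucket's S3 CORSConfiguration ExposeHeader values, which the gateway would otherwise echo back inside the Access-Control-Expose-Headers response header. The following is an added illustration of that sanitization check, not Ceph's rgw code; it assumes the standard S3 CORS XML layout and uses a constructed sample document.

```python
# Added example (not Ceph's rgw code): validate S3 CORSConfiguration
# <ExposeHeader> values before they are reflected into the
# Access-Control-Expose-Headers response header. A CR/LF or other
# non-token character in a value must be rejected, otherwise it would
# terminate the header line and allow extra headers to be injected.
import re
import xml.etree.ElementTree as ET

# RFC 7230 "token" characters: the only ones legal in a header field name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Constructed sample bucket CORS policy; the third ExposeHeader carries a
# CR/LF followed by a fabricated header line to exercise the check.
SAMPLE_CORS = (
    '<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    "<CORSRule><AllowedOrigin>https://app.example</AllowedOrigin>"
    "<AllowedMethod>GET</AllowedMethod>"
    "<ExposeHeader>x-amz-request-id</ExposeHeader>"
    "<ExposeHeader>ETag</ExposeHeader>"
    "<ExposeHeader>x-amz-id-2\r\nX-Constructed: injected</ExposeHeader>"
    "</CORSRule></CORSConfiguration>"
)


def validate_expose_headers(cors_xml: str) -> tuple[list[str], list[str]]:
    """Split ExposeHeader values into (accepted, rejected) lists.

    Tag matching ignores the XML namespace so documents with or without
    the S3 default namespace are handled alike.
    """
    accepted, rejected = [], []
    for el in ET.fromstring(cors_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "ExposeHeader":
            continue
        value = el.text or ""
        (accepted if _TOKEN_RE.match(value) else rejected).append(value)
    return accepted, rejected


def build_expose_header(accepted: list[str]) -> str:
    """Build the Access-Control-Expose-Headers value from validated names only."""
    return ", ".join(accepted)


if __name__ == "__main__":
    ok, bad = validate_expose_headers(SAMPLE_CORS)
    print("header:", build_expose_header(ok))
    print("rejected:", [repr(v) for v in bad])
```

Note that the XML parser normalizes CRLF to LF in element text, so the rejected value still contains a newline and is still refused by the token check.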

  • Version: 0.9.33
    • drop workarounds for old ceph-volume lvm batch command
    • runners/upgrade: Add SES6->7 pre-upgrade checks

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Enterprise Storage 6
    zypper in -t patch SUSE-Storage-6-2020-3257=1

Package List:

  • SUSE Enterprise Storage 6 (noarch)
    • deepsea-0.9.33+git.0.ed16d26e-3.27.1
    • deepsea-cli-0.9.33+git.0.ed16d26e-3.27.1
