Security update for ceph, deepsea

Announcement ID:	SUSE-SU-2021:1472-1
Rating:	important
References:	bsc#1145463 bsc#1174466 bsc#1177200 bsc#1178016 bsc#1178216 bsc#1178235 bsc#1178657 bsc#1178837 bsc#1178860 bsc#1178905 bsc#1179997 bsc#1180118 bsc#1180594 bsc#1181183 bsc#1181378 bsc#1181665 bsc#1183074 bsc#1183487 bsc#1183600
Cross-References:	CVE-2020-25678 CVE-2020-27839 CVE-2021-20288
CVSS scores:	CVE-2020-25678 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVE-2020-27839 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2020-27839 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVE-2021-20288 ( SUSE ): 8.0 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2021-20288 ( NVD ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Enterprise Storage 6 SUSE Linux Enterprise Server 15 SP1

An update that solves three vulnerabilities and has 16 security fixes can now be installed.

Description:

This update for ceph, deepsea fixes the following issues:

• ceph was updated to 14.2.20-402-g6aa76c6815:

  • CVE-2021-20288: Fixed unauthorized global_id reuse (bsc#1183074).
  • CVE-2020-25678: Do not add sensitive information in Ceph log files (bsc#1178905).
  • CVE-2020-27839: Use secure cookies to store JWT Token (bsc#1179997).
  • mgr/dashboard: prometheus alerting: add some leeway for package drops and errors (bsc#1145463)
  • mon: have 'mon stat' output json as well (bsc#1174466)
  • rpm: ceph-mgr-dashboard recommends python3-saml on SUSE (bsc#1177200)
  • mgr/dashboard: Display a warning message in Dashboard when debug mode is enabled (bsc#1178235)
  • rgw: cls/user: set from_index for reset stats calls (bsc#1178837)
  • mgr/dashboard: Disable TLS 1.0 and 1.1 (bsc#1178860)
  • bluestore: provide a different name for fallback allocator (bsc#1180118)
  • test/run-cli-tests: use cram from github (bsc#1181378)
  • mgr/dashboard: fix "Python2 Cookie module import fails on Python3" (bsc#1183487)
  • common: make ms_bind_msgr2 default to 'false' (bsc#1180594)

• deapsea was updated to 0.9.35

  • osd: add method to zap simple osds (bsc#1178657, bsc#1178216)
  • upgrade to cephadm: fix Drive Group generation (bsc#1181665)
  • Rework config change detection to handle global.conf correctly (bsc#1181183)
  • Use -i to pass credentials to ceph dashboard commands (bsc#1183600)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Enterprise Storage 6
  zypper in -t patch SUSE-Storage-6-2021-1472=1

Package List:

• SUSE Enterprise Storage 6 (noarch)
  • deepsea-0.9.35+git.0.5a1dc9fe-3.34.1
  • deepsea-cli-0.9.35+git.0.5a1dc9fe-3.34.1

References:

• https://www.suse.com/security/cve/CVE-2020-25678.html
• https://www.suse.com/security/cve/CVE-2020-27839.html
• https://www.suse.com/security/cve/CVE-2021-20288.html
• https://bugzilla.suse.com/show_bug.cgi?id=1145463
• https://bugzilla.suse.com/show_bug.cgi?id=1174466
• https://bugzilla.suse.com/show_bug.cgi?id=1177200
• https://bugzilla.suse.com/show_bug.cgi?id=1178016
• https://bugzilla.suse.com/show_bug.cgi?id=1178216
• https://bugzilla.suse.com/show_bug.cgi?id=1178235
• https://bugzilla.suse.com/show_bug.cgi?id=1178657
• https://bugzilla.suse.com/show_bug.cgi?id=1178837
• https://bugzilla.suse.com/show_bug.cgi?id=1178860
• https://bugzilla.suse.com/show_bug.cgi?id=1178905
• https://bugzilla.suse.com/show_bug.cgi?id=1179997
• https://bugzilla.suse.com/show_bug.cgi?id=1180118
• https://bugzilla.suse.com/show_bug.cgi?id=1180594
• https://bugzilla.suse.com/show_bug.cgi?id=1181183
• https://bugzilla.suse.com/show_bug.cgi?id=1181378
• https://bugzilla.suse.com/show_bug.cgi?id=1181665
• https://bugzilla.suse.com/show_bug.cgi?id=1183074
• https://bugzilla.suse.com/show_bug.cgi?id=1183487
• https://bugzilla.suse.com/show_bug.cgi?id=1183600