Security update for ceph

Announcement ID:	SUSE-SU-2016:0806-1
Rating:	moderate
References:	bsc#926756 bsc#931451 bsc#941628 bsc#945206 bsc#964907 bsc#965619
Cross-References:	CVE-2015-5245
CVSS scores:
Affected Products:	SUSE Enterprise Storage 1.0 1

An update that solves one vulnerability and has five security fixes can now be installed.

Description:

This update provides Ceph 0.8.11, which fixes the following security issue:

• CVE-2015-5245: A CRLF injection vulnerability in the Ceph Object Gateway (aka radosgw or RGW) could allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted bucket name. (bsc#945206)

The following non-security issues have been fixed:

• Move ceph-rbdnamer binary from package "ceph" to "ceph-common". (bsc#965619)
• Install /usr/bin/radosgw with mode 0750 and owner root:www. (bsc#964907)
• Loop over all ceph-related systemd units on rpm removal. (bsc#941628)
• Perform ceph-disk activate in separate systemd services, rather than in udev directly. (bsc#926756)
• Add hyphen to systemctl reload in logrotate.conf to avoid matching ceph.target. (bsc#931451)

Ceph 0.8.11 also brings a significant number of bug fixes and enhancements. For a comprehensive list please refer to the package's change log.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Enterprise Storage 1.0 1
  zypper in -t patch SUSE-Storage-1.0-2016-473=1

Package List:

• SUSE Enterprise Storage 1.0 1 (x86_64)
  • ceph-common-debuginfo-0.80.11-8.1
  • ceph-debugsource-0.80.11-8.1
  • librbd1-0.80.11-8.1
  • librados2-debuginfo-0.80.11-8.1
  • ceph-radosgw-0.80.11-8.1
  • ceph-test-debuginfo-0.80.11-8.1
  • python-ceph-0.80.11-8.1
  • ceph-common-0.80.11-8.1
  • rbd-fuse-0.80.11-8.1
  • ceph-debuginfo-0.80.11-8.1
  • ceph-0.80.11-8.1
  • rbd-fuse-debuginfo-0.80.11-8.1
  • ceph-radosgw-debuginfo-0.80.11-8.1
  • ceph-fuse-debuginfo-0.80.11-8.1
  • ceph-test-0.80.11-8.1
  • librbd1-debuginfo-0.80.11-8.1
  • ceph-fuse-0.80.11-8.1
  • librados2-0.80.11-8.1
  • libcephfs1-0.80.11-8.1
  • libcephfs1-debuginfo-0.80.11-8.1

References:

• https://www.suse.com/security/cve/CVE-2015-5245.html
• https://bugzilla.suse.com/show_bug.cgi?id=926756
• https://bugzilla.suse.com/show_bug.cgi?id=931451
• https://bugzilla.suse.com/show_bug.cgi?id=941628
• https://bugzilla.suse.com/show_bug.cgi?id=945206
• https://bugzilla.suse.com/show_bug.cgi?id=964907
• https://bugzilla.suse.com/show_bug.cgi?id=965619