Security update for SES 1.0

SUSE Security Update: Security update for SES 1.0

Announcement ID:	SUSE-SU-2015:1102-1
Rating:	moderate
References:	#889053 #903007 #907510 #915567 #915783 #919091 #919313 #919965 #920926 #924269 #924894 #927862 #929553 #929886 #929914
Affected Products:	SUSE Enterprise Storage 1.0

An update that solves three vulnerabilities and has 12 fixes is now available.

Description:

This collective update for SUSE Enterprise Storage 1.0 provides fixes and
enhancements.

ceph (update to version 0.80.9):

- Support non-ASCII characters. (bnc#907510)
- Fixes issue with more than one OSD / MON on same node. (bnc#927862)
- Reinstates Environment=CLUSTER=ceph lines removed by last patch.
(bnc#915567)
- Use same systemd service files for all cluster names. (bnc#915567)
- In OSDMonitor fallback to json-pretty in case of invalid formatter.
(bnc#919313)
- Increase max files to 131072 for ceph-osd daemon. (bnc#924894)
- Fix "OSDs shutdown during rados benchmark tests". (bnc#924269)
- Add SuSEfirewall2 service files for Ceph MON, OSD and MDS. (bnc#919091)
- Added support for multiple cluster names with systemd to ceph-disk.
(bnc#915567)
- Move udev rules for rbd devices to the client package ceph-common.
- Several issues reported upstream have been fixed: #9973 #9918 #9907
#9877 #9854 #9587 #9479 #9478 #9254 #5595 #10978 #10965 #10907 #10553
#10471 #10421 #10307 #10299 #10271 #10271 #10270 #10262 #10103 #10095.

ceph-deploy:

- Drop support for multiple customer names on the same hardware.
(bsc#915567)
- Check for errors when generating rgw keys. (bsc#915783)
- Do not import new repository keys automatically when installing packages
with Zypper. (bsc#919965)
- Improved detection of disk vs. OSD block devices with a simple set of
tests. (bsc#889053)
- Do not create keyring files as world-readable. (bsc#920926,
CVE-2015-3010)
- Added support for multiple cluster names with systemd to ceph-disk.
(bnc#915567)

calamari-clients:

- Reduce krakenFailThreshold to 5 minutes. (bsc#903007)

python-Pillow (update to version 2.7.0):

- Fix issues in Jpeg2KImagePlugin and IcnsImagePlugin which could have
allowed denial of service attacks. (CVE-2014-3598, CVE-2014-3589)

python-djangorestframework:

- Escape URLs when replacing format= query parameter, as used in dropdown
on GET button in browsable API to allow explicit selection of JSON vs
HTML output. (bsc#929914)
- Escape request path when it is include as part of the login and logout
links in the browsable API. (bsc#929886)

For a comprehensive list of changes please refer to each package's change
log.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

SUSE Enterprise Storage 1.0:
zypper in -t patch SUSE-Storage-1.0-2015-250=1

To bring your system up-to-date, use "zypper patch".

Package List:

SUSE Enterprise Storage 1.0 (x86_64):
- ceph-0.80.9-5.1
- ceph-common-0.80.9-5.1
- ceph-common-debuginfo-0.80.9-5.1
- ceph-debuginfo-0.80.9-5.1
- ceph-debugsource-0.80.9-5.1
- ceph-fuse-0.80.9-5.1
- ceph-fuse-debuginfo-0.80.9-5.1
- ceph-radosgw-0.80.9-5.1
- ceph-radosgw-debuginfo-0.80.9-5.1
- ceph-test-0.80.9-5.1
- ceph-test-debuginfo-0.80.9-5.1
- libcephfs1-0.80.9-5.1
- libcephfs1-debuginfo-0.80.9-5.1
- librados2-0.80.9-5.1
- librados2-debuginfo-0.80.9-5.1
- librbd1-0.80.9-5.1
- librbd1-debuginfo-0.80.9-5.1
- python-Pillow-2.7.0-4.1
- python-Pillow-debuginfo-2.7.0-4.1
- python-Pillow-debugsource-2.7.0-4.1
- python-ceph-0.80.9-5.1
- rbd-fuse-0.80.9-5.1
- rbd-fuse-debuginfo-0.80.9-5.1
SUSE Enterprise Storage 1.0 (noarch):
- calamari-clients-1.2.2+git.1428648634.40dfe5b-3.1
- ceph-deploy-1.5.19+git.1431355031.6178cf3-9.1
- python-djangorestframework-2.3.12-4.2

Security update for SES 1.0

Description:

Patch Instructions:

Package List:

References: