Security update for ceph

SUSE Security Update: Security update for ceph
Announcement ID: SUSE-SU-2016:0806-1
Rating: moderate
References: #926756 #931451 #941628 #945206 #964907 #965619
Affected Products:
  • SUSE Enterprise Storage 1.0

An update that solves one vulnerability and has 5 fixes is now available.

    Description:


    This update provides Ceph 0.8.11, which fixes the following security issue:

    - CVE-2015-5245: A CRLF injection vulnerability in the Ceph Object Gateway
    (aka radosgw or RGW) could allow remote attackers to inject arbitrary HTTP
    headers and conduct HTTP response splitting attacks via a crafted bucket
    name. (bsc#945206)

    The following non-security issues have been fixed:

    - Move ceph-rbdnamer binary from package "ceph" to "ceph-common".
    (bsc#965619)
    - Install /usr/bin/radosgw with mode 0750 and owner root:www. (bsc#964907)
    - Loop over all ceph-related systemd units on rpm removal. (bsc#941628)
    - Perform ceph-disk activate in separate systemd services, rather than in
    udev directly. (bsc#926756)
    - Add hyphen to systemctl reload in logrotate.conf to avoid matching
    ceph.target. (bsc#931451)

    Ceph 0.8.11 also brings a significant number of bug fixes and
    enhancements. For a comprehensive list please refer to the package's
    change log.

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Enterprise Storage 1.0:
      zypper in -t patch SUSE-Storage-1.0-2016-473=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Enterprise Storage 1.0 (x86_64):
      • ceph-0.80.11-8.1
      • ceph-common-0.80.11-8.1
      • ceph-common-debuginfo-0.80.11-8.1
      • ceph-debuginfo-0.80.11-8.1
      • ceph-debugsource-0.80.11-8.1
      • ceph-fuse-0.80.11-8.1
      • ceph-fuse-debuginfo-0.80.11-8.1
      • ceph-radosgw-0.80.11-8.1
      • ceph-radosgw-debuginfo-0.80.11-8.1
      • ceph-test-0.80.11-8.1
      • ceph-test-debuginfo-0.80.11-8.1
      • libcephfs1-0.80.11-8.1
      • libcephfs1-debuginfo-0.80.11-8.1
      • librados2-0.80.11-8.1
      • librados2-debuginfo-0.80.11-8.1
      • librbd1-0.80.11-8.1
      • librbd1-debuginfo-0.80.11-8.1
      • python-ceph-0.80.11-8.1
      • rbd-fuse-0.80.11-8.1
      • rbd-fuse-debuginfo-0.80.11-8.1
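
A post-update check for the fixed package version and the radosgw file mode named in this advisory, as an added example that is not part of the SUSE announcement. The function names are illustrative, and GNU `sort -V` is assumed to approximate rpm's version ordering closely enough for these dotted numeric versions.

```shell
#!/bin/sh
# Added example: verify that the update from SUSE-SU-2016:0806-1 is in place.
FIXED="0.80.11-8.1"   # version-release taken from the advisory's package list

# ver_ge A B: succeeds when A >= B.
# Assumption: `sort -V` stands in for rpm's own version comparison.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# pkg_status NAME VERSION-RELEASE: report one package, fail if it predates the fix.
pkg_status() {
    if ver_ge "$2" "$FIXED"; then
        echo "OK      $1 $2"
    else
        echo "UPDATE  $1 $2 (older than $FIXED)"
        return 1
    fi
}

# radosgw_perms_ok "MODE OWNER:GROUP": succeeds only for the mode and owner
# the update installs (0750, root:www).
radosgw_perms_ok() {
    [ "$1" = "750 root:www" ]
}

# audit_host: query rpm and stat on the local machine; non-zero on any finding.
audit_host() {
    rc=0
    for p in ceph ceph-common ceph-radosgw librados2 librbd1 libcephfs1 python-ceph; do
        # rpm exits non-zero for packages that are not installed; skip those
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$p" 2>/dev/null) || continue
        pkg_status "$p" "$v" || rc=1
    done
    if [ -e /usr/bin/radosgw ]; then
        perms=$(stat -c '%a %U:%G' /usr/bin/radosgw)
        radosgw_perms_ok "$perms" ||
            { echo "PERMS   /usr/bin/radosgw is $perms, expected 750 root:www"; rc=1; }
    fi
    return $rc
}

# Touch the local host only when explicitly asked to.
if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run it with `--audit` on each SUSE Enterprise Storage 1.0 node after `zypper patch`; a non-zero exit status means a package is still below the fixed version or the radosgw binary has unexpected permissions.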

    References: