Security update for ceph
Announcement ID: | SUSE-SU-2016:0806-1 |
Rating: | moderate |
References: | #926756 #931451 #941628 #945206 #964907 #965619 |
Affected Products: |
An update that solves one vulnerability and has 5 fixes is now available.
Description:
This update provides Ceph 0.8.11, which fixes the following security issue:
- CVE-2015-5245: A CRLF injection vulnerability in the Ceph Object Gateway
(aka radosgw
or RGW) could allow remote attackers to inject arbitrary HTTP headers
and conduct HTTP response splitting attacks via a crafted bucket name.
(bsc#945206)
The following non-security issues have been fixed:
- Move ceph-rbdnamer binary from package "ceph" to "ceph-common".
(bsc#965619)
- Install /usr/bin/radosgw with mode 0750 and owner root:www. (bsc#964907)
- Loop over all ceph-related systemd units on rpm removal. (bsc#941628)
- Perform ceph-disk activate in separate systemd services, rather than in
udev directly. (bsc#926756)
- Add hyphen to systemctl reload in logrotate.conf to avoid matching
ceph.target. (bsc#931451)
Ceph 0.8.11 also brings a significant number of bug fixes and
enhancements. For a comprehensive list please refer to the package's
change log.
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Enterprise Storage 1.0:
zypper in -t patch SUSE-Storage-1.0-2016-473=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Enterprise Storage 1.0 (x86_64):
- ceph-0.80.11-8.1
- ceph-common-0.80.11-8.1
- ceph-common-debuginfo-0.80.11-8.1
- ceph-debuginfo-0.80.11-8.1
- ceph-debugsource-0.80.11-8.1
- ceph-fuse-0.80.11-8.1
- ceph-fuse-debuginfo-0.80.11-8.1
- ceph-radosgw-0.80.11-8.1
- ceph-radosgw-debuginfo-0.80.11-8.1
- ceph-test-0.80.11-8.1
- ceph-test-debuginfo-0.80.11-8.1
- libcephfs1-0.80.11-8.1
- libcephfs1-debuginfo-0.80.11-8.1
- librados2-0.80.11-8.1
- librados2-debuginfo-0.80.11-8.1
- librbd1-0.80.11-8.1
- librbd1-debuginfo-0.80.11-8.1
- python-ceph-0.80.11-8.1
- rbd-fuse-0.80.11-8.1
- rbd-fuse-debuginfo-0.80.11-8.1