Security update for ceph SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0494-1 Final 1 1 2020-04-10T08:18:45Z current 2020-04-10T08:18:45Z 2020-04-10T08:18:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ceph This update for ceph fixes the following issues: - CVE-2020-1759: Fixed once reuse in msgr V2 secure mode (bsc#1166403) - CVE-2020-1760: Fixed XSS due to RGW GetObject header-splitting (bsc#1166484). This update was imported from the SUSE:SLE-15-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-494 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OJSWL6WBI6VWKUYIMTPZODQDWMNXKFCV/ E-Mail link for openSUSE-SU-2020:0494-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1166403 SUSE Bug 1166403 https://bugzilla.suse.com/1166484 SUSE Bug 1166484 https://www.suse.com/security/cve/CVE-2020-1759/ SUSE CVE CVE-2020-1759 page https://www.suse.com/security/cve/CVE-2020-1760/ SUSE CVE CVE-2020-1760 page openSUSE Leap 15.1 ceph-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-base-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-common-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-dashboard-e2e-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-fuse-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-grafana-dashboards-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-mds-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-mgr-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-mgr-dashboard-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-mgr-diskprediction-cloud-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-mgr-diskprediction-local-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-mgr-k8sevents-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-mgr-rook-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-mgr-ssh-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-mon-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-osd-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-prometheus-alerts-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-radosgw-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-resource-agents-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-test-14.2.5.389+gb0f23ac248-lp151.2.13.1 cephfs-shell-14.2.5.389+gb0f23ac248-lp151.2.13.1 libcephfs-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 libcephfs2-14.2.5.389+gb0f23ac248-lp151.2.13.1 librados-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 librados2-14.2.5.389+gb0f23ac248-lp151.2.13.1 libradospp-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 libradosstriper-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 libradosstriper1-14.2.5.389+gb0f23ac248-lp151.2.13.1 librbd-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 librbd1-14.2.5.389+gb0f23ac248-lp151.2.13.1 librgw-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 librgw2-14.2.5.389+gb0f23ac248-lp151.2.13.1 python3-ceph-argparse-14.2.5.389+gb0f23ac248-lp151.2.13.1 python3-cephfs-14.2.5.389+gb0f23ac248-lp151.2.13.1 python3-rados-14.2.5.389+gb0f23ac248-lp151.2.13.1 python3-rbd-14.2.5.389+gb0f23ac248-lp151.2.13.1 python3-rgw-14.2.5.389+gb0f23ac248-lp151.2.13.1 rados-objclass-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 rbd-fuse-14.2.5.389+gb0f23ac248-lp151.2.13.1 rbd-mirror-14.2.5.389+gb0f23ac248-lp151.2.13.1 rbd-nbd-14.2.5.389+gb0f23ac248-lp151.2.13.1 ceph-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 ceph-base-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 ceph-common-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 ceph-dashboard-e2e-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 ceph-fuse-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 ceph-grafana-dashboards-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 ceph-mds-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 ceph-mgr-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 ceph-mgr-dashboard-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 ceph-mgr-diskprediction-cloud-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 ceph-mgr-diskprediction-local-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 ceph-mgr-k8sevents-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 ceph-mgr-rook-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 ceph-mgr-ssh-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 ceph-mon-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 ceph-osd-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 ceph-prometheus-alerts-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 ceph-radosgw-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 ceph-resource-agents-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 ceph-test-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 cephfs-shell-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 libcephfs-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 libcephfs2-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 librados-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 librados2-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 libradospp-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 libradosstriper-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 libradosstriper1-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 librbd-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 librbd1-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 librgw-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 librgw2-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 python3-ceph-argparse-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 python3-cephfs-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 python3-rados-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 python3-rbd-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 python3-rgw-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 rados-objclass-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 rbd-fuse-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 rbd-mirror-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 rbd-nbd-14.2.5.389+gb0f23ac248-lp151.2.13.1 as a component of openSUSE Leap 15.1 A vulnerability was found in Red Hat Ceph Storage 4 and Red Hat Openshift Container Storage 4.2 where, A nonce reuse vulnerability was discovered in the secure mode of the messenger v2 protocol, which can allow an attacker to forge auth tags and potentially manipulate the data by leveraging the reuse of a nonce in a session. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. CVE-2020-1759 openSUSE Leap 15.1:ceph-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-base-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-common-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-dashboard-e2e-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-fuse-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-grafana-dashboards-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-mds-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-mgr-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-mgr-dashboard-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-mgr-diskprediction-cloud-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-mgr-diskprediction-local-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-mgr-k8sevents-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-mgr-rook-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-mgr-ssh-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-mon-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-osd-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-prometheus-alerts-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-radosgw-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-resource-agents-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-test-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:cephfs-shell-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:libcephfs-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:libcephfs2-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:librados-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:librados2-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:libradospp-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:libradosstriper-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:libradosstriper1-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:librbd-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:librbd1-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:librgw-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:librgw2-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:python3-ceph-argparse-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:python3-cephfs-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:python3-rados-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:python3-rbd-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:python3-rgw-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:rados-objclass-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:rbd-fuse-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:rbd-mirror-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:rbd-nbd-14.2.5.389+gb0f23ac248-lp151.2.13.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OJSWL6WBI6VWKUYIMTPZODQDWMNXKFCV/ https://www.suse.com/security/cve/CVE-2020-1759.html CVE-2020-1759 https://bugzilla.suse.com/1166403 SUSE Bug 1166403 A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input. CVE-2020-1760 openSUSE Leap 15.1:ceph-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-base-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-common-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-dashboard-e2e-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-fuse-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-grafana-dashboards-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-mds-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-mgr-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-mgr-dashboard-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-mgr-diskprediction-cloud-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-mgr-diskprediction-local-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-mgr-k8sevents-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-mgr-rook-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-mgr-ssh-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-mon-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-osd-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-prometheus-alerts-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-radosgw-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-resource-agents-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:ceph-test-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:cephfs-shell-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:libcephfs-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:libcephfs2-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:librados-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:librados2-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:libradospp-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:libradosstriper-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:libradosstriper1-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:librbd-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:librbd1-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:librgw-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:librgw2-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:python3-ceph-argparse-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:python3-cephfs-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:python3-rados-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:python3-rbd-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:python3-rgw-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:rados-objclass-devel-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:rbd-fuse-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:rbd-mirror-14.2.5.389+gb0f23ac248-lp151.2.13.1 openSUSE Leap 15.1:rbd-nbd-14.2.5.389+gb0f23ac248-lp151.2.13.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OJSWL6WBI6VWKUYIMTPZODQDWMNXKFCV/ https://www.suse.com/security/cve/CVE-2020-1760.html CVE-2020-1760 https://bugzilla.suse.com/1166484 SUSE Bug 1166484