Security update for ceph SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:0806-1 Final 1 1 2016-03-17T14:39:05Z current 2016-03-17T14:39:05Z 2016-03-17T14:39:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ceph This update provides Ceph 0.8.11, which fixes the following security issue: - CVE-2015-5245: A CRLF injection vulnerability in the Ceph Object Gateway (aka radosgw or RGW) could allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted bucket name. (bsc#945206) The following non-security issues have been fixed: - Move ceph-rbdnamer binary from package 'ceph' to 'ceph-common'. (bsc#965619) - Install /usr/bin/radosgw with mode 0750 and owner root:www. (bsc#964907) - Loop over all ceph-related systemd units on rpm removal. (bsc#941628) - Perform ceph-disk activate in separate systemd services, rather than in udev directly. (bsc#926756) - Add hyphen to systemctl reload in logrotate.conf to avoid matching ceph.target. (bsc#931451) Ceph 0.8.11 also brings a significant number of bug fixes and enhancements. For a comprehensive list please refer to the package's change log. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-Storage-1.0-2016-473 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20160806-1/ Link for SUSE-SU-2016:0806-1 https://lists.suse.com/pipermail/sle-security-updates/2016-March/001952.html E-Mail link for SUSE-SU-2016:0806-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/926756 SUSE Bug 926756 https://bugzilla.suse.com/931451 SUSE Bug 931451 https://bugzilla.suse.com/941628 SUSE Bug 941628 https://bugzilla.suse.com/945206 SUSE Bug 945206 https://bugzilla.suse.com/964907 SUSE Bug 964907 https://bugzilla.suse.com/965619 SUSE Bug 965619 https://www.suse.com/security/cve/CVE-2015-5245/ SUSE CVE CVE-2015-5245 page SUSE Enterprise Storage 1.0 ceph-0.80.11-8.1 ceph-common-0.80.11-8.1 ceph-fuse-0.80.11-8.1 ceph-radosgw-0.80.11-8.1 ceph-test-0.80.11-8.1 libcephfs1-0.80.11-8.1 librados2-0.80.11-8.1 librbd1-0.80.11-8.1 python-ceph-0.80.11-8.1 rbd-fuse-0.80.11-8.1 ceph-0.80.11-8.1 as a component of SUSE Enterprise Storage 1.0 ceph-common-0.80.11-8.1 as a component of SUSE Enterprise Storage 1.0 ceph-fuse-0.80.11-8.1 as a component of SUSE Enterprise Storage 1.0 ceph-radosgw-0.80.11-8.1 as a component of SUSE Enterprise Storage 1.0 ceph-test-0.80.11-8.1 as a component of SUSE Enterprise Storage 1.0 libcephfs1-0.80.11-8.1 as a component of SUSE Enterprise Storage 1.0 librados2-0.80.11-8.1 as a component of SUSE Enterprise Storage 1.0 librbd1-0.80.11-8.1 as a component of SUSE Enterprise Storage 1.0 python-ceph-0.80.11-8.1 as a component of SUSE Enterprise Storage 1.0 rbd-fuse-0.80.11-8.1 as a component of SUSE Enterprise Storage 1.0 CRLF injection vulnerability in the Ceph Object Gateway (aka radosgw or RGW) in Ceph before 0.94.4 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted bucket name. CVE-2015-5245 SUSE Enterprise Storage 1.0:ceph-0.80.11-8.1 SUSE Enterprise Storage 1.0:ceph-common-0.80.11-8.1 SUSE Enterprise Storage 1.0:ceph-fuse-0.80.11-8.1 SUSE Enterprise Storage 1.0:ceph-radosgw-0.80.11-8.1 SUSE Enterprise Storage 1.0:ceph-test-0.80.11-8.1 SUSE Enterprise Storage 1.0:libcephfs1-0.80.11-8.1 SUSE Enterprise Storage 1.0:librados2-0.80.11-8.1 SUSE Enterprise Storage 1.0:librbd1-0.80.11-8.1 SUSE Enterprise Storage 1.0:python-ceph-0.80.11-8.1 SUSE Enterprise Storage 1.0:rbd-fuse-0.80.11-8.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160806-1/ https://www.suse.com/security/cve/CVE-2015-5245.html CVE-2015-5245 https://bugzilla.suse.com/945206 SUSE Bug 945206