Security update for ceph SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:1576-1 Final 1 1 2018-06-07T13:11:11Z current 2018-06-07T13:11:11Z 2018-06-07T13:11:11Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ceph This update for ceph to 12.2.5-407-g5e7ea8cf03 fixes the following issues: Security issue fixed: - CVE-2018-7262: The rgw_civetweb.cc RGWCivetWeb::init_env function in radosgw doesn't handle malformed HTTP headers properly, allowing for denial of service. rgw: make init env methods return an error (bsc#1081379) Other issues fixed: - osd: do not crash on empty snapset (bsc#1074301) - mon: add 'ceph osd pool get erasure allow_ec_overwrites' command (bsc#1087269) - journal: limit number of appends sent in one librados op (bsc#1086340) - RGW user stats fixes (bsc#1087493) - rgw openssl fixes (bsc#1079076, bsc#1081379) - rocksdb: fixes early metadata spill over to slow device in bluefs (bsc#1071386) - mon: reenable timer to send digest when paxos is temporarily inactive (bsc#1070357) - fsid mismatch when creating additional OSDs (bsc#1080788) - crash in civetweb/RGW (bsc#1081600) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-Storage-5-2018-1092 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20181576-1/ Link for SUSE-SU-2018:1576-1 https://lists.suse.com/pipermail/sle-security-updates/2018-June/004163.html E-Mail link for SUSE-SU-2018:1576-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1070357 SUSE Bug 1070357 https://bugzilla.suse.com/1071386 SUSE Bug 1071386 https://bugzilla.suse.com/1074301 SUSE Bug 1074301 https://bugzilla.suse.com/1079076 SUSE Bug 1079076 https://bugzilla.suse.com/1080788 SUSE Bug 1080788 https://bugzilla.suse.com/1081379 SUSE Bug 1081379 https://bugzilla.suse.com/1081600 SUSE Bug 1081600 https://bugzilla.suse.com/1086340 SUSE Bug 1086340 https://bugzilla.suse.com/1087269 SUSE Bug 1087269 https://bugzilla.suse.com/1087493 SUSE Bug 1087493 https://www.suse.com/security/cve/CVE-2018-7262/ SUSE CVE CVE-2018-7262 page SUSE Enterprise Storage 5 ceph-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 ceph-base-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 ceph-common-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 ceph-fuse-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 ceph-mds-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 ceph-mgr-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 ceph-mon-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 ceph-osd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 ceph-radosgw-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 libcephfs2-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 librados2-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 libradosstriper1-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 librbd1-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 librgw2-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 python-ceph-compat-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 python-cephfs-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 python-rados-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 python-rbd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 python-rgw-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 python3-ceph-argparse-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 python3-cephfs-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 python3-rados-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 python3-rbd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 python3-rgw-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 rbd-fuse-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 rbd-mirror-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 rbd-nbd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 ceph-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 ceph-base-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 ceph-common-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 ceph-fuse-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 ceph-mds-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 ceph-mgr-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 ceph-mon-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 ceph-osd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 ceph-radosgw-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 libcephfs2-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 librados2-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 libradosstriper1-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 librbd1-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 librgw2-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 python-ceph-compat-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 python-cephfs-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 python-rados-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 python-rbd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 python-rgw-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 python3-ceph-argparse-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 python3-cephfs-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 python3-rados-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 python3-rbd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 python3-rgw-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 rbd-fuse-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 rbd-mirror-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 rbd-nbd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 as a component of SUSE Enterprise Storage 5 In Ceph before 12.2.3 and 13.x through 13.0.1, the rgw_civetweb.cc RGWCivetWeb::init_env function in radosgw doesn't handle malformed HTTP headers properly, allowing for denial of service. CVE-2018-7262 SUSE Enterprise Storage 5:ceph-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:ceph-base-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:ceph-common-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:ceph-fuse-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:ceph-mds-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:ceph-mgr-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:ceph-mon-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:ceph-osd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:ceph-radosgw-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:libcephfs2-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:librados2-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:libradosstriper1-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:librbd1-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:librgw2-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:python-ceph-compat-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:python-cephfs-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:python-rados-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:python-rbd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:python-rgw-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:python3-ceph-argparse-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:python3-cephfs-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:python3-rados-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:python3-rbd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:python3-rgw-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:rbd-fuse-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:rbd-mirror-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 SUSE Enterprise Storage 5:rbd-nbd-12.2.5+git.1524775272.5e7ea8cf03-2.13.3 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20181576-1/ https://www.suse.com/security/cve/CVE-2018-7262.html CVE-2018-7262 https://bugzilla.suse.com/1081379 SUSE Bug 1081379