Security update for ceph SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:0306-1 Final 1 1 2019-03-08T10:13:21Z current 2019-03-08T10:13:21Z 2019-03-08T10:13:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ceph This update for ceph fixes the following issues: Security issues fixed: - CVE-2018-14662: mon: limit caps allowed to access the config store (bsc#1111177) - CVE-2018-16846: rgw: enforce bounds on max-keys/max-uploads/max-parts (bsc#1114710) - CVE-2018-16889: rgw: sanitize customer encryption keys from log output in v4 auth (bsc#1121567) Non-security issue fixed: - os/bluestore: avoid frequent allocator dump on bluefs rebalance failure (bsc#1113246) This update was imported from the SUSE:SLE-12-SP3:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-03/msg00016.html E-Mail link for openSUSE-SU-2019:0306-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 ceph-12.2.10+git.1549630712.bb089269ea-21.1 ceph-base-12.2.10+git.1549630712.bb089269ea-21.1 ceph-common-12.2.10+git.1549630712.bb089269ea-21.1 ceph-fuse-12.2.10+git.1549630712.bb089269ea-21.1 ceph-mds-12.2.10+git.1549630712.bb089269ea-21.1 ceph-mgr-12.2.10+git.1549630712.bb089269ea-21.1 ceph-mon-12.2.10+git.1549630712.bb089269ea-21.1 ceph-osd-12.2.10+git.1549630712.bb089269ea-21.1 ceph-radosgw-12.2.10+git.1549630712.bb089269ea-21.1 ceph-resource-agents-12.2.10+git.1549630712.bb089269ea-21.1 ceph-test-12.2.10+git.1549630712.bb089269ea-21.1 libcephfs-devel-12.2.10+git.1549630712.bb089269ea-21.1 libcephfs2-12.2.10+git.1549630712.bb089269ea-21.1 librados-devel-12.2.10+git.1549630712.bb089269ea-21.1 librados2-12.2.10+git.1549630712.bb089269ea-21.1 libradosstriper-devel-12.2.10+git.1549630712.bb089269ea-21.1 libradosstriper1-12.2.10+git.1549630712.bb089269ea-21.1 librbd-devel-12.2.10+git.1549630712.bb089269ea-21.1 librbd1-12.2.10+git.1549630712.bb089269ea-21.1 librgw-devel-12.2.10+git.1549630712.bb089269ea-21.1 librgw2-12.2.10+git.1549630712.bb089269ea-21.1 python-ceph-compat-12.2.10+git.1549630712.bb089269ea-21.1 python-cephfs-12.2.10+git.1549630712.bb089269ea-21.1 python-rados-12.2.10+git.1549630712.bb089269ea-21.1 python-rbd-12.2.10+git.1549630712.bb089269ea-21.1 python-rgw-12.2.10+git.1549630712.bb089269ea-21.1 python3-ceph-argparse-12.2.10+git.1549630712.bb089269ea-21.1 python3-cephfs-12.2.10+git.1549630712.bb089269ea-21.1 python3-rados-12.2.10+git.1549630712.bb089269ea-21.1 python3-rbd-12.2.10+git.1549630712.bb089269ea-21.1 python3-rgw-12.2.10+git.1549630712.bb089269ea-21.1 rados-objclass-devel-12.2.10+git.1549630712.bb089269ea-21.1 rbd-fuse-12.2.10+git.1549630712.bb089269ea-21.1 rbd-mirror-12.2.10+git.1549630712.bb089269ea-21.1 rbd-nbd-12.2.10+git.1549630712.bb089269ea-21.1 ceph-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 ceph-base-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 ceph-common-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 ceph-fuse-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 ceph-mds-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 ceph-mgr-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 ceph-mon-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 ceph-osd-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 ceph-radosgw-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 ceph-resource-agents-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 ceph-test-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 libcephfs-devel-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 libcephfs2-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 librados-devel-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 librados2-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 libradosstriper-devel-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 libradosstriper1-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 librbd-devel-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 librbd1-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 librgw-devel-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 librgw2-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 python-ceph-compat-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 python-cephfs-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 python-rados-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 python-rbd-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 python-rgw-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 python3-ceph-argparse-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 python3-cephfs-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 python3-rados-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 python3-rbd-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 python3-rgw-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 rados-objclass-devel-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 rbd-fuse-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 rbd-mirror-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 rbd-nbd-12.2.10+git.1549630712.bb089269ea-21.1 as a component of openSUSE Leap 42.3 It was found Ceph versions before 13.2.4 that authenticated ceph users with read only permissions could steal dm-crypt encryption keys used in ceph disk encryption. CVE-2018-14662 openSUSE Leap 42.3:ceph-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-base-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-common-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-fuse-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-mds-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-mgr-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-mon-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-osd-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-radosgw-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-resource-agents-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-test-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:libcephfs-devel-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:libcephfs2-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:librados-devel-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:librados2-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:libradosstriper-devel-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:libradosstriper1-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:librbd-devel-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:librbd1-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:librgw-devel-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:librgw2-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python-ceph-compat-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python-cephfs-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python-rados-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python-rbd-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python-rgw-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python3-ceph-argparse-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python3-cephfs-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python3-rados-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python3-rbd-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python3-rgw-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:rados-objclass-devel-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:rbd-fuse-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:rbd-mirror-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:rbd-nbd-12.2.10+git.1549630712.bb089269ea-21.1 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-03/msg00016.html https://www.suse.com/security/cve/CVE-2018-14662.html CVE-2018-14662 https://bugzilla.suse.com/1111177 SUSE Bug 1111177 https://bugzilla.suse.com/1114710 SUSE Bug 1114710 It was found in Ceph versions before 13.2.4 that authenticated ceph RGW users can cause a denial of service against OMAPs holding bucket indices. CVE-2018-16846 openSUSE Leap 42.3:ceph-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-base-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-common-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-fuse-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-mds-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-mgr-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-mon-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-osd-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-radosgw-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-resource-agents-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-test-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:libcephfs-devel-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:libcephfs2-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:librados-devel-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:librados2-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:libradosstriper-devel-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:libradosstriper1-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:librbd-devel-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:librbd1-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:librgw-devel-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:librgw2-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python-ceph-compat-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python-cephfs-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python-rados-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python-rbd-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python-rgw-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python3-ceph-argparse-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python3-cephfs-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python3-rados-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python3-rbd-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python3-rgw-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:rados-objclass-devel-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:rbd-fuse-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:rbd-mirror-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:rbd-nbd-12.2.10+git.1549630712.bb089269ea-21.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-03/msg00016.html https://www.suse.com/security/cve/CVE-2018-16846.html CVE-2018-16846 https://bugzilla.suse.com/1114710 SUSE Bug 1114710 Ceph does not properly sanitize encryption keys in debug logging for v4 auth. This results in the leaking of encryption key information in log files via plaintext. Versions up to v13.2.4 are vulnerable. CVE-2018-16889 openSUSE Leap 42.3:ceph-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-base-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-common-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-fuse-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-mds-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-mgr-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-mon-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-osd-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-radosgw-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-resource-agents-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:ceph-test-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:libcephfs-devel-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:libcephfs2-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:librados-devel-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:librados2-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:libradosstriper-devel-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:libradosstriper1-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:librbd-devel-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:librbd1-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:librgw-devel-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:librgw2-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python-ceph-compat-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python-cephfs-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python-rados-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python-rbd-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python-rgw-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python3-ceph-argparse-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python3-cephfs-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python3-rados-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python3-rbd-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:python3-rgw-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:rados-objclass-devel-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:rbd-fuse-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:rbd-mirror-12.2.10+git.1549630712.bb089269ea-21.1 openSUSE Leap 42.3:rbd-nbd-12.2.10+git.1549630712.bb089269ea-21.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-03/msg00016.html https://www.suse.com/security/cve/CVE-2018-16889.html CVE-2018-16889 https://bugzilla.suse.com/1121567 SUSE Bug 1121567