Описание
Security update for ceph
This update for ceph fixes the following issues:
- ceph was updated to to 15.2.9
- cephadm: fix 'inspect' and 'pull' (bsc#1182766)
- CVE-2020-27839: mgr/dashboard: Use secure cookies to store JWT Token (bsc#1179997)
- CVE-2020-25678: Do not add sensitive information in Ceph log files (bsc#1178905)
- mgr/orchestrator: Sort 'ceph orch device ls' by host (bsc#1172926)
- mgr/dashboard: enable different URL for users of browser to Grafana (bsc#1176390, bsc#1176679)
- mgr/cephadm: lock multithreaded access to OSDRemovalQueue (bsc#1176489)
- cephadm: command_unit: call systemctl with verbose=True (bsc#1176828)
- cephadm: silence 'Failed to evict container' log msg (bsc#1177360)
- mgr/cephadm: upgrade: fail gracefully, if daemon redeploy fails (bsc#1177857)
- rgw: cls/user: set from_index for reset stats calls (bsc#1178837)
- mgr/dashboard: Disable TLS 1.0 and 1.1 (bsc#1178860)
- cephadm: reference the last local image by digest (bsc#1178932, bsc#1179569)
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Список пакетов
openSUSE Leap 15.2
ceph-15.2.9.83+g4275378de0-lp152.2.12.1
ceph-base-15.2.9.83+g4275378de0-lp152.2.12.1
ceph-common-15.2.9.83+g4275378de0-lp152.2.12.1
ceph-fuse-15.2.9.83+g4275378de0-lp152.2.12.1
ceph-grafana-dashboards-15.2.9.83+g4275378de0-lp152.2.12.1
ceph-immutable-object-cache-15.2.9.83+g4275378de0-lp152.2.12.1
ceph-mds-15.2.9.83+g4275378de0-lp152.2.12.1
ceph-mgr-15.2.9.83+g4275378de0-lp152.2.12.1
ceph-mgr-cephadm-15.2.9.83+g4275378de0-lp152.2.12.1
ceph-mgr-dashboard-15.2.9.83+g4275378de0-lp152.2.12.1
ceph-mgr-diskprediction-cloud-15.2.9.83+g4275378de0-lp152.2.12.1
ceph-mgr-diskprediction-local-15.2.9.83+g4275378de0-lp152.2.12.1
ceph-mgr-k8sevents-15.2.9.83+g4275378de0-lp152.2.12.1
ceph-mgr-modules-core-15.2.9.83+g4275378de0-lp152.2.12.1
ceph-mgr-rook-15.2.9.83+g4275378de0-lp152.2.12.1
ceph-mon-15.2.9.83+g4275378de0-lp152.2.12.1
ceph-osd-15.2.9.83+g4275378de0-lp152.2.12.1
ceph-prometheus-alerts-15.2.9.83+g4275378de0-lp152.2.12.1
ceph-radosgw-15.2.9.83+g4275378de0-lp152.2.12.1
ceph-test-15.2.9.83+g4275378de0-lp152.2.12.1
cephadm-15.2.9.83+g4275378de0-lp152.2.12.1
cephfs-shell-15.2.9.83+g4275378de0-lp152.2.12.1
libcephfs-devel-15.2.9.83+g4275378de0-lp152.2.12.1
libcephfs2-15.2.9.83+g4275378de0-lp152.2.12.1
librados-devel-15.2.9.83+g4275378de0-lp152.2.12.1
librados2-15.2.9.83+g4275378de0-lp152.2.12.1
libradospp-devel-15.2.9.83+g4275378de0-lp152.2.12.1
librbd-devel-15.2.9.83+g4275378de0-lp152.2.12.1
librbd1-15.2.9.83+g4275378de0-lp152.2.12.1
librgw-devel-15.2.9.83+g4275378de0-lp152.2.12.1
librgw2-15.2.9.83+g4275378de0-lp152.2.12.1
python3-ceph-argparse-15.2.9.83+g4275378de0-lp152.2.12.1
python3-ceph-common-15.2.9.83+g4275378de0-lp152.2.12.1
python3-cephfs-15.2.9.83+g4275378de0-lp152.2.12.1
python3-rados-15.2.9.83+g4275378de0-lp152.2.12.1
python3-rbd-15.2.9.83+g4275378de0-lp152.2.12.1
python3-rgw-15.2.9.83+g4275378de0-lp152.2.12.1
rados-objclass-devel-15.2.9.83+g4275378de0-lp152.2.12.1
rbd-fuse-15.2.9.83+g4275378de0-lp152.2.12.1
rbd-mirror-15.2.9.83+g4275378de0-lp152.2.12.1
rbd-nbd-15.2.9.83+g4275378de0-lp152.2.12.1
Ссылки
- E-Mail link for openSUSE-SU-2021:0544-1
- SUSE Security Ratings
- SUSE Bug 1172926
- SUSE Bug 1176390
- SUSE Bug 1176489
- SUSE Bug 1176679
- SUSE Bug 1176828
- SUSE Bug 1177360
- SUSE Bug 1177857
- SUSE Bug 1178837
- SUSE Bug 1178860
- SUSE Bug 1178905
- SUSE Bug 1178932
- SUSE Bug 1179569
- SUSE Bug 1179997
- SUSE Bug 1182766
- SUSE CVE CVE-2020-25678 page
- SUSE CVE CVE-2020-27839 page
Описание
A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible.
Затронутые продукты
openSUSE Leap 15.2:ceph-15.2.9.83+g4275378de0-lp152.2.12.1
openSUSE Leap 15.2:ceph-base-15.2.9.83+g4275378de0-lp152.2.12.1
openSUSE Leap 15.2:ceph-common-15.2.9.83+g4275378de0-lp152.2.12.1
openSUSE Leap 15.2:ceph-fuse-15.2.9.83+g4275378de0-lp152.2.12.1
Ссылки
- CVE-2020-25678
- SUSE Bug 1178905
Описание
A flaw was found in ceph-dashboard. The JSON Web Token (JWT) used for user authentication is stored by the frontend application in the browser's localStorage which is potentially vulnerable to attackers via XSS attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
Затронутые продукты
openSUSE Leap 15.2:ceph-15.2.9.83+g4275378de0-lp152.2.12.1
openSUSE Leap 15.2:ceph-base-15.2.9.83+g4275378de0-lp152.2.12.1
openSUSE Leap 15.2:ceph-common-15.2.9.83+g4275378de0-lp152.2.12.1
openSUSE Leap 15.2:ceph-fuse-15.2.9.83+g4275378de0-lp152.2.12.1
Ссылки
- CVE-2020-27839
- SUSE Bug 1179997