Red Hat Security Advisory 2016-2815-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. The following packages have been upgraded to a newer upstream version: ceph, ceph-deploy, calamari-server, nfs-ganesha, ceph-iscsi-config, libntirpc, ceph-iscsi-tools. Multiple security issues have been addressed.
ef405f0bd7b17b62af6a472bc30f36f4a65f15e773f951d2de8b2b16aaddd1c8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Ceph Storage security, bug fix, and enhancement update
Advisory ID: RHSA-2016:2815-01
Product: Red Hat Ceph Storage
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2815.html
Issue date: 2016-11-22
CVE Names: CVE-2016-8626
=====================================================================
1. Summary:
An update is now available for Red Hat Ceph Storage 2.1 that fix one
security issue, multiple bugs, and add various enhancements. This erratum
is applicable for Red Hat Ceph Storage that runs on RHEL 7.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Ceph Storage MON 2 - x86_64
Red Hat Ceph Storage OSD 2 - x86_64
Red Hat Ceph Storage Tools 2 - noarch, x86_64
3. Description:
Red Hat Ceph Storage is a scalable, open, software-defined storage platform
that combines the most stable version of the Ceph storage system with a
Ceph management platform, deployment utilities, and support services.
The following packages have been upgraded to a newer upstream version: ceph
(10.2.3), ceph-deploy (1.5.36), calamari-server (1.4.9), nfs-ganesha
(2.4.0), ceph-iscsi-config (1.5), libntirpc (1.4.1), ceph-iscsi-tools
(1.1). (BZ#1340004, BZ#1349999)
Security Fix(es):
* A flaw was found in the way Ceph Object Gateway handles POST object
requests. An authenticated attacker could launch a denial of service attack
by sending null or specially crafted POST object requests. (CVE-2016-8626)
Bug Fix(es) and Enhancement(s):
For detailed information on changes in this release, see the Red Hat Ceph
Storage 2.1 Release Notes available at:
https://access.redhat.com/documentation/en/red-hat-ceph-storage/2.1/single/
release-notes/
All users of Red Hat Ceph Storage are advised to upgrade to these updated
packages.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1241725 - No or not correct input validation in "ceph" cli
1265792 - [RFE] Static website hosting
1300855 - [RFE] Support for PKIZ and other token formats with Keystone integration
1314582 - RGW: S3 request-payer
1314584 - RGW: indexless buckets
1318409 - RGW deletion is sequential and slow on large buckets of objects
1326740 - ceph-disk@dev-sd<>2.service is created on all OSD nodes, and its in failed state
1331770 - reweight-by-utilization accepts 0 and -ve values for 'max_change_osds'
1332513 - [RFE] rados bench : add cleanup message with time it has taken to delete the objects when cleanup start for written objects
1333398 - [RH Ceph 2] Do a proper SELinux relabel on rhel 7.3+
1339256 - [RFE] rgw : support size suffixes for --max-size in radosgw-admin command
1340004 - Seeing lots of "heartbeat_map" messages when stopping an MDS Server
1340772 - Seeing Error Message "librbd::SnapshotRenameRequest: encountered error: (17) File exists"
1346946 - Seeing Error message in rbd_mirror status on Master Node
1347137 - Calamari cli endpoint api returns errors for rados df
1347174 - Object Map and Fast Diff Flag is getting invalid, while doing multiple times enable/disable of Journaling on an Image
1347205 - Even after disabling Journal, the image is showing up in Slave Node
1347664 - Seeing a continuous error messge "librbd::ObjectWatcher: rbd_mirroring: handle_rewatch: error encountered during re-watch: (108) Cannot send after transport endpoint shutdown"
1348928 - Seeing a Crash at "librbd/operation/Request.cc: 92: FAILED assert(m_op_tid != 0)", while creating snapshot on Slave Node
1348940 - Restart of RBD daemon is again initiating full Sync/Copy of an Image
1349116 - RBD with object-map enabled results in poor performance with discard
1349332 - Clone creation is successful in Slave Node
1349955 - After demotion/promotion, the image is again syncing from the beginning
1349999 - [RH Ceph 2.0]: ceph-deploy handle package split for ceph-mon and ceph-osd
1350522 - S3 object versioning fails when applied on a non-master zone
1351484 - ceph-disk should timeout when a lock cannot be acquired
1352888 - [Upgrade]: on Ceph upgrade from 1.3.2 to 2.0 the RGW default zone setup is not working
1354459 - 2.0: rbd commands via API: few commands hang when used from browser
1356931 - Hitting a Crash while deleting the Mirrored Images from Master Node
1358024 - non-contiguous rgw_write/NFS WRITE operations no blocked
1359712 - A master zone switch requires radosgw to be restarted
1360849 - ceph-fuse fails to mount when entry exists in /etc/fstab
1364352 - Add zone rename to radosgw-admin(8)
1364353 - Increase log level for some of the messages that occur in rgw admin command.
1365648 - [rbd-mirror] - Unable to write data on the promoted image from secondary rbd host
1367182 - [RFE] Ansible iSCSI userland
1367442 - [RHCS-2.0] ceph-objectstore-tool: ability to perform filestore splits offline : new command apply-layout-settings
1372346 - RGW underscore issue redux
1374224 - [RFE] RHCS-2 add a tool to rebuild mon store from OSD
1377774 - Potential non-null terminated block name prefix string from API
1378675 - Assign LOG_INFO priority to syslog calls
1379835 - [RFE] [rbd-mirror] - optionally unregister "laggy" journal clients
1380601 - [RFE] [rhcs-2.y] RGW resharding tool
1381687 - RFE: rgw ldap does not support custom ldap search filters
1381692 - rgw_lookup can not exact match file name
1381694 - rgw ldap: unhandled exception on invalid token input
1382044 - Cannot disable journaling or remove non-mirrored, "non-primary" image
1383631 - Old radosgw-admin corrupt radosgw configuration for an upgrade radosgw
1383728 - [RHCS 2] RGW goes into loop causing 100% CPU utilization
1384002 - mon crash when MDSs run with standby_for_rank set
1384008 - ceph-fuse crashes intermittently when quotas are in use
1384230 - iSCSI performance is slow on secondary (non-optimised) paths during failover
1384748 - iSCSI failover time is too long when a gateway is shutdown
1385729 - nfs-ganesha 2.4.0 and libntirpc 1.4.1
1386910 - ceph-iscsi-config should make an ALUA group per iSCSI tpg created
1386939 - [ceph-iscsi-config] should allow lun definitions to be fqdn names as well as shortnames
1387332 - [rhcs-2.y] rgw: crash when client post object with null conditions
1389193 - CVE-2016-8626 Ceph: RGW Denial of Service by sending null or specially crafted POST object requests
1393665 - Multisite error handling leads to segfaults
6. Package List:
Red Hat Ceph Storage Tools 2:
Source:
ceph-10.2.3-13.el7cp.src.rpm
ceph-deploy-1.5.36-20.el7cp.src.rpm
ceph-iscsi-config-1.5-1.el7cp.src.rpm
ceph-iscsi-tools-1.1-1.el7cp.src.rpm
libntirpc-1.4.1-1.el7.src.rpm
nfs-ganesha-2.4.0-3.el7cp.src.rpm
noarch:
ceph-deploy-1.5.36-20.el7cp.noarch.rpm
ceph-iscsi-config-1.5-1.el7cp.noarch.rpm
ceph-iscsi-tools-1.1-1.el7cp.noarch.rpm
x86_64:
ceph-base-10.2.3-13.el7cp.x86_64.rpm
ceph-common-10.2.3-13.el7cp.x86_64.rpm
ceph-fuse-10.2.3-13.el7cp.x86_64.rpm
ceph-mds-10.2.3-13.el7cp.x86_64.rpm
ceph-radosgw-10.2.3-13.el7cp.x86_64.rpm
ceph-selinux-10.2.3-13.el7cp.x86_64.rpm
libcephfs1-10.2.3-13.el7cp.x86_64.rpm
libcephfs1-devel-10.2.3-13.el7cp.x86_64.rpm
libntirpc-1.4.1-1.el7.x86_64.rpm
libntirpc-debuginfo-1.4.1-1.el7.x86_64.rpm
librados2-10.2.3-13.el7cp.x86_64.rpm
librados2-devel-10.2.3-13.el7cp.x86_64.rpm
librbd1-10.2.3-13.el7cp.x86_64.rpm
librbd1-devel-10.2.3-13.el7cp.x86_64.rpm
librgw2-10.2.3-13.el7cp.x86_64.rpm
librgw2-devel-10.2.3-13.el7cp.x86_64.rpm
nfs-ganesha-2.4.0-3.el7cp.x86_64.rpm
nfs-ganesha-debuginfo-2.4.0-3.el7cp.x86_64.rpm
nfs-ganesha-rgw-2.4.0-3.el7cp.x86_64.rpm
python-cephfs-10.2.3-13.el7cp.x86_64.rpm
python-rados-10.2.3-13.el7cp.x86_64.rpm
python-rbd-10.2.3-13.el7cp.x86_64.rpm
rbd-mirror-10.2.3-13.el7cp.x86_64.rpm
Red Hat Ceph Storage Tools 2:
Source:
ceph-10.2.3-13.el7cp.src.rpm
ceph-deploy-1.5.36-20.el7cp.src.rpm
ceph-iscsi-config-1.5-1.el7cp.src.rpm
ceph-iscsi-tools-1.1-1.el7cp.src.rpm
libntirpc-1.4.1-1.el7.src.rpm
nfs-ganesha-2.4.0-3.el7cp.src.rpm
noarch:
ceph-deploy-1.5.36-20.el7cp.noarch.rpm
ceph-iscsi-config-1.5-1.el7cp.noarch.rpm
ceph-iscsi-tools-1.1-1.el7cp.noarch.rpm
x86_64:
ceph-base-10.2.3-13.el7cp.x86_64.rpm
ceph-common-10.2.3-13.el7cp.x86_64.rpm
ceph-fuse-10.2.3-13.el7cp.x86_64.rpm
ceph-mds-10.2.3-13.el7cp.x86_64.rpm
ceph-radosgw-10.2.3-13.el7cp.x86_64.rpm
ceph-selinux-10.2.3-13.el7cp.x86_64.rpm
libcephfs1-10.2.3-13.el7cp.x86_64.rpm
libcephfs1-devel-10.2.3-13.el7cp.x86_64.rpm
libntirpc-1.4.1-1.el7.x86_64.rpm
libntirpc-debuginfo-1.4.1-1.el7.x86_64.rpm
librados2-10.2.3-13.el7cp.x86_64.rpm
librados2-devel-10.2.3-13.el7cp.x86_64.rpm
librbd1-10.2.3-13.el7cp.x86_64.rpm
librbd1-devel-10.2.3-13.el7cp.x86_64.rpm
librgw2-10.2.3-13.el7cp.x86_64.rpm
librgw2-devel-10.2.3-13.el7cp.x86_64.rpm
nfs-ganesha-2.4.0-3.el7cp.x86_64.rpm
nfs-ganesha-debuginfo-2.4.0-3.el7cp.x86_64.rpm
nfs-ganesha-rgw-2.4.0-3.el7cp.x86_64.rpm
python-cephfs-10.2.3-13.el7cp.x86_64.rpm
python-rados-10.2.3-13.el7cp.x86_64.rpm
python-rbd-10.2.3-13.el7cp.x86_64.rpm
rbd-mirror-10.2.3-13.el7cp.x86_64.rpm
Red Hat Ceph Storage MON 2:
Source:
calamari-server-1.4.9-1.el7cp.src.rpm
ceph-10.2.3-13.el7cp.src.rpm
x86_64:
calamari-server-1.4.9-1.el7cp.x86_64.rpm
ceph-base-10.2.3-13.el7cp.x86_64.rpm
ceph-common-10.2.3-13.el7cp.x86_64.rpm
ceph-mon-10.2.3-13.el7cp.x86_64.rpm
ceph-selinux-10.2.3-13.el7cp.x86_64.rpm
ceph-test-10.2.3-13.el7cp.x86_64.rpm
libcephfs1-10.2.3-13.el7cp.x86_64.rpm
libcephfs1-devel-10.2.3-13.el7cp.x86_64.rpm
librados2-10.2.3-13.el7cp.x86_64.rpm
librados2-devel-10.2.3-13.el7cp.x86_64.rpm
librbd1-10.2.3-13.el7cp.x86_64.rpm
librbd1-devel-10.2.3-13.el7cp.x86_64.rpm
librgw2-10.2.3-13.el7cp.x86_64.rpm
librgw2-devel-10.2.3-13.el7cp.x86_64.rpm
python-cephfs-10.2.3-13.el7cp.x86_64.rpm
python-rados-10.2.3-13.el7cp.x86_64.rpm
python-rbd-10.2.3-13.el7cp.x86_64.rpm
Red Hat Ceph Storage OSD 2:
Source:
ceph-10.2.3-13.el7cp.src.rpm
x86_64:
ceph-base-10.2.3-13.el7cp.x86_64.rpm
ceph-common-10.2.3-13.el7cp.x86_64.rpm
ceph-osd-10.2.3-13.el7cp.x86_64.rpm
ceph-selinux-10.2.3-13.el7cp.x86_64.rpm
ceph-test-10.2.3-13.el7cp.x86_64.rpm
libcephfs1-10.2.3-13.el7cp.x86_64.rpm
libcephfs1-devel-10.2.3-13.el7cp.x86_64.rpm
librados2-10.2.3-13.el7cp.x86_64.rpm
librados2-devel-10.2.3-13.el7cp.x86_64.rpm
librbd1-10.2.3-13.el7cp.x86_64.rpm
librbd1-devel-10.2.3-13.el7cp.x86_64.rpm
librgw2-10.2.3-13.el7cp.x86_64.rpm
librgw2-devel-10.2.3-13.el7cp.x86_64.rpm
python-cephfs-10.2.3-13.el7cp.x86_64.rpm
python-rados-10.2.3-13.el7cp.x86_64.rpm
python-rbd-10.2.3-13.el7cp.x86_64.rpm
Red Hat Ceph Storage Tools 2:
Source:
ceph-10.2.3-13.el7cp.src.rpm
ceph-deploy-1.5.36-20.el7cp.src.rpm
ceph-iscsi-config-1.5-1.el7cp.src.rpm
ceph-iscsi-tools-1.1-1.el7cp.src.rpm
libntirpc-1.4.1-1.el7.src.rpm
nfs-ganesha-2.4.0-3.el7cp.src.rpm
noarch:
ceph-deploy-1.5.36-20.el7cp.noarch.rpm
ceph-iscsi-config-1.5-1.el7cp.noarch.rpm
ceph-iscsi-tools-1.1-1.el7cp.noarch.rpm
x86_64:
ceph-base-10.2.3-13.el7cp.x86_64.rpm
ceph-common-10.2.3-13.el7cp.x86_64.rpm
ceph-fuse-10.2.3-13.el7cp.x86_64.rpm
ceph-mds-10.2.3-13.el7cp.x86_64.rpm
ceph-radosgw-10.2.3-13.el7cp.x86_64.rpm
ceph-selinux-10.2.3-13.el7cp.x86_64.rpm
libcephfs1-10.2.3-13.el7cp.x86_64.rpm
libcephfs1-devel-10.2.3-13.el7cp.x86_64.rpm
libntirpc-1.4.1-1.el7.x86_64.rpm
libntirpc-debuginfo-1.4.1-1.el7.x86_64.rpm
librados2-10.2.3-13.el7cp.x86_64.rpm
librados2-devel-10.2.3-13.el7cp.x86_64.rpm
librbd1-10.2.3-13.el7cp.x86_64.rpm
librbd1-devel-10.2.3-13.el7cp.x86_64.rpm
librgw2-10.2.3-13.el7cp.x86_64.rpm
librgw2-devel-10.2.3-13.el7cp.x86_64.rpm
nfs-ganesha-2.4.0-3.el7cp.x86_64.rpm
nfs-ganesha-debuginfo-2.4.0-3.el7cp.x86_64.rpm
nfs-ganesha-rgw-2.4.0-3.el7cp.x86_64.rpm
python-cephfs-10.2.3-13.el7cp.x86_64.rpm
python-rados-10.2.3-13.el7cp.x86_64.rpm
python-rbd-10.2.3-13.el7cp.x86_64.rpm
rbd-mirror-10.2.3-13.el7cp.x86_64.rpm
Red Hat Ceph Storage Tools 2:
Source:
ceph-10.2.3-13.el7cp.src.rpm
ceph-deploy-1.5.36-20.el7cp.src.rpm
ceph-iscsi-config-1.5-1.el7cp.src.rpm
ceph-iscsi-tools-1.1-1.el7cp.src.rpm
libntirpc-1.4.1-1.el7.src.rpm
nfs-ganesha-2.4.0-3.el7cp.src.rpm
noarch:
ceph-deploy-1.5.36-20.el7cp.noarch.rpm
ceph-iscsi-config-1.5-1.el7cp.noarch.rpm
ceph-iscsi-tools-1.1-1.el7cp.noarch.rpm
x86_64:
ceph-base-10.2.3-13.el7cp.x86_64.rpm
ceph-common-10.2.3-13.el7cp.x86_64.rpm
ceph-fuse-10.2.3-13.el7cp.x86_64.rpm
ceph-mds-10.2.3-13.el7cp.x86_64.rpm
ceph-radosgw-10.2.3-13.el7cp.x86_64.rpm
ceph-selinux-10.2.3-13.el7cp.x86_64.rpm
libcephfs1-10.2.3-13.el7cp.x86_64.rpm
libcephfs1-devel-10.2.3-13.el7cp.x86_64.rpm
libntirpc-1.4.1-1.el7.x86_64.rpm
libntirpc-debuginfo-1.4.1-1.el7.x86_64.rpm
librados2-10.2.3-13.el7cp.x86_64.rpm
librados2-devel-10.2.3-13.el7cp.x86_64.rpm
librbd1-10.2.3-13.el7cp.x86_64.rpm
librbd1-devel-10.2.3-13.el7cp.x86_64.rpm
librgw2-10.2.3-13.el7cp.x86_64.rpm
librgw2-devel-10.2.3-13.el7cp.x86_64.rpm
nfs-ganesha-2.4.0-3.el7cp.x86_64.rpm
nfs-ganesha-debuginfo-2.4.0-3.el7cp.x86_64.rpm
nfs-ganesha-rgw-2.4.0-3.el7cp.x86_64.rpm
python-cephfs-10.2.3-13.el7cp.x86_64.rpm
python-rados-10.2.3-13.el7cp.x86_64.rpm
python-rbd-10.2.3-13.el7cp.x86_64.rpm
rbd-mirror-10.2.3-13.el7cp.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-8626
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFYNNK/XlSAg2UNWIIRAvdwAKCyxs2SmFa2hz/7ILaRnHoq3Q0DBQCdHkWG
vxpg0iAc7yFDwRdnRrU+jT0=
=M+Ab
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce