===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2039
                  Moderate: ceph-deploy security update
                               7 August 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ceph-deploy
Publisher:         Red Hat
Operating System:  Ubuntu
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-4053 CVE-2015-3010

Reference:         ESB-2015.1525

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2015:1579

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: ceph-deploy security update
Advisory ID:       RHSA-2015:1579-01
Product:           Red Hat Ceph Storage
Advisory URL:      https://access.redhat.com/errata/RHSA-2015:1579
Issue date:        2015-08-07
CVE Names:         CVE-2015-3010 CVE-2015-4053
=====================================================================

1. Summary:

An updated ceph-deploy package that fixes two security issues is now
available in Red Hat Ceph Storage for Ubuntu 12.04 and Ubuntu 14.04.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Description:

Red Hat Ceph Storage is a massively scalable, open, software-defined
storage platform that combines the most stable version of Ceph with a Ceph
management platform, deployment tools, and support services.
It was discovered that ceph-deploy, a utility for deploying Red Hat Ceph
Storage, would create the keyring file with world readable permissions,
which could possibly allow a local user to obtain authentication credentials
from the keyring file. (CVE-2015-3010, CVE-2015-4053)

ceph has been upgraded from v0.80.8.1 to v0.80.8.2. This upgrade fixes the
following bugs:

- .rgw pool contains extra objects (rhbz #1212524)
- rgw bucket/object owner override when setting acls (rhbz #1214051)
- librbd: aio calls may block (rhbz #1225172)

ice_setup has been upgraded from v0.3.0-2 to v0.3.2. This upgrade fixes a
bug where ice_setup would crash if the "setuptools" Python package was not
already installed on the Calamari admin node. (rhbz #1212045)

All ceph-deploy users are advised to upgrade to this updated package, which
contains backported patches to correct these issues.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

Refer to Knowledge Base article https://access.redhat.com/articles/1554343
for download link and signing information.

4. Bugs fixed (https://bugzilla.redhat.com/):

1210705 - CVE-2015-3010 ceph-deploy: keyring permissions are world readable in ~ceph
1224129 - CVE-2015-4053 ceph-deploy admin command copies keyring file to /etc/ceph which is world readable

5. References:

https://access.redhat.com/security/cve/CVE-2015-3010
https://access.redhat.com/security/cve/CVE-2015-4053
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/articles/1554343
https://access.redhat.com/articles/1372203

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
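Both CVEs in the included advisory come down to a keyring file being written to ~ceph or copied to /etc/ceph with permissions that let other local users read it. The shell script below is added here and is not part of the AusCERT or Red Hat bulletin: it audits keyring files in those two locations and reports (or, with FIX=1, tightens) any that group or world can read. It assumes keyrings are named *.keyring and that GNU stat is available; neither is stated in the bulletin.

```shell
#!/bin/sh
# Added example, not from the bulletin: find Ceph keyrings left readable by
# group or other (the CVE-2015-3010 / CVE-2015-4053 condition) and, when
# FIX=1 is set, restrict them to their owner. Assumptions: keyrings are
# named *.keyring; GNU stat (stat -c) is present.

# keyring_mode FILE -> octal permission bits of FILE, e.g. 644.
keyring_mode() {
    stat -c '%a' "$1"
}

# keyring_exposed FILE -> exit 0 if group or other has the read bit (4) set,
# 1 if only the owner can read it, 2 if FILE does not exist.
keyring_exposed() {
    [ -f "$1" ] || return 2
    mode=$(keyring_mode "$1")
    # The digit string is used as a decimal number purely to peel digits off:
    # mode % 10 is the "other" digit, mode / 10 % 10 is the "group" digit.
    [ $((mode % 10 & 4)) -ne 0 ] || [ $((mode / 10 % 10 & 4)) -ne 0 ]
}

# fix_keyring FILE -> restrict FILE to its owner (0600).
fix_keyring() {
    chmod 0600 "$1"
}

# audit_keyrings DIR... -> print every exposed *.keyring in the given
# directories; with FIX=1 also repair them. The exit status is the number
# of exposed files found (0 means clean; wraps above 255).
audit_keyrings() {
    count=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.keyring; do
            keyring_exposed "$f" || continue
            count=$((count + 1))
            printf 'EXPOSED %s mode %s\n' "$f" "$(keyring_mode "$f")"
            if [ "${FIX:-0}" = 1 ]; then fix_keyring "$f"; fi
        done
    done
    return "$count"
}

# Stand-alone run: audit the directories given, or by default /etc/ceph and
# the ceph user's home directory (the two locations named in the advisory).
if [ $# -eq 0 ]; then
    set -- /etc/ceph "$(getent passwd ceph 2>/dev/null | cut -d: -f6)"
fi
audit_keyrings "$@"
```

Run it as the ceph user or root so that stat can see the files; a non-zero exit status from a clean run means at least one keyring still needs attention.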
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================