===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2315
                         Security update for ceph
                              13 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ceph
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Denial of Service              -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-10861 CVE-2018-7262 CVE-2018-1129
                   CVE-2018-1128  

Reference:         ESB-2018.2169
                   ESB-2018.2030
                   ESB-2018.0762

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2018/suse-su-20182299-1/

--------------------------BEGIN INCLUDED TEXT--------------------

Security update for ceph

SUSE Security Update:	Security update for ceph
Announcement ID: 	SUSE-SU-2018:2299-1
Rating: 		important
References: 		#1072512 #1080112 #1081379 #1086340 #1096748 #1099162

Affected Products: 	

SUSE Enterprise Storage 4

An update that solves four vulnerabilities and has two fixes is now available.

Description:

This update for ceph fixes the following issues:

Security issues fixed:

- CVE-2018-10861: Fix ceph-mon authorization on OSD pool ops (bsc#1099162).
- CVE-2018-1128: Fix cephx signature check bypass (bsc#1096748).
- CVE-2018-1129: Fix cephx protocol vulnerability to replay attack (bsc#1096748).
- CVE-2018-7262: Fix malformed http headers that can crash rgw (bsc#1081379).

Bug fixes:

- bsc#1072512: multipart uploads are broken if the bucket has been resharded
- bsc#1080112: rgw: user stats increased after bucket reshard
- bsc#1086340: SES5: XFS metadata corruption on rbd-nbd mapped image with
  journaling feature enabled

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation 
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

    SUSE Enterprise Storage 4:
    zypper in -t patch SUSE-Storage-4-2018-1537=1

Package List:

    SUSE Enterprise Storage 4 (aarch64 x86_64):
        ceph-10.2.11+git.1531487710.3a12911a2e-12.14.2
        ceph-base-10.2.11+git.1531487710.3a12911a2e-12.14.2
        ceph-base-debuginfo-10.2.11+git.1531487710.3a12911a2e-12.14.2
        ceph-common-10.2.11+git.1531487710.3a12911a2e-12.14.2
        ceph-common-debuginfo-10.2.11+git.1531487710.3a12911a2e-12.14.2
        ceph-debugsource-10.2.11+git.1531487710.3a12911a2e-12.14.2
        ceph-fuse-10.2.11+git.1531487710.3a12911a2e-12.14.2
        ceph-fuse-debuginfo-10.2.11+git.1531487710.3a12911a2e-12.14.2
        ceph-mds-10.2.11+git.1531487710.3a12911a2e-12.14.2
        ceph-mds-debuginfo-10.2.11+git.1531487710.3a12911a2e-12.14.2
        ceph-mon-10.2.11+git.1531487710.3a12911a2e-12.14.2
        ceph-mon-debuginfo-10.2.11+git.1531487710.3a12911a2e-12.14.2
        ceph-osd-10.2.11+git.1531487710.3a12911a2e-12.14.2
        ceph-osd-debuginfo-10.2.11+git.1531487710.3a12911a2e-12.14.2
        ceph-radosgw-10.2.11+git.1531487710.3a12911a2e-12.14.2
        ceph-radosgw-debuginfo-10.2.11+git.1531487710.3a12911a2e-12.14.2
        ceph-test-10.2.11+git.1531487710.3a12911a2e-12.14.2
        ceph-test-debuginfo-10.2.11+git.1531487710.3a12911a2e-12.14.2
        ceph-test-debugsource-10.2.11+git.1531487710.3a12911a2e-12.14.2
        libcephfs1-10.2.11+git.1531487710.3a12911a2e-12.14.2
        libcephfs1-debuginfo-10.2.11+git.1531487710.3a12911a2e-12.14.2
        librados2-10.2.11+git.1531487710.3a12911a2e-12.14.2
        librados2-debuginfo-10.2.11+git.1531487710.3a12911a2e-12.14.2
        libradosstriper1-10.2.11+git.1531487710.3a12911a2e-12.14.2
        libradosstriper1-debuginfo-10.2.11+git.1531487710.3a12911a2e-12.14.2
        librbd1-10.2.11+git.1531487710.3a12911a2e-12.14.2
        librbd1-debuginfo-10.2.11+git.1531487710.3a12911a2e-12.14.2
        librgw2-10.2.11+git.1531487710.3a12911a2e-12.14.2
        librgw2-debuginfo-10.2.11+git.1531487710.3a12911a2e-12.14.2
        python-ceph-compat-10.2.11+git.1531487710.3a12911a2e-12.14.2
        python-cephfs-10.2.11+git.1531487710.3a12911a2e-12.14.2
        python-cephfs-debuginfo-10.2.11+git.1531487710.3a12911a2e-12.14.2
        python-rados-10.2.11+git.1531487710.3a12911a2e-12.14.2
        python-rados-debuginfo-10.2.11+git.1531487710.3a12911a2e-12.14.2
        python-rbd-10.2.11+git.1531487710.3a12911a2e-12.14.2
        python-rbd-debuginfo-10.2.11+git.1531487710.3a12911a2e-12.14.2
        rbd-fuse-10.2.11+git.1531487710.3a12911a2e-12.14.2
        rbd-fuse-debuginfo-10.2.11+git.1531487710.3a12911a2e-12.14.2
        rbd-mirror-10.2.11+git.1531487710.3a12911a2e-12.14.2
        rbd-mirror-debuginfo-10.2.11+git.1531487710.3a12911a2e-12.14.2
        rbd-nbd-10.2.11+git.1531487710.3a12911a2e-12.14.2
        rbd-nbd-debuginfo-10.2.11+git.1531487710.3a12911a2e-12.14.2
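The following host-side check is an added example, not code from the SUSE or AusCERT bulletin: it parses the fixed package levels from the Package List above, compares them against what is installed using the RPM version-comparison rules (numeric segments compared numerically, alpha segments lexically, "~" sorting before everything), and reports any listed package that is still below the fixed level. The installed-package sample is constructed; on a real node it would be replaced by the output of `rpm -qa --qf '%{NAME}\t%{VERSION}\t%{RELEASE}\n'`.

```python
import re
from typing import Dict, List, Tuple

# Fixed package levels copied from the bulletin's Package List (a subset; the
# whole list can be pasted in). NVR strings are split from the right because
# package names such as ceph-base-debuginfo contain hyphens themselves.
BULLETIN_PACKAGES = """
ceph-10.2.11+git.1531487710.3a12911a2e-12.14.2
ceph-mon-10.2.11+git.1531487710.3a12911a2e-12.14.2
ceph-osd-10.2.11+git.1531487710.3a12911a2e-12.14.2
ceph-radosgw-10.2.11+git.1531487710.3a12911a2e-12.14.2
librados2-10.2.11+git.1531487710.3a12911a2e-12.14.2
"""

# Constructed sample of `rpm -qa --qf '%{NAME}\t%{VERSION}\t%{RELEASE}\n'`
# output (not from any real host): one package at the fixed level, one with
# an older release, one with an older version, one package not in the advisory.
SAMPLE_RPM_QA = (
    "ceph\t10.2.11+git.1531487710.3a12911a2e\t12.14.2\n"
    "ceph-mon\t10.2.11+git.1531487710.3a12911a2e\t12.11.1\n"
    "librados2\t10.2.10+git.1500000000.0000000000\t12.8.3\n"
    "unrelated-pkg\t1.0\t1\n"
)


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings following librpm's rpmvercmp:
    '~' sorts before anything (pre-releases), '^' sorts after the end of a string
    but before any other segment, digit runs compare numerically, letter runs
    lexically, and a numeric segment beats a letter segment. Returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (anything that is not alphanumeric, '~' or '^') are skipped
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca, cb = a[i:i + 1], b[j:j + 1]
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # take the next run of digits (or of letters) from both strings
        pattern = r"\d*" if ca.isdigit() else r"[A-Za-z]*"
        numeric = ca.isdigit()
        sa = re.match(pattern, a[i:]).group(0)
        sb = re.match(pattern, b[j:]).group(0)
        i, j = i + len(sa), j + len(sb)
        if not sb:
            return 1 if numeric else -1  # segment types differ: numeric wins
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' into its three parts (name may contain '-')."""
    name, version, release = nvr.strip().rsplit("-", 2)
    return name, version, release


def load_fixed(text: str) -> Dict[str, Tuple[str, str]]:
    """Map package name -> (fixed version, fixed release) from the bulletin list."""
    return {n: (v, r) for n, v, r in (parse_nvr(l) for l in text.splitlines() if l.strip())}


def compare_vr(v1: str, r1: str, v2: str, r2: str) -> int:
    """Order two version-release pairs: version first, release as tie-breaker."""
    rc = rpmvercmp(v1, v2)
    return rc if rc else rpmvercmp(r1, r2)


def find_unpatched(rpm_qa_output: str, fixed: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (name, installed VR, fixed VR) for advisory packages installed below the fix."""
    findings = []
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, ver, rel = line.split("\t")
        if name in fixed and compare_vr(ver, rel, *fixed[name]) < 0:
            findings.append((name, f"{ver}-{rel}", "-".join(fixed[name])))
    return findings


if __name__ == "__main__":
    # On a real node, feed the output of the rpm query named above instead.
    for name, have, want in find_unpatched(SAMPLE_RPM_QA, load_fixed(BULLETIN_PACKAGES)):
        print(f"UNPATCHED {name}: installed {have}, fixed in {want}")
```

Packages absent from the host are simply not reported, so a clean result means "nothing installed is below the fixed level", not "everything in the list is installed"; run it on every node of the cluster, since monitors, OSDs and gateways carry different subsets of these packages.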


References:

    https://www.suse.com/security/cve/CVE-2018-10861.html
    https://www.suse.com/security/cve/CVE-2018-1128.html
    https://www.suse.com/security/cve/CVE-2018-1129.html
    https://www.suse.com/security/cve/CVE-2018-7262.html
    https://bugzilla.suse.com/1072512
    https://bugzilla.suse.com/1080112
    https://bugzilla.suse.com/1081379
    https://bugzilla.suse.com/1086340
    https://bugzilla.suse.com/1096748
    https://bugzilla.suse.com/1099162

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================