-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1494
         Moderate: Red Hat Ceph Storage 3.2 security, bug fix, and
                            enhancement update
                                1 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Ceph Storage
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-19039  

Reference:         ESB-2019.1257

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2019:0911

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Ceph Storage 3.2 security, bug fix, and enhancement update
Advisory ID:       RHSA-2019:0911-01
Product:           Red Hat Ceph Storage
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:0911
Issue date:        2019-04-30
CVE Names:         CVE-2018-19039 
=====================================================================

1. Summary:

An update is now available for Red Hat Ceph Storage 3.2.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Ceph Storage 3.2 MON - ppc64le, x86_64
Red Hat Ceph Storage 3.2 OSD - ppc64le, x86_64
Red Hat Ceph Storage 3.2 Tools - noarch, ppc64le, x86_64

3. Description:

Red Hat Ceph Storage is a scalable, open, software-defined storage platform
that combines the most stable version of the Ceph storage system with a
Ceph management platform, deployment utilities, and support services.

Security Fix(es):

* grafana: File exfiltration (CVE-2018-19039)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es) and Enhancement(s):

For detailed information on changes in this release, see the Red Hat Ceph
Storage 3.2 Release Notes available at:

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3.2/html/release_notes/index

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1506782 - osd_scrub_auto_repair not working as expected
1540881 - [CEE/SD] monitor_interface with "-" in the name fails with "msg": "'dict object' has no attribute u'ansible_bond-monitor-interface'"
1593110 - Ceph mgr daemon crashing after starting balancer module in automatic mode
1600138 - [Bluestore]: one of the osds flapped multiple times with 1525: FAILED assert(0 == "bluefs enospc")
1636251 - ceph-keys fails if RHEL is configured in FIPS mode
1638092 - Default crush rule is not enforced
1639833 - [RFE] Enabling CRUSH device classes should not incur data movement in the cluster
1648168 - ceph-validate : devices are not validated in non-collocated and lvm_batch scenario
1649697 - CVE-2018-19039 grafana: File exfiltration
1653307 - [ceph-ansible] - lvms not removed while purging cluster
1656935 - ceph-ansible: purge-cluster.yml fails when initiated second time
1660962 - rgw does not support delimiter as a string it only supports a single character [consulting]
1664869 - [RFE] Support configuring multiple RGW endpoints in ceph-ansible for RGW multisite
1666407 - MDS may hang at startup if PurgeQueue metadata objects are damaged
1666408 - ceph-fuse may miss reconnect during MDS switch
1666409 - MDS should allow configuration of heartbeat timeout
1668050 - [RFE] RGW OPA authorization tech preview
1668362 - Verify PG recovery control / 3 line items from BB spreadsheet
1669901 - [RFE] Implement mechanism and command to change/reset bucket objects owner / RGW bucket chown
1670165 - Bucket lifecycle: bucket is not getting added to lc list when `'NoncurrentVersionExpiration': {'NoncurrentDays': 2}` is set
1670321 - [GSS] Downloads are corrupted when using RGW with civetweb as frontend
1670663 - [Ceph-Ansible][ceph-containers] Add new OSD node to the existing ceph cluster is failing with '--limit osds' option
1672333 - Optimize MDS stale cap revoke behavior
1672878 - [Ceph-Ansible][ceph-containers] Missing permission for MDS in client.admin
1673687 - Failure creating ceph.conf for mon - No first item, sequence was empty.
1674549 - [cee/sd][ceph-mgr] luminous: deadlock in standby ceph-mgr daemons
1678470 - BlueStore OSD crashes in _do_read - BlueStore::_do_read
1679263 - radosgw-admin bucket limit check stuck generating high read ops with > 999 buckets per user [Consulting]
1680171 - containerized radosgw requires higher --cpu-quota as default
1683997 - permissions in /var/lib/ceph/mon aren't set properly
1684146 - Ability to start ceph daemons with numactl
1684283 - Ceph Containers SSL support - Daemons like RGW when using rgw-multisite causing an issue in communication and sync stuck
1684289 - Testing RGW Multi-site SSL support
1684435 - Bucket lifecycle: Current version of the object does not get deleted for Tag based filters.
1684642 - [RFE] rgw-multisite: add perf counters to data sync
1685733 - MDS may abort when handling deleted file
1685735 - Monitors will assign standby-replay to degraded ranks
1687038 - os/filestore: ceph_abort() on fsync(2) or fdatasync(2) failure
1687039 - osd/PG.cc: account for missing set irrespective of last_complete
1687041 - mon/OSDMonitor: do not populate void pg_temp into nextmap
1687567 - rgw: use of PK11_ImportSymKey implies non-FIPS-compliant key management workflow (blocks FIPS)
1687828 - [cee/sd][ceph-ansible] rolling-update.yml does not restart nvme osds running in containers
1688330 - Request for backport for fixed issue https://tracker.ceph.com/issues/21533
1688378 - ops waiting for resharding to complete may not be able to complete when resharding does complete
1688541 - command `radosgw-admin bi put` not rightly set the mtime
1688869 - rgw: Lifecyle: handle resharded buckets
1689266 - rgw: unordered bucket listing markers do not handle adorned object names correctly
1689410 - s3cmd info not working on Ceph 3.2 (cors policies) giving 500 (Internal Server Error)
1690941 - Some multipart uploads with SSE-C are corrupted
1692555 - 'radosgw-admin sync status' does not show timestamps for master zone
1693445 - rgw-multisite sync stuck recovering shard in already deleted versioned bucket
1695174 - rgw: fix eval bucket policies and perms permissions for non-existent objects
1699478 - rgw-multisite: log trimming does not make progress unless zones 'sync_from_all'
1701970 - Inefficient unordered bucket listing
1702311 - [cee/sd][ceph-ansible] shrink-osd.yml is failing due to missing osd_fsid in "ceph --cluster ceph osd find 0" output

6. Package List:

Red Hat Ceph Storage 3.2 MON:

Source:
ceph-12.2.8-128.el7cp.src.rpm

ppc64le:
ceph-base-12.2.8-128.el7cp.ppc64le.rpm
ceph-common-12.2.8-128.el7cp.ppc64le.rpm
ceph-debuginfo-12.2.8-128.el7cp.ppc64le.rpm
ceph-mgr-12.2.8-128.el7cp.ppc64le.rpm
ceph-mon-12.2.8-128.el7cp.ppc64le.rpm
ceph-selinux-12.2.8-128.el7cp.ppc64le.rpm
libcephfs-devel-12.2.8-128.el7cp.ppc64le.rpm
libcephfs2-12.2.8-128.el7cp.ppc64le.rpm
librados-devel-12.2.8-128.el7cp.ppc64le.rpm
librados2-12.2.8-128.el7cp.ppc64le.rpm
libradosstriper1-12.2.8-128.el7cp.ppc64le.rpm
librbd-devel-12.2.8-128.el7cp.ppc64le.rpm
librbd1-12.2.8-128.el7cp.ppc64le.rpm
librgw-devel-12.2.8-128.el7cp.ppc64le.rpm
librgw2-12.2.8-128.el7cp.ppc64le.rpm
python-cephfs-12.2.8-128.el7cp.ppc64le.rpm
python-rados-12.2.8-128.el7cp.ppc64le.rpm
python-rbd-12.2.8-128.el7cp.ppc64le.rpm
python-rgw-12.2.8-128.el7cp.ppc64le.rpm

x86_64:
ceph-base-12.2.8-128.el7cp.x86_64.rpm
ceph-common-12.2.8-128.el7cp.x86_64.rpm
ceph-debuginfo-12.2.8-128.el7cp.x86_64.rpm
ceph-mgr-12.2.8-128.el7cp.x86_64.rpm
ceph-mon-12.2.8-128.el7cp.x86_64.rpm
ceph-selinux-12.2.8-128.el7cp.x86_64.rpm
ceph-test-12.2.8-128.el7cp.x86_64.rpm
libcephfs-devel-12.2.8-128.el7cp.x86_64.rpm
libcephfs2-12.2.8-128.el7cp.x86_64.rpm
librados-devel-12.2.8-128.el7cp.x86_64.rpm
librados2-12.2.8-128.el7cp.x86_64.rpm
libradosstriper1-12.2.8-128.el7cp.x86_64.rpm
librbd-devel-12.2.8-128.el7cp.x86_64.rpm
librbd1-12.2.8-128.el7cp.x86_64.rpm
librgw-devel-12.2.8-128.el7cp.x86_64.rpm
librgw2-12.2.8-128.el7cp.x86_64.rpm
python-cephfs-12.2.8-128.el7cp.x86_64.rpm
python-rados-12.2.8-128.el7cp.x86_64.rpm
python-rbd-12.2.8-128.el7cp.x86_64.rpm
python-rgw-12.2.8-128.el7cp.x86_64.rpm

Red Hat Ceph Storage 3.2 OSD:

Source:
ceph-12.2.8-128.el7cp.src.rpm

ppc64le:
ceph-base-12.2.8-128.el7cp.ppc64le.rpm
ceph-common-12.2.8-128.el7cp.ppc64le.rpm
ceph-debuginfo-12.2.8-128.el7cp.ppc64le.rpm
ceph-osd-12.2.8-128.el7cp.ppc64le.rpm
ceph-selinux-12.2.8-128.el7cp.ppc64le.rpm
libcephfs-devel-12.2.8-128.el7cp.ppc64le.rpm
libcephfs2-12.2.8-128.el7cp.ppc64le.rpm
librados-devel-12.2.8-128.el7cp.ppc64le.rpm
librados2-12.2.8-128.el7cp.ppc64le.rpm
libradosstriper1-12.2.8-128.el7cp.ppc64le.rpm
librbd-devel-12.2.8-128.el7cp.ppc64le.rpm
librbd1-12.2.8-128.el7cp.ppc64le.rpm
librgw-devel-12.2.8-128.el7cp.ppc64le.rpm
librgw2-12.2.8-128.el7cp.ppc64le.rpm
python-cephfs-12.2.8-128.el7cp.ppc64le.rpm
python-rados-12.2.8-128.el7cp.ppc64le.rpm
python-rbd-12.2.8-128.el7cp.ppc64le.rpm
python-rgw-12.2.8-128.el7cp.ppc64le.rpm

x86_64:
ceph-base-12.2.8-128.el7cp.x86_64.rpm
ceph-common-12.2.8-128.el7cp.x86_64.rpm
ceph-debuginfo-12.2.8-128.el7cp.x86_64.rpm
ceph-osd-12.2.8-128.el7cp.x86_64.rpm
ceph-selinux-12.2.8-128.el7cp.x86_64.rpm
ceph-test-12.2.8-128.el7cp.x86_64.rpm
libcephfs-devel-12.2.8-128.el7cp.x86_64.rpm
libcephfs2-12.2.8-128.el7cp.x86_64.rpm
librados-devel-12.2.8-128.el7cp.x86_64.rpm
librados2-12.2.8-128.el7cp.x86_64.rpm
libradosstriper1-12.2.8-128.el7cp.x86_64.rpm
librbd-devel-12.2.8-128.el7cp.x86_64.rpm
librbd1-12.2.8-128.el7cp.x86_64.rpm
librgw-devel-12.2.8-128.el7cp.x86_64.rpm
librgw2-12.2.8-128.el7cp.x86_64.rpm
python-cephfs-12.2.8-128.el7cp.x86_64.rpm
python-rados-12.2.8-128.el7cp.x86_64.rpm
python-rbd-12.2.8-128.el7cp.x86_64.rpm
python-rgw-12.2.8-128.el7cp.x86_64.rpm

Red Hat Ceph Storage 3.2 Tools:

Source:
ceph-12.2.8-128.el7cp.src.rpm
ceph-ansible-3.2.15-1.el7cp.src.rpm
grafana-5.2.4-2.el7cp.src.rpm

noarch:
ceph-ansible-3.2.15-1.el7cp.noarch.rpm

ppc64le:
ceph-base-12.2.8-128.el7cp.ppc64le.rpm
ceph-common-12.2.8-128.el7cp.ppc64le.rpm
ceph-debuginfo-12.2.8-128.el7cp.ppc64le.rpm
ceph-fuse-12.2.8-128.el7cp.ppc64le.rpm
ceph-mds-12.2.8-128.el7cp.ppc64le.rpm
ceph-radosgw-12.2.8-128.el7cp.ppc64le.rpm
ceph-selinux-12.2.8-128.el7cp.ppc64le.rpm
libcephfs-devel-12.2.8-128.el7cp.ppc64le.rpm
libcephfs2-12.2.8-128.el7cp.ppc64le.rpm
librados-devel-12.2.8-128.el7cp.ppc64le.rpm
librados2-12.2.8-128.el7cp.ppc64le.rpm
libradosstriper1-12.2.8-128.el7cp.ppc64le.rpm
librbd-devel-12.2.8-128.el7cp.ppc64le.rpm
librbd1-12.2.8-128.el7cp.ppc64le.rpm
librgw-devel-12.2.8-128.el7cp.ppc64le.rpm
librgw2-12.2.8-128.el7cp.ppc64le.rpm
python-cephfs-12.2.8-128.el7cp.ppc64le.rpm
python-rados-12.2.8-128.el7cp.ppc64le.rpm
python-rbd-12.2.8-128.el7cp.ppc64le.rpm
python-rgw-12.2.8-128.el7cp.ppc64le.rpm
rbd-mirror-12.2.8-128.el7cp.ppc64le.rpm

x86_64:
ceph-base-12.2.8-128.el7cp.x86_64.rpm
ceph-common-12.2.8-128.el7cp.x86_64.rpm
ceph-debuginfo-12.2.8-128.el7cp.x86_64.rpm
ceph-fuse-12.2.8-128.el7cp.x86_64.rpm
ceph-mds-12.2.8-128.el7cp.x86_64.rpm
ceph-radosgw-12.2.8-128.el7cp.x86_64.rpm
ceph-selinux-12.2.8-128.el7cp.x86_64.rpm
grafana-5.2.4-2.el7cp.x86_64.rpm
libcephfs-devel-12.2.8-128.el7cp.x86_64.rpm
libcephfs2-12.2.8-128.el7cp.x86_64.rpm
librados-devel-12.2.8-128.el7cp.x86_64.rpm
librados2-12.2.8-128.el7cp.x86_64.rpm
libradosstriper1-12.2.8-128.el7cp.x86_64.rpm
librbd-devel-12.2.8-128.el7cp.x86_64.rpm
librbd1-12.2.8-128.el7cp.x86_64.rpm
librgw-devel-12.2.8-128.el7cp.x86_64.rpm
librgw2-12.2.8-128.el7cp.x86_64.rpm
python-cephfs-12.2.8-128.el7cp.x86_64.rpm
python-rados-12.2.8-128.el7cp.x86_64.rpm
python-rbd-12.2.8-128.el7cp.x86_64.rpm
python-rgw-12.2.8-128.el7cp.x86_64.rpm
rbd-mirror-12.2.8-128.el7cp.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
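The check below is an added example, not part of this advisory or of Red Hat's own tooling: it compares the package NVRs a host reports against the fixed versions listed in section 6 and reports anything still older than the fix. The installed-package list is constructed sample output in the shape of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'`, the FIXED table is transcribed from the package list above, and the version comparison is a minimal reimplementation of rpm's rpmvercmp that ignores Epoch (an assumption that holds when comparing releases of the same package within one product channel).

```python
"""Report installed packages still below the fixed NVRs from RHSA-2019:0911.

Added example (not the advisory's or Red Hat's code). rpmvercmp() is a
minimal reimplementation of rpm's segment-wise version comparison; Epoch
is assumed equal on both sides and is not compared.
"""
import re

# Fixed "version-release" per package name, transcribed from section 6.
# Architecture suffixes are irrelevant to the comparison and are dropped.
FIXED = {
    "ceph-base": "12.2.8-128.el7cp",
    "ceph-common": "12.2.8-128.el7cp",
    "ceph-mon": "12.2.8-128.el7cp",
    "ceph-mgr": "12.2.8-128.el7cp",
    "ceph-osd": "12.2.8-128.el7cp",
    "ceph-mds": "12.2.8-128.el7cp",
    "ceph-radosgw": "12.2.8-128.el7cp",
    "ceph-ansible": "3.2.15-1.el7cp",
    "grafana": "5.2.4-2.el7cp",
}

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'`
# from a hypothetical MON node; not captured from a real host.
SAMPLE_RPM_QA = """\
ceph-mon-12.2.8-89.el7cp.x86_64
ceph-common-12.2.8-128.el7cp.x86_64
grafana-5.2.4-1.el7cp.x86_64
ceph-ansible-3.2.15-1.el7cp.noarch
kernel-3.10.0-957.el7.x86_64
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1/0/1 like rpm's rpmvercmp(): digit runs compare numerically,
    alpha runs lexically, a numeric segment beats an alpha one, '~' sorts
    below everything (including end of string), and otherwise the string
    with segments left over is the newer one."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            c = 1
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":          # trailing pre-release marker loses
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def compare_vr(installed_vr: str, fixed_vr: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    iv, ir = installed_vr.rsplit("-", 1)
    fv, fr = fixed_vr.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def parse_nvra(pkg: str):
    """Split 'name-version-release.arch' into (name, version, release, arch).
    Version and release never contain '-', so splitting from the right is safe
    even for names that contain hyphens (e.g. ceph-ansible)."""
    nvr, arch = pkg.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def find_unpatched(rpm_qa_output: str, fixed=FIXED) -> dict:
    """Return {name: (installed_vr, fixed_vr)} for every package in `fixed`
    whose installed version-release is older than the advisory's fix."""
    unpatched = {}
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, release, _arch = parse_nvra(line)
        if name not in fixed:
            continue
        installed_vr = f"{version}-{release}"
        if compare_vr(installed_vr, fixed[name]) < 0:
            unpatched[name] = (installed_vr, fixed[name])
    return unpatched


if __name__ == "__main__":
    for name, (have, want) in sorted(find_unpatched(SAMPLE_RPM_QA).items()):
        print(f"{name}: installed {have} < fixed {want}")
```

On a real host, feed the function the output of the `rpm -qa` query quoted above; packages the advisory does not list (kernel in the sample) are ignored. Package authenticity is a separate check: `rpm -K <file>.rpm` verifies the Red Hat signature on a downloaded package against the key referenced above, and this script does not replace that step.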

7. References:

https://access.redhat.com/security/cve/CVE-2018-19039
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3.2/html/release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXMhwvNzjgjWX9erEAQiwhQ//SVOoOCYRrruTi62M+bR1loq2c0MEV7Ob
8gtRWVr1ojuoX1zkeOfCXUoiHIbxUgCjBCxs9QGSuhaI+IwaXVrXjkg9jfzJGmcP
s8T0ueoaDPYymPUHmPQ9OQ33TW6DwH+VKVj6TD1WuIHXByafGyaS2BRnQS87xmz8
BDozP11kM0U5CLokss+nZaIJ+xmWBoKypcHxbWrj9uS5uQIKY/wk6mjLb+w29sS4
UVD8gHyS9++gcFvyOpZ89Y2xaVbmp9paya9Yd2WWKILKT8p0qNuN+pi6YEQ7231m
s4jFgFF6d4BvBcH9KTuWCthVHgq6moCbm4+Rfakc8RBm82bcaDHcC4Uukj4K9JCH
J9mwiMINFKF5BLUQlmTyrFPF7o6boHGqisUTbP9B7J6o1MBixNsDMNoTgZMPhQLL
kWOMJbu67axB9IpEsO4emNj29+fQtvL68HVEQUmwOnBpnRR1WYa8mkApPmgLdbI2
ndptApCCdpKwO5FwOCgP0bQ8yG1tlS3/LN0O0Qr07esayGykIZPwI1m7z0R4JYyB
vVOmn5/vnNSl2gQjJtwXEEqdWph/+iNFjUd9EzifeTJonvAdfCYr9YzkTl0L2TM7
sF3b51bXX2dbQww1dbsQYGrMJ6w+ZN91QeaquHi/TqgU9GbHFkMRscb0mKvOUkrh
8I3/VlPfwK0=
=UJED
- -----END PGP SIGNATURE-----

- --
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----