-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat Ceph Storage security, bug fix, and enhancement update Advisory ID: RHSA-2019:4353-01 Product: Red Hat Ceph Storage Advisory URL: https://access.redhat.com/errata/RHSA-2019:4353 Issue date: 2019-12-19 CVE Names: CVE-2019-19337 ===================================================================== 1. Summary: An update is now available for Red Hat Ceph Storage 3.3 that runs on Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Ceph Storage 3.3 MON - ppc64le, x86_64 Red Hat Ceph Storage 3.3 OSD - ppc64le, x86_64 Red Hat Ceph Storage 3.3 Tools - noarch, ppc64le, x86_64 3. Description: Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. Security Fix(es): * ceph: denial of service in RGW daemon (CVE-2019-19337) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) and Enhancement(s): For detailed information on changes in this release, see the Red Hat Ceph Storage 3.3 Release Notes available at: https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3.3/html - -single/release_notes/index 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1552210 - [ceph-ansible] [ceph-container] : failed to add new mgr with '--limit' option - trying to copy mgr keyring without generating 1569689 - MDS rolling-upgrade process needs to be changed to follow new recommendations 1603551 - OSP13 deploy fails pg count exceeds max 1616159 - [ceph-ansible] [ceph-container] : switch from rpm to containerized - OSDs not coming up after the switch saying encrypted device still in use 1622729 - remove warnings for unsupported variables 1623580 - [RFE] Prevent customers from installing an OSD device on the same disk as the OS 1638904 - lv-create.yml/lv-teardown.yml should fail if lv_vars.yaml has not been edited 1640525 - [Ceph-Ansible] Missing fourth and fifth scenarios in osds.yml.sample 1644611 - [RFE] Listing ceph-disk’s OSDs 1646456 - [ceph-ansible] - ubuntu - playbook must fail if debian rhcs packages are not installed 1654790 - ceph-validate : No clear error when osd_scenario is not set 1664112 - Cache size is not created correctly in a hyperconverged installation when using the is_hci flag 1665877 - RBD mirroring configuration issue with ceph-ansible 1734513 - all users has access to read ceph manager client keyring files 1744529 - fetching config overrides can result in crash due to unsafe observer calls 1749097 - ceph-ansible filestore fails to start containerized OSD when using block device like /dev/loop3 1749124 - Invalid bucket added to reshard list cannot be removed 1749489 - [RFE] Support use of SSE-S3 headers in RGW with AES256 server side default encryption 1749874 - [RHCS 3][RFE] Adding Placement Group id in Large omap log message 1750115 - When listing of bucket entries, entries following an entry for which check_disk_state() = -ENOENT may not get listed 1752163 - [RFE] tools/rados: allow list objects in a specific pg in a pool 1753942 - [GSS] cephmetrics grafana dashboard do not show disk IOPS/Throughput in RHCS 3.3 1754432 - [cee/sd][ceph-ansible] when running playbook to push new ceph.conf: ansible-playbook site.yml --tags='ceph_update_config' playbook fails on "The conditional check 'osd_socket_stat.rc == 0' failed" (for mon_socket_stat too) 1757298 - [RGW]: Bucket rename creates a duplicate entry in bucket list 1757400 - please backport speed improvement in chown command in switch to containers 1765230 - [ceph-ansible]Ceph-mds -allow multimds task is failing 1765652 - upgrade is broken when no mds is present in inventory 1769760 - [ceph-ansible] - ceph_repository_type being validated unnecessarily in containerized scenario 1777050 - STS crashes with uncaught exception when session token is not base64 encoded 1779158 - [RGW]: Put object ACL fails due to missing content length 1780688 - /etc/systemd/system/ceph-osd@.service contain the wrong OSD container names 1781170 - CVE-2019-19337 ceph: denial of service in RGW daemon 6. Package List: Red Hat Ceph Storage 3.3 MON: Source: ceph-12.2.12-84.el7cp.src.rpm ppc64le: ceph-base-12.2.12-84.el7cp.ppc64le.rpm ceph-common-12.2.12-84.el7cp.ppc64le.rpm ceph-debuginfo-12.2.12-84.el7cp.ppc64le.rpm ceph-mgr-12.2.12-84.el7cp.ppc64le.rpm ceph-mon-12.2.12-84.el7cp.ppc64le.rpm ceph-selinux-12.2.12-84.el7cp.ppc64le.rpm libcephfs-devel-12.2.12-84.el7cp.ppc64le.rpm libcephfs2-12.2.12-84.el7cp.ppc64le.rpm librados-devel-12.2.12-84.el7cp.ppc64le.rpm librados2-12.2.12-84.el7cp.ppc64le.rpm libradosstriper1-12.2.12-84.el7cp.ppc64le.rpm librbd-devel-12.2.12-84.el7cp.ppc64le.rpm librbd1-12.2.12-84.el7cp.ppc64le.rpm librgw-devel-12.2.12-84.el7cp.ppc64le.rpm librgw2-12.2.12-84.el7cp.ppc64le.rpm python-cephfs-12.2.12-84.el7cp.ppc64le.rpm python-rados-12.2.12-84.el7cp.ppc64le.rpm python-rbd-12.2.12-84.el7cp.ppc64le.rpm python-rgw-12.2.12-84.el7cp.ppc64le.rpm x86_64: ceph-base-12.2.12-84.el7cp.x86_64.rpm ceph-common-12.2.12-84.el7cp.x86_64.rpm ceph-debuginfo-12.2.12-84.el7cp.x86_64.rpm ceph-mgr-12.2.12-84.el7cp.x86_64.rpm ceph-mon-12.2.12-84.el7cp.x86_64.rpm ceph-selinux-12.2.12-84.el7cp.x86_64.rpm ceph-test-12.2.12-84.el7cp.x86_64.rpm libcephfs-devel-12.2.12-84.el7cp.x86_64.rpm libcephfs2-12.2.12-84.el7cp.x86_64.rpm librados-devel-12.2.12-84.el7cp.x86_64.rpm librados2-12.2.12-84.el7cp.x86_64.rpm libradosstriper1-12.2.12-84.el7cp.x86_64.rpm librbd-devel-12.2.12-84.el7cp.x86_64.rpm librbd1-12.2.12-84.el7cp.x86_64.rpm librgw-devel-12.2.12-84.el7cp.x86_64.rpm librgw2-12.2.12-84.el7cp.x86_64.rpm python-cephfs-12.2.12-84.el7cp.x86_64.rpm python-rados-12.2.12-84.el7cp.x86_64.rpm python-rbd-12.2.12-84.el7cp.x86_64.rpm python-rgw-12.2.12-84.el7cp.x86_64.rpm Red Hat Ceph Storage 3.3 OSD: Source: ceph-12.2.12-84.el7cp.src.rpm ppc64le: ceph-base-12.2.12-84.el7cp.ppc64le.rpm ceph-common-12.2.12-84.el7cp.ppc64le.rpm ceph-debuginfo-12.2.12-84.el7cp.ppc64le.rpm ceph-osd-12.2.12-84.el7cp.ppc64le.rpm ceph-selinux-12.2.12-84.el7cp.ppc64le.rpm libcephfs-devel-12.2.12-84.el7cp.ppc64le.rpm libcephfs2-12.2.12-84.el7cp.ppc64le.rpm librados-devel-12.2.12-84.el7cp.ppc64le.rpm librados2-12.2.12-84.el7cp.ppc64le.rpm libradosstriper1-12.2.12-84.el7cp.ppc64le.rpm librbd-devel-12.2.12-84.el7cp.ppc64le.rpm librbd1-12.2.12-84.el7cp.ppc64le.rpm librgw-devel-12.2.12-84.el7cp.ppc64le.rpm librgw2-12.2.12-84.el7cp.ppc64le.rpm python-cephfs-12.2.12-84.el7cp.ppc64le.rpm python-rados-12.2.12-84.el7cp.ppc64le.rpm python-rbd-12.2.12-84.el7cp.ppc64le.rpm python-rgw-12.2.12-84.el7cp.ppc64le.rpm x86_64: ceph-base-12.2.12-84.el7cp.x86_64.rpm ceph-common-12.2.12-84.el7cp.x86_64.rpm ceph-debuginfo-12.2.12-84.el7cp.x86_64.rpm ceph-osd-12.2.12-84.el7cp.x86_64.rpm ceph-selinux-12.2.12-84.el7cp.x86_64.rpm ceph-test-12.2.12-84.el7cp.x86_64.rpm libcephfs-devel-12.2.12-84.el7cp.x86_64.rpm libcephfs2-12.2.12-84.el7cp.x86_64.rpm librados-devel-12.2.12-84.el7cp.x86_64.rpm librados2-12.2.12-84.el7cp.x86_64.rpm libradosstriper1-12.2.12-84.el7cp.x86_64.rpm librbd-devel-12.2.12-84.el7cp.x86_64.rpm librbd1-12.2.12-84.el7cp.x86_64.rpm librgw-devel-12.2.12-84.el7cp.x86_64.rpm librgw2-12.2.12-84.el7cp.x86_64.rpm python-cephfs-12.2.12-84.el7cp.x86_64.rpm python-rados-12.2.12-84.el7cp.x86_64.rpm python-rbd-12.2.12-84.el7cp.x86_64.rpm python-rgw-12.2.12-84.el7cp.x86_64.rpm Red Hat Ceph Storage 3.3 Tools: Source: ceph-12.2.12-84.el7cp.src.rpm ceph-ansible-3.2.38-1.el7cp.src.rpm cephmetrics-2.0.9-1.el7cp.src.rpm noarch: ceph-ansible-3.2.38-1.el7cp.noarch.rpm ppc64le: ceph-base-12.2.12-84.el7cp.ppc64le.rpm ceph-common-12.2.12-84.el7cp.ppc64le.rpm ceph-debuginfo-12.2.12-84.el7cp.ppc64le.rpm ceph-fuse-12.2.12-84.el7cp.ppc64le.rpm ceph-mds-12.2.12-84.el7cp.ppc64le.rpm ceph-radosgw-12.2.12-84.el7cp.ppc64le.rpm ceph-selinux-12.2.12-84.el7cp.ppc64le.rpm libcephfs-devel-12.2.12-84.el7cp.ppc64le.rpm libcephfs2-12.2.12-84.el7cp.ppc64le.rpm librados-devel-12.2.12-84.el7cp.ppc64le.rpm librados2-12.2.12-84.el7cp.ppc64le.rpm libradosstriper1-12.2.12-84.el7cp.ppc64le.rpm librbd-devel-12.2.12-84.el7cp.ppc64le.rpm librbd1-12.2.12-84.el7cp.ppc64le.rpm librgw-devel-12.2.12-84.el7cp.ppc64le.rpm librgw2-12.2.12-84.el7cp.ppc64le.rpm python-cephfs-12.2.12-84.el7cp.ppc64le.rpm python-rados-12.2.12-84.el7cp.ppc64le.rpm python-rbd-12.2.12-84.el7cp.ppc64le.rpm python-rgw-12.2.12-84.el7cp.ppc64le.rpm rbd-mirror-12.2.12-84.el7cp.ppc64le.rpm x86_64: ceph-base-12.2.12-84.el7cp.x86_64.rpm ceph-common-12.2.12-84.el7cp.x86_64.rpm ceph-debuginfo-12.2.12-84.el7cp.x86_64.rpm ceph-fuse-12.2.12-84.el7cp.x86_64.rpm ceph-mds-12.2.12-84.el7cp.x86_64.rpm ceph-radosgw-12.2.12-84.el7cp.x86_64.rpm ceph-selinux-12.2.12-84.el7cp.x86_64.rpm cephmetrics-ansible-2.0.9-1.el7cp.x86_64.rpm libcephfs-devel-12.2.12-84.el7cp.x86_64.rpm libcephfs2-12.2.12-84.el7cp.x86_64.rpm librados-devel-12.2.12-84.el7cp.x86_64.rpm librados2-12.2.12-84.el7cp.x86_64.rpm libradosstriper1-12.2.12-84.el7cp.x86_64.rpm librbd-devel-12.2.12-84.el7cp.x86_64.rpm librbd1-12.2.12-84.el7cp.x86_64.rpm librgw-devel-12.2.12-84.el7cp.x86_64.rpm librgw2-12.2.12-84.el7cp.x86_64.rpm python-cephfs-12.2.12-84.el7cp.x86_64.rpm python-rados-12.2.12-84.el7cp.x86_64.rpm python-rbd-12.2.12-84.el7cp.x86_64.rpm python-rgw-12.2.12-84.el7cp.x86_64.rpm rbd-mirror-12.2.12-84.el7cp.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-19337 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXfu6bNzjgjWX9erEAQgNGhAAoOJN8Eon62ognwnqihKdhvmZyVUr/c0p 1oQ86iPhdGZFq5bMz0HK/WcrTwMmMqR1RSuEOAc7eWMttBvgGQTLlFK62toZH1Oj fa0EPUqG0rn0+2ckPunbP+Xp18nyvPS02QCNZcMkVTJDUCkETJAGamWQWK0sHmDN 5RDPHb1J+6bH/ykpRohHM3PTZFL7v4izxyAZarJ1+Rvtqty2ZniUMTjQvKBuj9us vYywD4vpadociA0KLjQeHSuatuFqG1uxqeJVJj7SJ3FQrDZG6ck521MWplMSyYvw XPgtoLEN0I2cdNzapQuwjEvgwjSrbTfOI4j7lbT4cXPJ/7BeHI4MeB40miHWAUn+ aoi6A0qgtpx/QpdAQdIZQFM9IsJ9pyhrFFMCUyWOwbrzD6+1B2L4gs+LlmRqYF/J G2PVRMq5tzQTBJSo7UlIJykP7yUzTpKBbURWo+IB765+GarZen0OG4R4Me8z5U2l bS+5IVhkFvIQuZElI2LONFor3+pbQpx2rCCJohgpdelJ/A2TK96NiRwxhszelU27 N1hchXLTeIOK0SPPqigHKcLaDNJ8OOpBSdDeK1RqHRJKbSss+brp8ekIcscLJaWd t/hd2kIornjXg4HuJ+vLoHEqFkOt/aBfcqt1AyAkvzALhmOmVSNQ2KhkTDtb8FIK nxj4PAFfhG4= =2cj5 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce