RedHat: RHSA-2019-0747:01 Moderate: Red Hat Ceph Storage 2.5 security and bug fix update

    Date: 11 Apr 2019
    Category: Red Hat
    Posted By: LinuxSecurity Advisories
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Moderate: Red Hat Ceph Storage 2.5 security and bug fix update
    Advisory ID:       RHSA-2019:0747-01
    Product:           Red Hat Ceph Storage
    Advisory URL:      https://access.redhat.com/errata/RHSA-2019:0747
    Issue date:        2019-04-11
    CVE Names:         CVE-2018-19039 
    =====================================================================
    
    1. Summary:
    
    An update for ceph and grafana is now available for Red Hat Ceph Storage
    2.5 for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security impact
    of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
    gives a detailed severity rating, is available for each vulnerability from
    the CVE link(s) in the References section.
    
    2. Relevant releases/architectures:
    
    Red Hat Ceph Storage 2.5 MON - x86_64
    Red Hat Ceph Storage 2.5 OSD - x86_64
    Red Hat Ceph Storage 2.5 Tools - x86_64
    
    3. Description:
    
    Red Hat Ceph Storage is a scalable, open, software-defined storage platform
    that combines the most stable version of the Ceph storage system with a
    Ceph management platform, deployment utilities, and support services.
    
    Security Fix(es):
    
    * grafana: File exfiltration (CVE-2018-19039)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
    
    Bug Fix(es):
    
    * A segfault was discovered with OpenStack Cinder Backup when
    'rados_connect_timeout' was set. Normally this timeout is not enabled, but
    on a highly loaded cluster it could be reached, causing rbd_snap_list_end()
    to segfault after rbd_snap_list() failed. With this update to Red Hat Ceph
    Storage, reaching the timeout no longer causes a segfault. (BZ#1655685)
    
    * With this release, you now have the ability to reset a user's statistics
    using the 'radosgw-admin' command. In previous versions, the user's
    recorded statistics diverged from the actual statistics. When using the
    '--reset-stats' option with the 'radosgw-admin' command, along with
    specifying the Ceph Object Gateway user, the stats will be recalculated.
    (BZ#1673217)
    
    * An inconsistency in the duplicate checking code caused duplicate indices
    to be added instead of trimmed. The logic has been fixed so that adding and
    trimming duplicate indices are handled consistently, and duplicate indices
    are now trimmed correctly. (BZ#1676709)
    
    * Two bugs were found in the garbage collection list iteration logic. One
    of these bugs was a race condition when doing system restarts. These bugs
    were causing higher-than-expected workloads and stalling in garbage
    collection processing. Issues with list truncation and entry deletion were
    fixed, reducing the potential for garbage collection stalls and high-read
    I/O during garbage collection removal. (BZ#1680050)
    
    * Due to a bug in multi-site sync of versioning-suspended buckets, certain
    object versioning attributes were overwritten with incorrect values.
    Consequently, the objects failed to sync and attempted to retry endlessly,
    blocking further sync progress. With this update, the sync process no
    longer overwrites versioning attributes. In addition, any broken attributes
    are now detected and repaired. As a result, objects are synced correctly in
    versioning-suspended buckets. (BZ#1690927)
    
    * Previously, bucket indices could include "false entries" that did not
    represent actual objects and that resulted from a prior bug. Consequently,
    during the process of deleting such buckets, encountering a false entry
    caused the process to stop and return an error code. With this update, when
    a false entry is encountered, Ceph ignores it, and deleting buckets with
    false entries works as expected. (BZ#1690930)
    
    4. Solution:
    
    For details on how to apply this update, which includes the changes
    described in this advisory, refer to:
    
    https://access.redhat.com/articles/11258
    
    5. Bugs fixed (https://bugzilla.redhat.com/):
    
    1493597 - Performing a manila access-allow on an existing auth entry in Ceph corrupts the permissions.
    1565221 - "set_fact docker_exec_cmd" assumes there will be mons, but does not use the external list of mons if provided
    1649697 - CVE-2018-19039 grafana: File exfiltration
    1655685 - rbd_snap_list_end() segfaults if rbd_snap_list() fails
    1660611 - Intermittent S3 bucket list and swift container list are broken after upgrading to RHCS 2.5.z2 - 10.2.10-40.el7cp
    1676709 - ceph-osd continuous memory growth one of the daemons using 50G+ RSS
    1680050 - [RHCS 2.x] GC erratic performance, very slow deletion performance
    1690922 - RGW memory leak OOM in a multisite environment
    1690927 - multisite sync errors from operations on a versioning-suspended bucket
    1690930 - Customer cannot delete versioned bucket
    1690932 - rgw-multisite: bilog entries not getting trimmed in both sites
    1690934 - Fix issue with concurrent operations on versioned objects
    
    6. Package List:
    
    Red Hat Ceph Storage 2.5 Tools:
    
    Source:
    ceph-10.2.10-49.el7cp.src.rpm
    grafana-4.3.2-4.el7cp.src.rpm
    
    x86_64:
    ceph-base-10.2.10-49.el7cp.x86_64.rpm
    ceph-common-10.2.10-49.el7cp.x86_64.rpm
    ceph-debuginfo-10.2.10-49.el7cp.x86_64.rpm
    ceph-fuse-10.2.10-49.el7cp.x86_64.rpm
    ceph-mds-10.2.10-49.el7cp.x86_64.rpm
    ceph-radosgw-10.2.10-49.el7cp.x86_64.rpm
    ceph-selinux-10.2.10-49.el7cp.x86_64.rpm
    grafana-4.3.2-4.el7cp.x86_64.rpm
    libcephfs1-10.2.10-49.el7cp.x86_64.rpm
    libcephfs1-devel-10.2.10-49.el7cp.x86_64.rpm
    librados2-10.2.10-49.el7cp.x86_64.rpm
    librados2-devel-10.2.10-49.el7cp.x86_64.rpm
    librbd1-10.2.10-49.el7cp.x86_64.rpm
    librbd1-devel-10.2.10-49.el7cp.x86_64.rpm
    librgw2-10.2.10-49.el7cp.x86_64.rpm
    librgw2-devel-10.2.10-49.el7cp.x86_64.rpm
    python-cephfs-10.2.10-49.el7cp.x86_64.rpm
    python-rados-10.2.10-49.el7cp.x86_64.rpm
    python-rbd-10.2.10-49.el7cp.x86_64.rpm
    rbd-mirror-10.2.10-49.el7cp.x86_64.rpm
    
    Red Hat Ceph Storage 2.5 MON:
    
    Source:
    ceph-10.2.10-49.el7cp.src.rpm
    
    x86_64:
    ceph-base-10.2.10-49.el7cp.x86_64.rpm
    ceph-common-10.2.10-49.el7cp.x86_64.rpm
    ceph-debuginfo-10.2.10-49.el7cp.x86_64.rpm
    ceph-mon-10.2.10-49.el7cp.x86_64.rpm
    ceph-selinux-10.2.10-49.el7cp.x86_64.rpm
    ceph-test-10.2.10-49.el7cp.x86_64.rpm
    libcephfs1-10.2.10-49.el7cp.x86_64.rpm
    libcephfs1-devel-10.2.10-49.el7cp.x86_64.rpm
    librados2-10.2.10-49.el7cp.x86_64.rpm
    librados2-devel-10.2.10-49.el7cp.x86_64.rpm
    librbd1-10.2.10-49.el7cp.x86_64.rpm
    librbd1-devel-10.2.10-49.el7cp.x86_64.rpm
    librgw2-10.2.10-49.el7cp.x86_64.rpm
    librgw2-devel-10.2.10-49.el7cp.x86_64.rpm
    python-cephfs-10.2.10-49.el7cp.x86_64.rpm
    python-rados-10.2.10-49.el7cp.x86_64.rpm
    python-rbd-10.2.10-49.el7cp.x86_64.rpm
    
    Red Hat Ceph Storage 2.5 OSD:
    
    Source:
    ceph-10.2.10-49.el7cp.src.rpm
    
    x86_64:
    ceph-base-10.2.10-49.el7cp.x86_64.rpm
    ceph-common-10.2.10-49.el7cp.x86_64.rpm
    ceph-debuginfo-10.2.10-49.el7cp.x86_64.rpm
    ceph-osd-10.2.10-49.el7cp.x86_64.rpm
    ceph-selinux-10.2.10-49.el7cp.x86_64.rpm
    ceph-test-10.2.10-49.el7cp.x86_64.rpm
    libcephfs1-10.2.10-49.el7cp.x86_64.rpm
    libcephfs1-devel-10.2.10-49.el7cp.x86_64.rpm
    librados2-10.2.10-49.el7cp.x86_64.rpm
    librados2-devel-10.2.10-49.el7cp.x86_64.rpm
    librbd1-10.2.10-49.el7cp.x86_64.rpm
    librbd1-devel-10.2.10-49.el7cp.x86_64.rpm
    librgw2-10.2.10-49.el7cp.x86_64.rpm
    librgw2-devel-10.2.10-49.el7cp.x86_64.rpm
    python-cephfs-10.2.10-49.el7cp.x86_64.rpm
    python-rados-10.2.10-49.el7cp.x86_64.rpm
    python-rbd-10.2.10-49.el7cp.x86_64.rpm
    
    These packages are GPG signed by Red Hat for security.  Our key and
    details on how to verify the signature are available from
    https://access.redhat.com/security/team/key/
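To verify that hosts actually carry the fixed builds, the package NVRs above can be compared against what `rpm -qa` reports. The following is an added example, not part of the advisory or of Red Hat's tooling: it implements a simplified rpm-style version comparison (epoch and tilde handling omitted) and flags installed packages older than the fixed NVRs; the FIXED table is taken from the package list above and the SAMPLE inventory is constructed.

```python
"""Flag installed packages older than the fixed NVRs in RHSA-2019:0747."""
import re

# Fixed version-release strings from the advisory's x86_64 package list.
FIXED = {
    "ceph-common": "10.2.10-49.el7cp",
    "ceph-radosgw": "10.2.10-49.el7cp",
    "librbd1": "10.2.10-49.el7cp",
    "grafana": "4.3.2-4.el7cp",
}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm segment comparison: numeric segments compare numerically,
    alpha segments lexically, and a numeric segment sorts after an alpha one,
    as rpm does. Epoch and '~' are not handled. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def vr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def split_nvr(nvr: str) -> tuple:
    """'ceph-common-10.2.10-40.el7cp' -> ('ceph-common', '10.2.10-40.el7cp').
    Expects NAME-VERSION-RELEASE without arch, e.g. from
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\\n'."""
    name, ver, rel = nvr.rsplit("-", 2)
    return name, f"{ver}-{rel}"


def outdated(installed_nvrs) -> list:
    """Return names of listed packages whose installed NVR predates the fix."""
    out = []
    for nvr in installed_nvrs:
        name, vr = split_nvr(nvr)
        if name in FIXED and vr_cmp(vr, FIXED[name]) < 0:
            out.append(name)
    return out


# Constructed inventory of an un-patched host (10.2.10-40.el7cp is the
# pre-fix build the advisory's bug list mentions).
SAMPLE = ["ceph-common-10.2.10-40.el7cp", "librbd1-10.2.10-49.el7cp",
          "grafana-4.3.2-3.el7cp", "bash-4.2.46-34.el7"]

if __name__ == "__main__":
    print("needs update:", outdated(SAMPLE))
```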
    
    7. References:
    
    https://access.redhat.com/security/cve/CVE-2018-19039
    https://access.redhat.com/security/updates/classification/#moderate
    
    8. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2019 Red Hat, Inc.
    
    --
    RHSA-announce mailing list
    https://www.redhat.com/mailman/listinfo/rhsa-announce