SUSE Security Update: Security update for ceph, deepsea
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3257-1
Rating:             moderate
References:         #1151612 #1152100 #1155045 #1155262 #1156087 
                    #1156409 #1158257 #1159689 #1160626 #1161718 
                    #1162553 #1163119 #1164571 #1165713 #1165835 
                    #1165840 #1166297 #1166393 #1166624 #1166670 
                    #1166932 #1167477 #1168403 #1169134 #1169356 
                    #1170487 #1170938 #1171367 #1171921 #1171956 
                    #1172142 #1173339 #1174591 #1175061 #1175240 
                    #1175781 
Cross-References:   CVE-2020-10753
Affected Products:
                    SUSE Enterprise Storage 6
______________________________________________________________________________

   An update that solves one vulnerability and has 35 fixes is
   now available.

Description:

   This update for ceph, deepsea fixes the following issues:

   - Update to 14.2.13-398-gb6c514eec7:
     + Upstream 14.2.13 release see
       https://ceph.io/releases/v14-2-13-nautilus-released/
       * (bsc#1151612, bsc#1158257) ceph-volume: major batch refactor

   - Update to 14.2.12-436-g6feab505b7:
     + Upstream 14.2.12 release see
       https://ceph.io/releases/v14-2-12-nautilus-released/
       * (bsc#1169134) mgr/dashboard: document Prometheus' security model
       * (bsc#1170487) monclient: schedule first tick using
         mon_client_hunt_interval
       * (bsc#1174591) mgr/dashboard: Unable to edit iSCSI logged-in client
       * (bsc#1174591) mgr/dashboard: Allow editing iSCSI targets with
         initiators logged-in
       * (bsc#1175061) os/bluestore: dump onode that has too many spanning
         blobs
       * (bsc#1175240) pybind/mgr/restful: use dict.items() for py3 compatible
     + (bsc#1175781) ceph-volume: lvmcache: print help correctly
     + spec: move python-enum34 into rhel 7 conditional

   - Update to 14.2.11-394-g9cbbc473c0:
     + Upstream 14.2.11 release see
       https://ceph.io/releases/v14-2-11-nautilus-released/
       * mgr/progress: Skip pg_summary update if _events dict is empty
         (bsc#1167477) (bsc#1172142) (bsc#1171956)
       * mgr/dashboard: Allow to edit iSCSI target with active session
         (bsc#1173339)

   - Update to 14.2.10-392-gb3a13b81cb:
     + Upstream 14.2.10 release see
       https://ceph.io/releases/v14-2-10-nautilus-released/
       * mgr: Improve internal python to c++ interface (bsc#1167477)

   - Update to 14.2.9-970-ged84cae0c9:
     + rgw: sanitize newlines in s3 CORSConfiguration's ExposeHeader
       (bsc#1171921, CVE-2020-10753)

   - Update to 14.2.9-969-g9917342dc8d:
     * rebase on top of upstream nautilus, SHA1
       ccd9c04f88e53aef7e4f1068ce1221fa3b97450d
     * cmake: Improve test for 16-byte atomic support on IBM Z
     * (jsc#SES-680) monitoring: add details to Prometheus alerts
     * (bsc#1155045) mgr/dashboard: add debug mode, and accept expected
       exception when SSL handshaking
     * (bsc#1152100) monitoring: alert for prediction of disk and pool fill
       up broken
     * (bsc#1155262) mgr/dashboard: iSCSI targets not available if any
       gateway is down
     * (bsc#1159689) os/bluestore: more flexible DB volume space usage
     * (bsc#1156087) ceph-volume: make get_devices fs location independent
     * (bsc#1156409) monitoring: wait before firing osd full alert
     * (bsc#1160626) mgr/dashboard: Unable to remove an iSCSI gateway that is
       already in use
     * (bsc#1161718) mount.ceph: remove arbitrary limit on size of name=
       option
     * (bsc#1162553) ceph-volume: strip _dmcrypt suffix in simple scan json
       output
     * (bsc#1163119) mgr/dashboard: Not able to restrict bucket creation for
       new user
     * (bsc#1164571) mgr/dashboard: Prevent iSCSI target recreation when
       editing controls
     * (bsc#1165713) mgr/dashboard: Repair broken grafana panels
     * (bsc#1165835) rgw: get barbican secret key request maybe return error
       code
     * (bsc#1165840) rgw: making implicit_tenants backwards compatible
     * (bsc#1166297) mgr/dashboard: Repair broken grafana panels
     * (bsc#1166393) mgr/dashboard: KeyError on dashboard reload
     * (bsc#1166624) mgr/dashboard: Fix iSCSI's username and password
       validation
     * (bsc#1166670) monitoring: root volume full alert fires false positives
     * (bsc#1166932) mgr: synchronize ClusterState's health and mon_status
     * (bsc#1168403) mgr/dashboard: Add more debug information to Dashboard
       RGW backend
     * (bsc#1169356) rgw: reshard: skip stale bucket id entries from reshard
       queue
     * (bsc#1170938) mon/OSDMonitor: allow trimming maps even if osds are down
     * (bsc#1171367) Set OSD's bluefs-buffered-io param to false by default

   - Version: 0.9.33
   - drop workarounds for old ceph-volume lvm batch command

   - runners/upgrade: Add SES6->7 pre-upgrade checks


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2020-3257=1



Package List:

   - SUSE Enterprise Storage 6 (noarch):

      deepsea-0.9.33+git.0.ed16d26e-3.27.1
      deepsea-cli-0.9.33+git.0.ed16d26e-3.27.1


References:

   https://www.suse.com/security/cve/CVE-2020-10753.html
   https://bugzilla.suse.com/1151612
   https://bugzilla.suse.com/1152100
   https://bugzilla.suse.com/1155045
   https://bugzilla.suse.com/1155262
   https://bugzilla.suse.com/1156087
   https://bugzilla.suse.com/1156409
   https://bugzilla.suse.com/1158257
   https://bugzilla.suse.com/1159689
   https://bugzilla.suse.com/1160626
   https://bugzilla.suse.com/1161718
   https://bugzilla.suse.com/1162553
   https://bugzilla.suse.com/1163119
   https://bugzilla.suse.com/1164571
   https://bugzilla.suse.com/1165713
   https://bugzilla.suse.com/1165835
   https://bugzilla.suse.com/1165840
   https://bugzilla.suse.com/1166297
   https://bugzilla.suse.com/1166393
   https://bugzilla.suse.com/1166624
   https://bugzilla.suse.com/1166670
   https://bugzilla.suse.com/1166932
   https://bugzilla.suse.com/1167477
   https://bugzilla.suse.com/1168403
   https://bugzilla.suse.com/1169134
   https://bugzilla.suse.com/1169356
   https://bugzilla.suse.com/1170487
   https://bugzilla.suse.com/1170938
   https://bugzilla.suse.com/1171367
   https://bugzilla.suse.com/1171921
   https://bugzilla.suse.com/1171956
   https://bugzilla.suse.com/1172142
   https://bugzilla.suse.com/1173339
   https://bugzilla.suse.com/1174591
   https://bugzilla.suse.com/1175061
   https://bugzilla.suse.com/1175240
   https://bugzilla.suse.com/1175781