SUSE Container Update Advisory: ses/7.1/cephcsi/cephcsi
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:626-1
Container Tags        : ses/7.1/cephcsi/cephcsi:3.8.0 , ses/7.1/cephcsi/cephcsi:3.8.0.0.3.2.635 , ses/7.1/cephcsi/cephcsi:latest , ses/7.1/cephcsi/cephcsi:sle15.3.pacific , ses/7.1/cephcsi/cephcsi:v3.8.0 , ses/7.1/cephcsi/cephcsi:v3.8.0.0
Container Release     : 3.2.635
Severity              : important
Type                  : security
References            : 1178168 1182066 1198331 1199282 1204585 1208574 CVE-2020-25659
                        CVE-2020-36242 CVE-2021-30560 
-----------------------------------------------------------------

The container ses/7.1/cephcsi/cephcsi was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:604-1
Released:    Thu Mar  2 15:51:55 2023
Summary:     Security update for python-cryptography, python-cryptography-vectors
Type:        security
Severity:    important
References:  1178168,1182066,1198331,1199282,CVE-2020-25659,CVE-2020-36242
This update for python-cryptography, python-cryptography-vectors fixes the following issues:

- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

- CVE-2020-36242: Fixed a bug where certain sequences of update() calls could result in integer overflow (bsc#1182066).
- CVE-2020-25659: Fixed Bleichenbacher vulnerabilities (bsc#1178168).  

- update to 3.3.2 (bsc#1198331)
	 
	  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:676-1
Released:    Wed Mar  8 14:33:23 2023
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  1204585
This update for libxml2 fixes the following issues:

- Add W3C conformance tests to the testsuite (bsc#1204585):
  * Added file xmlts20080827.tar.gz 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:680-1
Released:    Wed Mar  8 17:14:06 2023
Summary:     Security update for libxslt
Type:        security
Severity:    important
References:  1208574,CVE-2021-30560
This update for libxslt fixes the following issues:

- CVE-2021-30560: Fixing a use after free vulnerability in Blink XSLT (bsc#1208574).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:711-1
Released:    Sun Mar 12 12:59:43 2023
Summary:     Recommended update for ceph-csi
Type:        recommended
Severity:    moderate
References:  
This update for ceph-csi fixes the following issues:

- Update to 3.8.0
  Features:
  - RBD
    - fscrypt support
       - Add fscrypt integration with the Ceph CSI KMS. Supports ext4 on RBD. Snapshots are supported as well.
       - Brief docs for fscrypt support
    - Provide new command line configuration to enable read affinity
  - CephFS
    - Shallow volumes for the ROX accessModes by default
      - Shallow volumes as default for cephfs ROX clones/restore for better performance.
    - Add fscrypt support for volumes, snapshots, and clones
      - There are dependencies with kernel and ceph
  
  Enhancements:
  - Update kubernetes dependencies to 1.26.1
  * Update go-ceph to 0.20.0
  * Update packages in release image
  * Add basic upgrade documentation for Helm Charts
  * Update rook installation to default latest version
  * Add extraArgs for sidecars
  * csidriver added to helper scripts
  * Lift the minimum supported version of ceph to v15.0.0
  * Update csi spec to v1.7.0
  * Add commonLabels value to helm charts
  
  Bug Fixes:
  * Make inode metrics optional in FilesystemNodeGetVolumeStats for CephFS
  * Discover if StagingTargetPath in NodeExpandVolume exists
  * Set disableInUseChecks on rbd volume
  * Skip expanding for BackingSnapshot volume
  * Fix CVEs in image
  * Ignore stderr for ceph osd blocklist when there is no error
  * Check volume details from original volumeID
  * Setup encryption if rbdVol exists during CreateVol
  * Return error if last sync time is not present
  * Return abnormal if the mount is corrupted
  * Fix namespace name update in metadata and rados object
  * Remove dummy image workaround
  * Get description from remote status
  - Fix mdl configuration
  - ParseAcceptLanguage takes a long time to parse complex tags

  E2E:
  - Run E2E tests with kubernetes v1.26 release
  - Many tests are added to make sure we stay with backward compatibility for existing features of v3.7
  - New tests are added for features introduced in this release
  - Lots of cleanup and deprecated API removals were done on the test framework

  CI:
  - Update golang to 1.19.5
  - Many Mergify enhancements for better CI resource utilization
  - Add GitHub action to trigger E2E

  Breaking Changes:
  - Removal of option to run cephcsi as both controller and node server.


The following package changes have been done:

- ceph-csi-3.8.0+git0.e13e72a-150300.3.9.1 updated
- libxml2-2-2.9.7-150000.3.54.1 updated
- libxslt1-1.1.32-150000.3.14.1 updated
- python3-cryptography-3.3.2-150200.16.1 updated
- container:ceph-image-1.0.0-3.2.416 updated

SUSE: 2023:626-1 ses/7.1/cephcsi/cephcsi Security Update

March 13, 2023
The container ses/7.1/cephcsi/cephcsi was updated
