From bugzilla at redhat.com Fri Aug 7 01:40:56 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 7 Aug 2015 01:40:56 +0000
Subject: [RHSA-2015:1579-01] Moderate: ceph-deploy security update
Message-ID: <201508070141.t771ewZ1004595@int-mx13.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: ceph-deploy security update
Advisory ID:       RHSA-2015:1579-01
Product:           Red Hat Ceph Storage
Advisory URL:      https://access.redhat.com/errata/RHSA-2015:1579
Issue date:        2015-08-07
CVE Names:         CVE-2015-3010 CVE-2015-4053
=====================================================================

1. Summary:

An updated ceph-deploy package that fixes two security issues is now
available in Red Hat Ceph Storage for Ubuntu 12.04 and Ubuntu 14.04.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Description:

Red Hat Ceph Storage is a massively scalable, open, software-defined
storage platform that combines the most stable version of Ceph with a
Ceph management platform, deployment tools, and support services.

It was discovered that ceph-deploy, a utility for deploying Red Hat Ceph
Storage, would create the keyring file with world readable permissions,
which could possibly allow a local user to obtain authentication
credentials from the keyring file. (CVE-2015-3010, CVE-2015-4053)

ceph has been upgraded from v0.80.8.1 to v0.80.8.2. This upgrade fixes
the following bugs:

- - .rgw pool contains extra objects (rhbz #1212524)
- - rgw bucket/object owner override when setting acls (rhbz #1214051)
- - librbd: aio calls may block (rhbz #1225172)

ice_setup has been upgraded from v0.3.0-2 to v0.3.2. This upgrade fixes a
bug where ice_setup would crash if the "setuptools" Python package was not
already installed on the Calamari admin node. (rhbz #1212045)

All ceph-deploy users are advised to upgrade to this updated package,
which contains backported patches to correct these issues.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

Refer to Knowledge Base article https://access.redhat.com/articles/1554343
for download link and signing information.

4. Bugs fixed (https://bugzilla.redhat.com/):

1210705 - CVE-2015-3010 ceph-deploy: keyring permissions are world readable in ~ceph
1224129 - CVE-2015-4053 ceph-deploy admin command copies keyring file to /etc/ceph which is world readable

5. References:

https://access.redhat.com/security/cve/CVE-2015-3010
https://access.redhat.com/security/cve/CVE-2015-4053
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/articles/1554343
https://access.redhat.com/articles/1372203

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVxAx6XlSAg2UNWIIRAif0AKC5mXm6brcEHOliaLOQ7bLIjB56YACdGKF9
Zaire6nRS3/EFLND0quOp3o=
=Akux
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Aug 17 07:34:40 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 17 Aug 2015 07:34:40 +0000
Subject: [RHSA-2015:1631-01] Moderate: ceph-deploy security update
Message-ID: <201508170734.t7H7YgKn014329@int-mx13.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: ceph-deploy security update
Advisory ID:       RHSA-2015:1631-01
Product:           Red Hat Ceph Storage
Advisory URL:      https://access.redhat.com/errata/RHSA-2015:1631
Issue date:        2015-08-17
CVE Names:         CVE-2015-3010 CVE-2015-4053
=====================================================================

1. Summary:

An updated ceph-deploy package that fixes two security issues is now
available in Red Hat Ceph Storage 1.2 for CentOS 6.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Description:

Red Hat Ceph Storage is a massively scalable, open, software-defined
storage platform that combines the most stable version of Ceph with a
Ceph management platform, deployment tools, and support services.

It was discovered that ceph-deploy, a utility for deploying Red Hat Ceph
Storage, would create the keyring file with world readable permissions,
which could possibly allow a local user to obtain authentication
credentials from the keyring file. (CVE-2015-3010, CVE-2015-4053)

ceph has been upgraded from v0.80.8.1 to v0.80.8.2. This upgrade fixes
the following bugs:

* .rgw pool contains extra objects (BZ#1212524)
* rgw bucket/object owner override when setting acls (BZ#1214051)
* librbd: aio calls may block (BZ#1225172)

ice_setup has been upgraded from v0.3.0-2 to v0.3.2. This upgrade fixes a
bug where ice_setup would crash if the "setuptools" Python package was not
already installed on the Calamari admin node. (rhbz #1212045)

All ceph-deploy users are advised to upgrade to this updated package,
which corrects these issues.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

Refer to the following Knowledge Base article for a download link and
signing information: https://access.redhat.com/articles/1560193

4. Bugs fixed (https://bugzilla.redhat.com/):

1210705 - CVE-2015-3010 ceph-deploy: keyring permissions are world readable in ~ceph
1224129 - CVE-2015-4053 ceph-deploy admin command copies keyring file to /etc/ceph which is world readable

5. References:

https://access.redhat.com/security/cve/CVE-2015-3010
https://access.redhat.com/security/cve/CVE-2015-4053
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/articles/1560193
https://access.redhat.com/articles/1372203

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFV0Y4rXlSAg2UNWIIRAv0nAKCzbTrzyCPibULiBSV4FKVgxDmPFgCbBZgz
+eQGaTrGu42L+FwB9rCOG1w=
=FPaz
-----END PGP SIGNATURE-----
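
The permission problem both advisories describe, as an added example (not code from the advisories or from ceph-deploy): a file created with the process default mode beside one created with mode 0600, plus an audit that flags keyring files carrying any "other" permission bits. The `*.keyring` suffix match, the function names and the sample contents are assumptions made for this illustration.

```python
import os
import stat
import tempfile

KEYRING_MODE = 0o600  # owner read/write only
SAMPLE = "[client.admin]\n\tkey = CONSTRUCTED-PLACEHOLDER\n"  # constructed, not a real key


def write_keyring_default(path, data):
    """'Before' pattern: the mode is left to the umask (0644 under umask 022)."""
    with open(path, "w") as f:
        f.write(data)


def write_keyring_restricted(path, data):
    """'After' pattern: the mode is fixed at creation time, so the file is
    never readable by other local users, not even briefly."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, KEYRING_MODE)
    try:
        os.fchmod(fd, KEYRING_MODE)  # exact mode regardless of the umask
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def audit_keyrings(root):
    """Return {path: octal mode} for regular *.keyring files under root
    that grant any permission to 'other' (the world-readable condition)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks
            if name.endswith(".keyring") and stat.S_ISREG(st.st_mode):
                mode = stat.S_IMODE(st.st_mode)
                if mode & stat.S_IRWXO:
                    findings[full] = oct(mode)
    return findings


def demo():
    """Create one keyring of each kind in a temporary directory and audit it."""
    old_umask = os.umask(0o022)  # typical default umask, set explicitly here
    try:
        with tempfile.TemporaryDirectory() as d:
            write_keyring_default(os.path.join(d, "ceph.client.admin.keyring"), SAMPLE)
            write_keyring_restricted(os.path.join(d, "ceph.mon.keyring"), SAMPLE)
            return {os.path.basename(p): m for p, m in audit_keyrings(d).items()}
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())
```

On a deployed node, `audit_keyrings` can be pointed at the two locations named in the bug list, `/etc/ceph` and the home directory of the ceph user.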