SUSE Container Update Advisory: ses/6/cephcsi/cephcsi
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:773-1
Container Tags        : ses/6/cephcsi/cephcsi:1.2.0.0 , ses/6/cephcsi/cephcsi:1.2.0.0.1.5.63 , ses/6/cephcsi/cephcsi:latest
Container Release     : 1.5.63
Severity              : important
Type                  : security
References            : 1103320 1132767 1132767 1134444 1134444 1135584 1135584 1137503 1137503
                        1140491 1140491 1141174 1141174 1145093 1145093 1145617 1145617 1145618
                        1145618 1145759 1145759 1146656 1146656 1147132 1147132 1149093 1149093
                        1150406 1150406 1151439 1151439 1151990 1151990 1151991 1151991 1151992
                        1151992 1151993 1151993 1151994 1151994 1151995 1151995 1152002 1152002
                        1154019 1154036 1154037 1156282 CVE-2019-10222 CVE-2019-10222
                        CVE-2019-17594 CVE-2019-17595
-----------------------------------------------------------------

The container ses/6/cephcsi/cephcsi was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2736-1
Released:    Tue Oct 22 11:07:31 2019
Summary:     Security update for ceph, ceph-iscsi, ses-manual_en
Type:        security
Severity:    moderate
References:  1132767,1134444,1135584,1137503,1140491,1141174,1145093,1145617,1145618,1145759,1146656,1147132,1149093,1150406,1151439,1151990,1151991,1151992,1151993,1151994,1151995,1152002,CVE-2019-10222

This update for ceph, ceph-iscsi and ses-manual_en fixes the following issues:

Security issues fixed:

- CVE-2019-10222: Fixed RGW crash caused by unauthenticated clients. (bsc#1145093)

Non-security issues fixed:

- ceph-volume: prints errors to stdout with --format json (bsc#1132767)
- mgr/dashboard: Changing rgw-api-host does not get effective without disable/enable dashboard mgr module (bsc#1137503)
- mgr/dashboard: Silence Alertmanager alerts (bsc#1141174)
- mgr/dashboard: Fix e2e failures caused by webdriver version (bsc#1145759)
- librbd: always try to acquire exclusive lock when removing image (bsc#1149093)
- The no{up,down,in,out} related commands have been revamped (bsc#1151990)
- radosgw-admin gets two new subcommands for managing expire-stale objects. (bsc#1151991)
- Deploying a single new BlueStore OSD on a cluster upgraded to SES6 from SES5 breaks pool utilization stats reported by ceph df (bsc#1151992)
- Ceph cluster will no longer issue a health warning if CRUSH tunables are older than 'hammer' (bsc#1151993)
- Nautilus-based librbd clients can not open images on Jewel clusters (bsc#1151994)
- The RGW num_rados_handles has been removed in Ceph 14.2.3 (bsc#1151995)
- 'osd_deep_scrub_large_omap_object_key_threshold' has been lowered in Nautilus 14.2.3 (bsc#1152002)
- Support iSCSI target-level CHAP authentication (bsc#1145617)
- Validation and render of iSCSI controls based on 'type' (bsc#1140491)
- Fix error editing iSCSI image advanced settings (bsc#1146656)
- Fix error during iSCSI target edit

Fixes in ses-manual_en:

- Added a new chapter with changelogs of Ceph releases. (bsc#1135584)
- Rewrote rolling updates and replaced running stage.0 with manual commands to prevent infinite loop. (bsc#1134444)
- Improved name of CaaSP to its fuller version. (bsc#1151439)
- Verify which OSDs are going to be removed before running stage.5. (bsc#1150406)
- Added two additional steps to recovering an OSD. (bsc#1147132)

Fixes in ceph-iscsi:

- Validate kernel LIO controls type and value (bsc#1140491)
- TPG lun_id persistence (bsc#1145618)
- Target level CHAP authentication (bsc#1145617)

ceph-iscsi was updated to the upstream 3.2 release:

- Always use host FQDN instead of shortname
- Validate min/max value for target controls and rbd:user/tcmu-runner image controls (bsc#1140491)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2019:2980-1
Released:    Thu Nov 14 22:45:33 2019
Summary:     Optional update for curl
Type:        optional
Severity:    low
References:  1154019

This update for curl doesn't address any user visible issues.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2994-1
Released:    Mon Nov 18 13:34:33 2019
Summary:     Security update for ceph
Type:        security
Severity:    important
References:  1132767,1134444,1135584,1137503,1140491,1141174,1145093,1145617,1145618,1145759,1146656,1147132,1149093,1150406,1151439,1151990,1151991,1151992,1151993,1151994,1151995,1152002,1156282,CVE-2019-10222

This update for ceph fixes the following issues:

- A previous update introduced a regression with the potential to cause RocksDB data corruption in Nautilus (bsc#1156282).
- Support for iSCSI target-level CHAP authentication was added (bsc#1145617).
- Implemented validation and rendering of iSCSI controls based on 'type' (bsc#1140491).
- Fixed an error while editing iSCSI image advanced settings (bsc#1146656).
- Fixed a ceph-volume regression. SES customers were never exposed to this regression (bsc#1132767).
- Fixed a denial of service vulnerability where an unauthenticated client of Ceph Object Gateway could trigger a crash from an uncaught exception (bsc#1145093, CVE-2019-10222).
- Nautilus-based librbd clients could not open images on Jewel clusters (bsc#1151994).
- The RGW num_rados_handles has been removed (bsc#1151995).
- 'osd_deep_scrub_large_omap_object_key_threshold' has been lowered in Nautilus (bsc#1152002).
- The ceph dashboard now supports silencing Prometheus notifications (bsc#1141174).
- The no{up,down,in,out} related commands have been revamped (bsc#1151990).
- Radosgw-admin got two new subcommands for managing expire-stale objects (bsc#1151991).
- Deploying a single new BlueStore OSD on a cluster upgraded to SES6 from SES5 used to break pool utilization stats reported by ceph df (bsc#1151992).
- Ceph clusters will issue a health warning if CRUSH tunables are older than 'hammer' (bsc#1151993).
- Ceph-volume prints errors to stdout with --format json (bsc#1132767).
- Changing rgw-api-host in the dashboard does not get effective without disable/enable dashboard mgr module (bsc#1137503).
- Silenced Alertmanager alerts in the dashboard (bsc#1141174).
- Fixed e2e failures in the dashboard caused by webdriver version (bsc#1145759).
- librbd always tries to acquire exclusive lock when removing an image (bsc#1149093).

Fixes in ses-manual_en:

- Added a new chapter with changelogs of Ceph releases. (bsc#1135584)
- Rewrote rolling updates and replaced running stage.0 with manual commands to prevent infinite loop. (bsc#1134444)
- Improved name of CaaSP to its fuller version. (bsc#1151439)
- Verify which OSDs are going to be removed before running stage.5. (bsc#1150406)
- Added two additional steps to recovering an OSD. (bsc#1147132)

Fixes in ceph-iscsi:

- Validate kernel LIO controls type and value (bsc#1140491)
- TPG lun_id persistence (bsc#1145618)
- Target level CHAP authentication (bsc#1145617)

ceph-iscsi was updated to the upstream 3.2 release:

- Always use host FQDN instead of shortname
- Validate min/max value for target controls and rbd:user/tcmu-runner image controls (bsc#1140491)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released:    Mon Nov 18 15:16:38 2019
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595

This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

Non-security issue fixed:

- Removed screen.xterm from terminfo database (bsc#1103320).

The following package changes have been done:

- ceph-base-14.2.4.386+g73475e3ee1-3.6.1 updated
- ceph-common-14.2.4.386+g73475e3ee1-3.6.1 updated
- ceph-fuse-14.2.4.386+g73475e3ee1-3.6.1 updated
- ceph-grafana-dashboards-14.2.4.386+g73475e3ee1-3.6.1 added
- ceph-mds-14.2.4.386+g73475e3ee1-3.6.1 updated
- ceph-mgr-dashboard-14.2.4.386+g73475e3ee1-3.6.1 updated
- ceph-mgr-diskprediction-local-14.2.4.386+g73475e3ee1-3.6.1 updated
- ceph-mgr-rook-14.2.4.386+g73475e3ee1-3.6.1 updated
- ceph-mgr-14.2.4.386+g73475e3ee1-3.6.1 updated
- ceph-mon-14.2.4.386+g73475e3ee1-3.6.1 updated
- ceph-osd-14.2.4.386+g73475e3ee1-3.6.1 updated
- ceph-radosgw-14.2.4.386+g73475e3ee1-3.6.1 updated
- ceph-14.2.4.386+g73475e3ee1-3.6.1 updated
- libcephfs2-14.2.4.386+g73475e3ee1-3.6.1 updated
- libcurl4-7.60.0-3.26.1 updated
- libncurses6-6.1-5.6.2 updated
- librados2-14.2.4.386+g73475e3ee1-3.6.1 updated
- librbd1-14.2.4.386+g73475e3ee1-3.6.1 updated
- librgw2-14.2.4.386+g73475e3ee1-3.6.1 updated
- ncurses-utils-6.1-5.6.2 updated
- python3-ceph-argparse-14.2.4.386+g73475e3ee1-3.6.1 updated
- python3-cephfs-14.2.4.386+g73475e3ee1-3.6.1 updated
- python3-rados-14.2.4.386+g73475e3ee1-3.6.1 updated
- python3-rbd-14.2.4.386+g73475e3ee1-3.6.1 updated
- python3-rgw-14.2.4.386+g73475e3ee1-3.6.1 updated
- rbd-mirror-14.2.4.386+g73475e3ee1-3.6.1 updated
- rbd-nbd-14.2.4.386+g73475e3ee1-3.6.1 updated
- terminfo-base-6.1-5.6.2 updated
- container:sles15-image-15.0.0-6.2.114 updated