SUSE-SU-2016:0806-1

CVE-2015-5245: A CRLF injection vulnerability in the Ceph Object Gateway (aka radosgw or RGW) could allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted bucket name. (bsc#945206)

The following non-security issues have been fixed:

Move ceph-rbdnamer binary from package 'ceph' to 'ceph-common'. (bsc#965619)
Install /usr/bin/radosgw with mode 0750 and owner root:www. (bsc#964907)
Loop over all ceph-related systemd units on rpm removal. (bsc#941628)
Perform ceph-disk activate in separate systemd services, rather than in udev directly. (bsc#926756)
Add hyphen to systemctl reload in logrotate.conf to avoid matching ceph.target. (bsc#931451)

Ceph 0.8.11 also brings a significant number of bug fixes and enhancements. For a comprehensive list please refer to the package's change log.

References

Affected packages

SUSE:Enterprise Storage 1.0 / ceph

Package

Name: ceph
Purl: pkg:rpm/suse/ceph&distro=SUSE%20Enterprise%20Storage%201.0

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.80.11-8.1

Ecosystem specific

{
    "binaries": [
        {
            "python-ceph": "0.80.11-8.1",
            "ceph-radosgw": "0.80.11-8.1",
            "librbd1": "0.80.11-8.1",
            "rbd-fuse": "0.80.11-8.1",
            "ceph-fuse": "0.80.11-8.1",
            "librados2": "0.80.11-8.1",
            "ceph": "0.80.11-8.1",
            "ceph-test": "0.80.11-8.1",
            "ceph-common": "0.80.11-8.1",
            "libcephfs1": "0.80.11-8.1"
        }
    ]
}

Database specific

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2016:0806-1.json"