Login
Newsletter
Werbung

Sicherheit: Mangelnde Rechteprüfung in grafana
Aktuelle Meldungen Distributionen
Name: Mangelnde Rechteprüfung in grafana
ID: RHSA-2019:0911-01
Distribution: Red Hat
Plattformen: Red Hat Ceph Storage
Datum: Di, 30. April 2019, 18:47
Referenzen: https://access.redhat.com/security/cve/CVE-2018-19039
Applikationen: grafana

Originalnachricht

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Ceph Storage 3.2 security, bug fix, and
enhancement update
Advisory ID: RHSA-2019:0911-01
Product: Red Hat Ceph Storage
Advisory URL: https://access.redhat.com/errata/RHSA-2019:0911
Issue date: 2019-04-30
CVE Names: CVE-2018-19039
=====================================================================

1. Summary:

An update is now available for Red Hat Ceph Storage 3.2.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Ceph Storage 3.2 MON - ppc64le, x86_64
Red Hat Ceph Storage 3.2 OSD - ppc64le, x86_64
Red Hat Ceph Storage 3.2 Tools - noarch, ppc64le, x86_64

3. Description:

Red Hat Ceph Storage is a scalable, open, software-defined storage platform
that combines the most stable version of the Ceph storage system with a
Ceph management platform, deployment utilities, and support services.

Security Fix(es):

* grafana: File exfiltration (CVE-2018-19039)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es) and Enhancement(s)

For detailed information on changes in this release, see the Red Hat Ceph
Storage 3.2 Release Notes available at:

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3.2/html
/release_notes/index

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1506782 - osd_scrub_auto_repair not working as expected
1540881 - [CEE/SD] monitor_interface with "-" in the name fails with
"msg": "'dict object' has no attribute u'ansible_bond-monitor-interface'"
1593110 - Ceph mgr daemon crashing after starting balancer module in automatic
mode
1600138 - [Bluestore]: one of the osds flapped multiple times with 1525: FAILED
assert(0 == "bluefs enospc")
1636251 - ceph-keys fails if RHEL is configured in FIPS mode
1638092 - Default crush rule is not enforced
1639833 - [RFE] Enabling CRUSH device classes should not incur data movement in
the cluster
1648168 - ceph-validate : devices are not validated in non-collocated and
lvm_batch scenario
1649697 - CVE-2018-19039 grafana: File exfiltration
1653307 - [ceph-ansible] - lvms not removed while purging cluster
1656935 - ceph-ansible: purge-cluster.yml fails when initiated second time
1660962 - rgw does not support delimiter as a string it only supports a single
character [consulting]
1664869 - [RFE] Support configuring multiple RGW endpoints in ceph-ansible for
RGW multisite
1666407 - MDS may hang at startup if PurgeQueue metadata objects are damaged
1666408 - ceph-fuse may miss reconnect during MDS switch
1666409 - MDS should allow configuration of heartbeat timeout
1668050 - [RFE] RGW OPA authorization tech preview
1668362 - Verify PG recovery control / 3 line items from BB spreadsheet
1669901 - [RFE] Implement mechanism and command to change/reset bucket objects
owner / RGW bucket chown
1670165 - Bucket lifecycle: bucket is not getting added to lc list
when`'NoncurrentVersionExpiration': {'NoncurrentDays': 2}` is set
1670321 - [GSS] Downloads are corrupted when using RGW with civetweb as
frontend
1670663 - [Ceph-Ansible][ceph-containers] Add new OSD node to the existing ceph
cluster is failing with '--limit osds' option
1672333 - Optimize MDS stale cap revoke behavior
1672878 - [Ceph-Ansible][ceph-containers] Missing permission for MDS in
client.admin
1673687 - Failure creating ceph.conf for mon - No first item, sequence was
empty.
1674549 - [cee/sd][ceph-mgr] luminous: deadlock in standby ceph-mgr daemons
1678470 - BlueStore OSD crashes in _do_read - BlueStore::_do_read
1679263 - radosgw-admin bucket limit check stuck generating high read ops with
> 999 buckets per user [Consulting]
1680171 - containerized radosgw requires higher --cpu-quota as default
1683997 - permissions in /var/lib/ceph/mon aren't set properly
1684146 - Ability to start ceph daemons with numactl
1684283 - Ceph Containers SSL support - Daemons like RGW when using
rgw-multisite causing an issue in communication and sync stuck
1684289 - Testing RGW Multi-site SSL support
1684435 - Bucket lifecycle: Current version of the object does not get deleted
for Tag based filters.
1684642 - [RFE] rgw-multisite: add perf counters to data sync
1685733 - MDS may abort when handling deleted file
1685735 - Monitors will assign standby-replay to degraded ranks
1687038 - os/filestore: ceph_abort() on fsync(2) or fdatasync(2) failure
1687039 - osd/PG.cc: account for missing set irrespective of last_complete
1687041 - mon/OSDMonitor: do not populate void pg_temp into nextmap
1687567 - rgw: use of PK11_ImportSymKey implies non-FIPS-compliant key
management workflow (blocks FIPS)
1687828 - [cee/sd][ceph-ansible] rolling-update.yml does not restart nvme osds
running in containers
1688330 - Request for backport for fixed issue https://tracker.ceph.com/issues/21533
1688378 - ops waiting for resharding to complete may not be able to complete
when resharding does complete
1688541 - command `radosgw-admin bi put` not rightly set the mtime
1688869 - rgw: Lifecyle: handle resharded buckets
1689266 - rgw: unordered bucket listing markers do not handle adorned object
names correctly
1689410 - s3cmd info not working on Ceph 3.2 (cors policies) giving 500
(Internal Server Error)
1690941 - Some multipart uploads with SSE-C are corrupted
1692555 - 'radosgw-admin sync status' does not show timestamps for
master zone
1693445 - rgw-multisite sync stuck recovering shard in already deleted
versioned bucket
1695174 - rgw: fix eval bucket policies and perms permissions for non-existent
objects
1699478 - rgw-multisite: log trimming does not make progress unless zones
'sync_from_all'
1701970 - Inefficient unordered bucket listing
1702311 - [cee/sd][ceph-ansible] shink-osd.yml is failing due to missing
osd_fsid in " ceph --cluster ceph osd find 0" output

6. Package List:

Red Hat Ceph Storage 3.2 MON:

Source:
ceph-12.2.8-128.el7cp.src.rpm

ppc64le:
ceph-base-12.2.8-128.el7cp.ppc64le.rpm
ceph-common-12.2.8-128.el7cp.ppc64le.rpm
ceph-debuginfo-12.2.8-128.el7cp.ppc64le.rpm
ceph-mgr-12.2.8-128.el7cp.ppc64le.rpm
ceph-mon-12.2.8-128.el7cp.ppc64le.rpm
ceph-selinux-12.2.8-128.el7cp.ppc64le.rpm
libcephfs-devel-12.2.8-128.el7cp.ppc64le.rpm
libcephfs2-12.2.8-128.el7cp.ppc64le.rpm
librados-devel-12.2.8-128.el7cp.ppc64le.rpm
librados2-12.2.8-128.el7cp.ppc64le.rpm
libradosstriper1-12.2.8-128.el7cp.ppc64le.rpm
librbd-devel-12.2.8-128.el7cp.ppc64le.rpm
librbd1-12.2.8-128.el7cp.ppc64le.rpm
librgw-devel-12.2.8-128.el7cp.ppc64le.rpm
librgw2-12.2.8-128.el7cp.ppc64le.rpm
python-cephfs-12.2.8-128.el7cp.ppc64le.rpm
python-rados-12.2.8-128.el7cp.ppc64le.rpm
python-rbd-12.2.8-128.el7cp.ppc64le.rpm
python-rgw-12.2.8-128.el7cp.ppc64le.rpm

x86_64:
ceph-base-12.2.8-128.el7cp.x86_64.rpm
ceph-common-12.2.8-128.el7cp.x86_64.rpm
ceph-debuginfo-12.2.8-128.el7cp.x86_64.rpm
ceph-mgr-12.2.8-128.el7cp.x86_64.rpm
ceph-mon-12.2.8-128.el7cp.x86_64.rpm
ceph-selinux-12.2.8-128.el7cp.x86_64.rpm
ceph-test-12.2.8-128.el7cp.x86_64.rpm
libcephfs-devel-12.2.8-128.el7cp.x86_64.rpm
libcephfs2-12.2.8-128.el7cp.x86_64.rpm
librados-devel-12.2.8-128.el7cp.x86_64.rpm
librados2-12.2.8-128.el7cp.x86_64.rpm
libradosstriper1-12.2.8-128.el7cp.x86_64.rpm
librbd-devel-12.2.8-128.el7cp.x86_64.rpm
librbd1-12.2.8-128.el7cp.x86_64.rpm
librgw-devel-12.2.8-128.el7cp.x86_64.rpm
librgw2-12.2.8-128.el7cp.x86_64.rpm
python-cephfs-12.2.8-128.el7cp.x86_64.rpm
python-rados-12.2.8-128.el7cp.x86_64.rpm
python-rbd-12.2.8-128.el7cp.x86_64.rpm
python-rgw-12.2.8-128.el7cp.x86_64.rpm

Red Hat Ceph Storage 3.2 OSD:

Source:
ceph-12.2.8-128.el7cp.src.rpm

ppc64le:
ceph-base-12.2.8-128.el7cp.ppc64le.rpm
ceph-common-12.2.8-128.el7cp.ppc64le.rpm
ceph-debuginfo-12.2.8-128.el7cp.ppc64le.rpm
ceph-osd-12.2.8-128.el7cp.ppc64le.rpm
ceph-selinux-12.2.8-128.el7cp.ppc64le.rpm
libcephfs-devel-12.2.8-128.el7cp.ppc64le.rpm
libcephfs2-12.2.8-128.el7cp.ppc64le.rpm
librados-devel-12.2.8-128.el7cp.ppc64le.rpm
librados2-12.2.8-128.el7cp.ppc64le.rpm
libradosstriper1-12.2.8-128.el7cp.ppc64le.rpm
librbd-devel-12.2.8-128.el7cp.ppc64le.rpm
librbd1-12.2.8-128.el7cp.ppc64le.rpm
librgw-devel-12.2.8-128.el7cp.ppc64le.rpm
librgw2-12.2.8-128.el7cp.ppc64le.rpm
python-cephfs-12.2.8-128.el7cp.ppc64le.rpm
python-rados-12.2.8-128.el7cp.ppc64le.rpm
python-rbd-12.2.8-128.el7cp.ppc64le.rpm
python-rgw-12.2.8-128.el7cp.ppc64le.rpm

x86_64:
ceph-base-12.2.8-128.el7cp.x86_64.rpm
ceph-common-12.2.8-128.el7cp.x86_64.rpm
ceph-debuginfo-12.2.8-128.el7cp.x86_64.rpm
ceph-osd-12.2.8-128.el7cp.x86_64.rpm
ceph-selinux-12.2.8-128.el7cp.x86_64.rpm
ceph-test-12.2.8-128.el7cp.x86_64.rpm
libcephfs-devel-12.2.8-128.el7cp.x86_64.rpm
libcephfs2-12.2.8-128.el7cp.x86_64.rpm
librados-devel-12.2.8-128.el7cp.x86_64.rpm
librados2-12.2.8-128.el7cp.x86_64.rpm
libradosstriper1-12.2.8-128.el7cp.x86_64.rpm
librbd-devel-12.2.8-128.el7cp.x86_64.rpm
librbd1-12.2.8-128.el7cp.x86_64.rpm
librgw-devel-12.2.8-128.el7cp.x86_64.rpm
librgw2-12.2.8-128.el7cp.x86_64.rpm
python-cephfs-12.2.8-128.el7cp.x86_64.rpm
python-rados-12.2.8-128.el7cp.x86_64.rpm
python-rbd-12.2.8-128.el7cp.x86_64.rpm
python-rgw-12.2.8-128.el7cp.x86_64.rpm

Red Hat Ceph Storage 3.2 Tools:

Source:
ceph-12.2.8-128.el7cp.src.rpm
ceph-ansible-3.2.15-1.el7cp.src.rpm
grafana-5.2.4-2.el7cp.src.rpm

noarch:
ceph-ansible-3.2.15-1.el7cp.noarch.rpm

ppc64le:
ceph-base-12.2.8-128.el7cp.ppc64le.rpm
ceph-common-12.2.8-128.el7cp.ppc64le.rpm
ceph-debuginfo-12.2.8-128.el7cp.ppc64le.rpm
ceph-fuse-12.2.8-128.el7cp.ppc64le.rpm
ceph-mds-12.2.8-128.el7cp.ppc64le.rpm
ceph-radosgw-12.2.8-128.el7cp.ppc64le.rpm
ceph-selinux-12.2.8-128.el7cp.ppc64le.rpm
libcephfs-devel-12.2.8-128.el7cp.ppc64le.rpm
libcephfs2-12.2.8-128.el7cp.ppc64le.rpm
librados-devel-12.2.8-128.el7cp.ppc64le.rpm
librados2-12.2.8-128.el7cp.ppc64le.rpm
libradosstriper1-12.2.8-128.el7cp.ppc64le.rpm
librbd-devel-12.2.8-128.el7cp.ppc64le.rpm
librbd1-12.2.8-128.el7cp.ppc64le.rpm
librgw-devel-12.2.8-128.el7cp.ppc64le.rpm
librgw2-12.2.8-128.el7cp.ppc64le.rpm
python-cephfs-12.2.8-128.el7cp.ppc64le.rpm
python-rados-12.2.8-128.el7cp.ppc64le.rpm
python-rbd-12.2.8-128.el7cp.ppc64le.rpm
python-rgw-12.2.8-128.el7cp.ppc64le.rpm
rbd-mirror-12.2.8-128.el7cp.ppc64le.rpm

x86_64:
ceph-base-12.2.8-128.el7cp.x86_64.rpm
ceph-common-12.2.8-128.el7cp.x86_64.rpm
ceph-debuginfo-12.2.8-128.el7cp.x86_64.rpm
ceph-fuse-12.2.8-128.el7cp.x86_64.rpm
ceph-mds-12.2.8-128.el7cp.x86_64.rpm
ceph-radosgw-12.2.8-128.el7cp.x86_64.rpm
ceph-selinux-12.2.8-128.el7cp.x86_64.rpm
grafana-5.2.4-2.el7cp.x86_64.rpm
libcephfs-devel-12.2.8-128.el7cp.x86_64.rpm
libcephfs2-12.2.8-128.el7cp.x86_64.rpm
librados-devel-12.2.8-128.el7cp.x86_64.rpm
librados2-12.2.8-128.el7cp.x86_64.rpm
libradosstriper1-12.2.8-128.el7cp.x86_64.rpm
librbd-devel-12.2.8-128.el7cp.x86_64.rpm
librbd1-12.2.8-128.el7cp.x86_64.rpm
librgw-devel-12.2.8-128.el7cp.x86_64.rpm
librgw2-12.2.8-128.el7cp.x86_64.rpm
python-cephfs-12.2.8-128.el7cp.x86_64.rpm
python-rados-12.2.8-128.el7cp.x86_64.rpm
python-rbd-12.2.8-128.el7cp.x86_64.rpm
python-rgw-12.2.8-128.el7cp.x86_64.rpm
rbd-mirror-12.2.8-128.el7cp.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-19039
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3.2/html/release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXMhwvNzjgjWX9erEAQiwhQ//SVOoOCYRrruTi62M+bR1loq2c0MEV7Ob
8gtRWVr1ojuoX1zkeOfCXUoiHIbxUgCjBCxs9QGSuhaI+IwaXVrXjkg9jfzJGmcP
s8T0ueoaDPYymPUHmPQ9OQ33TW6DwH+VKVj6TD1WuIHXByafGyaS2BRnQS87xmz8
BDozP11kM0U5CLokss+nZaIJ+xmWBoKypcHxbWrj9uS5uQIKY/wk6mjLb+w29sS4
UVD8gHyS9++gcFvyOpZ89Y2xaVbmp9paya9Yd2WWKILKT8p0qNuN+pi6YEQ7231m
s4jFgFF6d4BvBcH9KTuWCthVHgq6moCbm4+Rfakc8RBm82bcaDHcC4Uukj4K9JCH
J9mwiMINFKF5BLUQlmTyrFPF7o6boHGqisUTbP9B7J6o1MBixNsDMNoTgZMPhQLL
kWOMJbu67axB9IpEsO4emNj29+fQtvL68HVEQUmwOnBpnRR1WYa8mkApPmgLdbI2
ndptApCCdpKwO5FwOCgP0bQ8yG1tlS3/LN0O0Qr07esayGykIZPwI1m7z0R4JYyB
vVOmn5/vnNSl2gQjJtwXEEqdWph/+iNFjUd9EzifeTJonvAdfCYr9YzkTl0L2TM7
sF3b51bXX2dbQww1dbsQYGrMJ6w+ZN91QeaquHi/TqgU9GbHFkMRscb0mKvOUkrh
8I3/VlPfwK0=
=UJED
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung