Red Hat Product Errata RHSA-2015:1092 - Security Advisory

Issued:: 2015-06-11
Updated:: 2015-06-11

RHSA-2015:1092 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: ceph-deploy security update

Type/Severity

Security Advisory: Moderate

Topic

An updated ceph-deploy package that fixes two security issues is now
available for Red Hat Ceph Storage.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Description

Red Hat Ceph Storage is a massively scalable, open, software-defined
storage platform that combines the most stable version of Ceph with a Ceph
management platform, deployment tools, and support services.

It was discovered that ceph-deploy, a utility for deploying Red Hat Ceph
Storage, would create the keyring file with world readable permissions,
which could possibly allow a local user to obtain authentication
credentials from the keyring file. (CVE-2015-3010, CVE-2015-4053)

All ceph-deploy users are advised to upgrade to this updated package, which
contains backported patches to correct these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Ceph Storage 1.2 for RHEL 7 x86_64
Red Hat Ceph Storage 1.2 for RHEL 6 x86_64

Fixes

BZ - 1210705 - CVE-2015-3010 ceph-deploy: keyring permissions are world readable in ~ceph
BZ - 1224129 - CVE-2015-4053 ceph-deploy admin command copies keyring file to /etc/ceph which is world readable

CVEs

References

http://www.redhat.com/security/updates/classification/#normal

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Ceph Storage 1.2 for RHEL 7

SRPM
ceph-deploy-1.5.22-0.4.rc1.el7cp.src.rpm	SHA-256: fce928d1c11218b364414a441283ae163805f21da6948dcac74c91a9ccb4afec
x86_64
ceph-deploy-1.5.22-0.4.rc1.el7cp.noarch.rpm	SHA-256: 1844704cbfeaf4656fcad5f2282c4b9b094a51088c9ce0d1f5bc06af21919585

Red Hat Ceph Storage 1.2 for RHEL 6

SRPM
ceph-deploy-1.5.22-0.4.rc1.el6cp.src.rpm	SHA-256: f5f14cfa69a717f3f683e29ba86cb3ddc67a49ffe7754ad1684237223518c4b9
x86_64
ceph-deploy-1.5.22-0.4.rc1.el6cp.noarch.rpm	SHA-256: 5bd7b531bc18e6e4a143d075c33e3c9a08a62403ba25ca16dfcc838a9d87b679

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories