-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: redhat-virtualization-host security update
Advisory ID:       RHSA-2019:0457-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:0457
Issue date:        2019-03-05
CVE Names:         CVE-2019-3813 CVE-2019-3831 CVE-2019-6454 
====================================================================
1. Summary:

An update for redhat-virtualization-host is now available for Red Hat
Virtualization 4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL 7-based RHEV-H for RHEV 4 (build requirements) - noarch, x86_64
Red Hat Virtualization 4 Hypervisor for RHEL 7 - noarch

3. Description:

The redhat-virtualization-host packages provide the Red Hat Virtualization
Host. These packages include redhat-release-virtualization-host,
ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are
installed using a special build of Red Hat Enterprise Linux with only the
packages required to host virtual machines. RHVH features a Cockpit user
interface for monitoring the host's resources and performing administrative
tasks.

The following packages have been upgraded to a later upstream version:
redhat-release-virtualization-host (4.2), redhat-virtualization-host (4.2).
(BZ#1678629, BZ#1679414)

Security Fix(es):

* spice: Off-by-one error in array access in spice/server/memslot.c
(CVE-2019-3813)

* systemd: Insufficient input validation in bus_process_object() resulting
in PID 1 crash (CVE-2019-6454)

* vdsm: privilege escalation to root via systemd_run (CVE-2019-3831)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1665371 - CVE-2019-3813 spice: Off-by-one error in array access in spice/server/memslot.c
1667032 - CVE-2019-6454 systemd: Insufficient input validation in bus_process_object() resulting in PID 1 crash
1677108 - CVE-2019-3831 vdsm: privilege escalation to root via systemd_run
1677667 - Tracker for RHV-H 4.2.8 Async #3

6. Package List:

Red Hat Virtualization 4 Hypervisor for RHEL 7:

Source:
redhat-virtualization-host-4.2-20190219.0.el7_6.src.rpm

noarch:
redhat-virtualization-host-image-update-4.2-20190219.0.el7_6.noarch.rpm

RHEL 7-based RHEV-H for RHEV 4 (build requirements):

Source:
redhat-release-virtualization-host-4.2-8.3.el7.src.rpm

noarch:
redhat-virtualization-host-image-update-placeholder-4.2-8.3.el7.noarch.rpm

x86_64:
redhat-release-virtualization-host-4.2-8.3.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-3813
https://access.redhat.com/security/cve/CVE-2019-3831
https://access.redhat.com/security/cve/CVE-2019-6454
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXH5Zf9zjgjWX9erEAQg13RAAlFuj4ZR4eZHL+Tnnp0kDUm9N61dNhnZK
Ct2hwRsqA48xKzTL9GDzl9WOU7CFwfljyhxXNJNrdvOz9PjUewmu5PF8cVaktzbh
ejeqjyCTCUQq4c4BMZvhiiIhu6oVZATau1l7AAGXxu3H5OCPNLA3HhluD60CuImC
tLycP0fqDh5LFMNgYZReEJzqffr7a8Kfo1gi1JGCU929QSuUJyA6mUGzQC8wS4O8
94YDE7TnN2snHdQyS+3ZnuQs06QjzW8nlztKKKTaUCa9W0dJeHwUW0ft7moZKLjY
TTgR9l7JNsXiMYgdpfQn8agC/Q6SqcL4uHFuDZDWyZVszPOxOLWEy9XFBzROTrZE
NmPBnXFLLPBZT3kJZIjzjlV7nPZCpqrskdOAs50oxQg/9Il25IOkmph6/OcaYyfm
X892Dy88kRRPC0Lcx5YxB6ghACeLJE4p7Oky4m6O8X5jfiSYpVIMSZK0ilk/AXjV
dE+rGu0M4NwCwWFC/gUut2F6FLbe8PR+7m/whpQSov7E8Lt1uv/S6PGfVinw1K2d
VOPqt3Y91MM76NZpBaV+yE8z07lOZ1WChGegNHDJghw+rfWbpRbiI5iLPyayq+Ok
7fXTYjDGXet1/LKjUHyCjGzHS2yeI+LzzWqUkA1Wxh3acI+E4o1rGo+XROpk+fbV
nZWjsIyzkqY=+iAa
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2019-0457:01 Important: redhat-virtualization-host security

An update for redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Summary

The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.
The following packages have been upgraded to a later upstream version: redhat-release-virtualization-host (4.2), redhat-virtualization-host (4.2). (BZ#1678629, BZ#1679414)
Security Fix(es):
* spice: Off-by-one error in array access in spice/server/memslot.c (CVE-2019-3813)
* systemd: Insufficient input validation in bus_process_object() resulting in PID 1 crash (CVE-2019-6454)
* vdsm: privilege escalation to root via systemd_run (CVE-2019-3831)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/2974891

References

https://access.redhat.com/security/cve/CVE-2019-3813 https://access.redhat.com/security/cve/CVE-2019-3831 https://access.redhat.com/security/cve/CVE-2019-6454 https://access.redhat.com/security/updates/classification/#important

Package List

Red Hat Virtualization 4 Hypervisor for RHEL 7:
Source: redhat-virtualization-host-4.2-20190219.0.el7_6.src.rpm
noarch: redhat-virtualization-host-image-update-4.2-20190219.0.el7_6.noarch.rpm
RHEL 7-based RHEV-H for RHEV 4 (build requirements):
Source: redhat-release-virtualization-host-4.2-8.3.el7.src.rpm
noarch: redhat-virtualization-host-image-update-placeholder-4.2-8.3.el7.noarch.rpm
x86_64: redhat-release-virtualization-host-4.2-8.3.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2019:0457-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2019:0457
Issued Date: : 2019-03-05
CVE Names: CVE-2019-3813 CVE-2019-3831 CVE-2019-6454

Topic

An update for redhat-virtualization-host is now available for Red HatVirtualization 4 for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

RHEL 7-based RHEV-H for RHEV 4 (build requirements) - noarch, x86_64

Red Hat Virtualization 4 Hypervisor for RHEL 7 - noarch


Bugs Fixed

1665371 - CVE-2019-3813 spice: Off-by-one error in array access in spice/server/memslot.c

1667032 - CVE-2019-6454 systemd: Insufficient input validation in bus_process_object() resulting in PID 1 crash

1677108 - CVE-2019-3831 vdsm: privilege escalation to root via systemd_run

1677667 - Tracker for RHV-H 4.2.8 Async #3


Related News

13.Lock StylizedMotherboard Esm H320
1 - 2 min read
Spiral Linux is a Debian-based distribution that offers a range of desktop environments, making it stand out from other Linux distributions. In
32.Lock Code Circular Esm H320
2 - 3 min read
Two critical security vulnerabilities were found in pgAdmin, the open-source administration tool for PostgreSQL . The vulnerabilities assigned
1.Penguin Landscape Esm H320
2 - 3 min read
The recent release of AlmaLinux 9.4 , closely aligned with Red Hat Enterprise Linux (RHEL) 9.4 , presents Linux admins and infosec professionals
11.Locks IsometricPattern Esm H320
2 - 3 min read
The upcoming release of Linux Mint 22 will introduce significant changes, particularly in handling XApp , GNOME applications, and the Software
2.Motherboard Esm H320
2 - 3 min read
German software engineer Lennart Poettering recently presented run0 , a new tool in systemd v256 that aims to address the security concerns
22.Lock ScreenEffect Esm H320
2 - 3 min read
Red Hat recently released its newest enterprise Linux distro, Red Hat Enterprise Linux (RHEL) 9.4 , which introduces several features designed to
8.Locks HexConnections CodeGlobe Esm H320
1 - 2 min read
The latest release of Debian , one of the oldest and most trusted distributions within the Linux ecosystem, redefines security, stability, and
20.Lock AbstractDigital Circular Esm H320
1 - 2 min read
The Ubuntu security team has recently discovered and addressed multiple vulnerabilities in the Apache HTTP Server. The vulnerabilities affected
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved