RedHat: RHSA-2019-1968:01 Important: qemu-kvm-rhev security and bug fix

    Date 30 Jul 2019
    Posted By LinuxSecurity Advisories
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Important: qemu-kvm-rhev security and bug fix update
    Advisory ID:       RHSA-2019:1968-01
    Product:           Red Hat Virtualization
    Advisory URL:      https://access.redhat.com/errata/RHSA-2019:1968
    Issue date:        2019-07-30
    CVE Names:         CVE-2018-20815 CVE-2019-6778 
    =====================================================================
    
    1. Summary:
    
    An update for qemu-kvm-rhev is now available for Red Hat Virtualization for
    Red Hat Virtualization Host 7.
    
    Red Hat Product Security has rated this update as having an Important
    security impact. A Common Vulnerability Scoring System (CVSS) base score,
    which gives a detailed severity rating, is available for each vulnerability
    from the CVE link(s) in the References section.
    
    2. Relevant releases/architectures:
    
    RHV-M 4.2 - x86_64
    RHV-M 4.3 - x86_64
    Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - ppc64le, x86_64
    
    3. Description:
    
    KVM (Kernel-based Virtual Machine) is a full virtualization solution for
    Linux on a variety of architectures. The qemu-kvm-rhev packages provide the
    user-space component for running virtual machines that use KVM in
    environments managed by Red Hat products.
    
    Security Fix(es):
    
    * CVE-2018-20815 QEMU: device_tree: heap buffer overflow while loading
    device tree blob
    
    * CVE-2019-6778 QEMU: slirp: heap buffer overflow in tcp_emu()
    
    This update fixes the following bug:
    
    * 1705364  RHV VM pauses when 'dd' issued inside guest to a direct lun
    configured as virtio-scsi with scsi-passthrough
    
    Users of qemu-kvm-rhev are advised to upgrade to these updated packages.
    After installing this update, shut down all running virtual machines. Once
    all virtual machines have shut down, start them again for this update to
    take effect: each running guest is a QEMU process that keeps the old binary
    mapped until it is stopped, so installing the RPM alone does not fix guests
    that are already running.
    
    4. Solution:
    
    Before applying this update, make sure all previously released errata
    relevant to your system have been applied.
    
    For details on how to apply this update, refer to:
    
    https://access.redhat.com/articles/2974891
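    The two checks an operator usually wants after applying this errata are (a) which hosts in a fleet are still on a build older than the one in section 6, and (b) which guests on a patched host are still running the pre-update QEMU binary and therefore need the shutdown/start the advisory calls for. The script below is an added example written for this page; it is not Red Hat's or QEMU's code. The host names, the `rpm -q qemu-kvm-rhev` output lines and the fake `/proc` tree are constructed here so it runs offline; the version comparison is a simplified `rpmvercmp` (numeric and alphabetic segments only, no `~`/`^` handling), which is enough for the NVRs in this advisory.

```python
"""Audit qemu-kvm-rhev builds and running QEMU processes against RHSA-2019:1968.

Added example for this advisory, not Red Hat's code. Inventory lines and the
fake /proc tree below are constructed sample data.
"""
import os
import re
import tempfile

# Fixed build taken from the advisory's package list (section 6).
FIXED_NVR = "qemu-kvm-rhev-2.12.0-18.el7_6.7"

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")
_ARCH = re.compile(r"\.(x86_64|ppc64le|noarch|src)$")


def rpmvercmp(a, b):
    """Simplified rpmvercmp(): split into numeric/alphabetic runs, compare
    numbers numerically (so '10' > '7'), a numeric run beats an alphabetic
    one, and a longer string wins a tie. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(nvr):
    """'qemu-kvm-rhev-2.12.0-18.el7_6.7[.x86_64]' -> (name, version, release)."""
    name, version, release = _ARCH.sub("", nvr).rsplit("-", 2)
    return name, version, release


def is_fixed(installed_nvr, fixed_nvr=FIXED_NVR):
    """True if the installed version-release is >= the advisory's fixed build."""
    n1, v1, r1 = split_nvr(installed_nvr)
    n2, v2, r2 = split_nvr(fixed_nvr)
    if n1 != n2:
        raise ValueError("package name mismatch: %s vs %s" % (n1, n2))
    c = rpmvercmp(v1, v2) or rpmvercmp(r1, r2)
    return c >= 0


# Constructed inventory: "<host> <output of rpm -q qemu-kvm-rhev>" per line.
SAMPLE_INVENTORY = """\
rhvh-01 qemu-kvm-rhev-2.12.0-18.el7_6.7.x86_64
rhvh-02 qemu-kvm-rhev-2.12.0-18.el7_6.5.x86_64
rhvh-03 qemu-kvm-rhev-2.12.0-18.el7_6.7.ppc64le
rhvh-04 qemu-kvm-rhev-2.12.0-18.el7_6.10.x86_64
rhvh-05 qemu-kvm-rhev-2.10.0-21.el7_5.4.x86_64
"""


def vulnerable_hosts(inventory_text):
    """Hosts whose installed build predates FIXED_NVR."""
    return [host for host, nvr in (l.split() for l in inventory_text.splitlines())
            if not is_fixed(nvr)]


def stale_qemu_processes(proc_root="/proc"):
    """PIDs of qemu processes still executing the pre-update binary.

    Once the RPM replaces /usr/libexec/qemu-kvm, /proc/PID/exe of a guest
    started before the update reads '<path> (deleted)'. Those guests have not
    picked up the fix and need the shutdown/start the advisory asks for."""
    stale = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "comm")) as f:
                comm = f.read().strip()
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:  # process exited, or not ours to inspect
            continue
        if comm.startswith("qemu") and exe.endswith(" (deleted)"):
            stale.append(int(pid))
    return sorted(stale)


def build_fake_proc(root):
    """Constructed /proc look-alike: PID 4242 predates the update, 4343 does not."""
    for pid, comm, exe in (("1", "systemd", "/usr/lib/systemd/systemd"),
                           ("4242", "qemu-kvm", "/usr/libexec/qemu-kvm (deleted)"),
                           ("4343", "qemu-kvm", "/usr/libexec/qemu-kvm")):
        d = os.path.join(root, pid)
        os.makedirs(d)
        with open(os.path.join(d, "comm"), "w") as f:
            f.write(comm + "\n")
        os.symlink(exe, os.path.join(d, "exe"))
    return root


def demo_stale_check():
    """Run the stale-process check against the constructed /proc tree."""
    with tempfile.TemporaryDirectory() as tmp:
        return stale_qemu_processes(build_fake_proc(tmp))


if __name__ == "__main__":
    print("hosts still on a vulnerable build:", vulnerable_hosts(SAMPLE_INVENTORY))
    print("qemu PIDs running the old binary:", demo_stale_check())
```

    Note that rhvh-04 is reported as fixed even though a plain string comparison would rank `el7_6.10` below `el7_6.7`; comparing release segments numerically is what makes the audit trustworthy. On a real host run `stale_qemu_processes()` as root (reading `/proc/PID/exe` of other users' processes needs it) after the RPM is installed; any PID it returns is a guest that must be stopped and started again, not merely migrated, for the fix to apply.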
    
    5. Bugs fixed (https://bugzilla.redhat.com/):
    
    1664205 - CVE-2019-6778 QEMU: slirp: heap buffer overflow in tcp_emu()
    1693101 - CVE-2018-20815 QEMU: device_tree: heap buffer overflow while loading device tree blob
    
    6. Package List:
    
    Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts:
    
    Source:
    qemu-kvm-rhev-2.12.0-18.el7_6.7.src.rpm
    
    ppc64le:
    qemu-img-rhev-2.12.0-18.el7_6.7.ppc64le.rpm
    qemu-kvm-common-rhev-2.12.0-18.el7_6.7.ppc64le.rpm
    qemu-kvm-rhev-2.12.0-18.el7_6.7.ppc64le.rpm
    qemu-kvm-rhev-debuginfo-2.12.0-18.el7_6.7.ppc64le.rpm
    qemu-kvm-tools-rhev-2.12.0-18.el7_6.7.ppc64le.rpm
    
    x86_64:
    qemu-img-rhev-2.12.0-18.el7_6.7.x86_64.rpm
    qemu-kvm-common-rhev-2.12.0-18.el7_6.7.x86_64.rpm
    qemu-kvm-rhev-2.12.0-18.el7_6.7.x86_64.rpm
    qemu-kvm-rhev-debuginfo-2.12.0-18.el7_6.7.x86_64.rpm
    qemu-kvm-tools-rhev-2.12.0-18.el7_6.7.x86_64.rpm
    
    RHV-M 4.2:
    
    Source:
    qemu-kvm-rhev-2.12.0-18.el7_6.7.src.rpm
    
    x86_64:
    qemu-img-rhev-2.12.0-18.el7_6.7.x86_64.rpm
    qemu-kvm-common-rhev-2.12.0-18.el7_6.7.x86_64.rpm
    qemu-kvm-rhev-2.12.0-18.el7_6.7.x86_64.rpm
    qemu-kvm-rhev-debuginfo-2.12.0-18.el7_6.7.x86_64.rpm
    qemu-kvm-tools-rhev-2.12.0-18.el7_6.7.x86_64.rpm
    
    RHV-M 4.3:
    
    Source:
    qemu-kvm-rhev-2.12.0-18.el7_6.7.src.rpm
    
    x86_64:
    qemu-img-rhev-2.12.0-18.el7_6.7.x86_64.rpm
    qemu-kvm-common-rhev-2.12.0-18.el7_6.7.x86_64.rpm
    qemu-kvm-rhev-2.12.0-18.el7_6.7.x86_64.rpm
    qemu-kvm-rhev-debuginfo-2.12.0-18.el7_6.7.x86_64.rpm
    qemu-kvm-tools-rhev-2.12.0-18.el7_6.7.x86_64.rpm
    
    These packages are GPG signed by Red Hat for security.  Our key and
    details on how to verify the signature are available from
    https://access.redhat.com/security/team/key/
    
    7. References:
    
    https://access.redhat.com/security/cve/CVE-2018-20815
    https://access.redhat.com/security/cve/CVE-2019-6778
    https://access.redhat.com/security/updates/classification/#important
    
    8. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2019 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1
    
    iQIVAwUBXUAeh9zjgjWX9erEAQhyAA//UY3bryIQFqe5E8XXywx87FsYfxWve9Fy
    c5nlOsuhO2WvOlA7z1G+jnJ0myOoThU9i08lY0U1XQO79RlKRFkq3x+34WBFCScv
    wax98TSqPK4fIv4V52tIz26b9vUHZwFgZfzzOSRLxw4eCNv7/c7ij7BzZxecQT03
    /fzDRSHeqH1khP2j4A6dHtFBxGbQAmG4/3EbEtT7jDlFDdpQu/Yb58tLoFaLMK8s
    FS4yOTQBomR0XdgA0mCX/cnGr+ReuViCTgdoPg5V4HriVb8ibjCoXCWUuGLLCszC
    huX0+Hw2E89f3ugauWB3ik4CMnzU7Pi1qwCgS4juuVOmR23qrM4xHLcbXf65Gs7R
    cQUIihsHl8aN3Dkvl//ECCnfSyOPeZHsMQOu3HdUXxYbk+GXE+hpmNsNZsFvZ/04
    gWBl2Tgey6einCGkfKLLu3nS5DiuxcGNHvjSHwbAvXklws2TwQiZO8RsqTXIaZVl
    ikJYpqKGbfAwCEsnJB/TZ2GaL+CgjpeBnce048+L/MPYfdmffU853o9K6HaqqSDW
    7nKaHXWFDW8Uho5EZxHgWBuETY/7Tu4GBg49kKx/Y3ylqMXVsk1N2p6Ua6g79ND5
    y3HRFnR5T/9YSDJM+oFDp2WuCswuoJ2dzIzyxhHUOAbhQDnTGUSzeAqrPVP9T/dF
    T1n9bPHN+30=
    =PoAk
    -----END PGP SIGNATURE-----
    
    --
    RHSA-announce mailing list
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    
