RedHat: RHSA-2020-1308:01 Low: Red Hat Virtualization Engine security,

    Date 02 Apr 2020
    367
    Posted By LinuxSecurity Advisories
    An update is now available for Red Hat Virtualization Engine 4.3. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Low: Red Hat Virtualization Engine security, bug fix 4.3.9
    Advisory ID:       RHSA-2020:1308-01
    Product:           Red Hat Virtualization
    Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1308
    Issue date:        2020-04-02
    Cross references:  CVE-2019-17195 CVE-2019-10086
    CVE Names:         CVE-2019-10086 CVE-2019-17195 
    =====================================================================
    
    1. Summary:
    
    An update is now available for Red Hat Virtualization Engine 4.3.
    
    Red Hat Product Security has rated this update as having a security impact
    of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
    gives a detailed severity rating, is available for each vulnerability from
    the CVE link(s) in the References section.
    
    2. Relevant releases/architectures:
    
    RHV-M 4.3 - noarch
    Tools for RHV Engine - noarch
    
    3. Description:
    
    The org.ovirt.engine-root is a core component of oVirt.
    
    The following packages have been upgraded to a later upstream version:
    org.ovirt.engine-root (4.3.8.2), ovirt-engine-dwh (4.3.8),
    ovirt-engine-metrics (1.3.6.1), ovirt-fast-forward-upgrade (1.0.0),
    ovirt-imageio-common (1.5.3), ovirt-imageio-proxy (1.5.3), ovirt-web-ui
    (1.6.0), rhv-log-collector-analyzer (0.2.15), v2v-conversion-host (1.16.0).
    (BZ#1767333, BZ#1776722, BZ#1779587, BZ#1779631)
    
    Security Fix(es):
    
    * CVE-2019-17195
    * CVE-2019-10086
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
    
    Bug Fix(es):
    
    * [downstream clone - 4.4.0] Upgrade from 4.3 to 4.4 will fail if there are
    versioned templates in database (BZ#1688781)
    
    * [ovirt-fast-forward-upgrade] Error:
    ovirt-engine-setup-plugin-ovirt-engine conflicts with
    ovirt-engine-4.2.5.2-0.1.el7ev.noarch (BZ#1754979)
    
    * Users immediately logged out from User portal due to negative
    UserSessionTimeOutInterval (BZ#1757423)
    
    * Fluentd error when stopping metrics services through playbook on 4.3
    (BZ#1772506)
    
    * [downstream clone - 4.3.8] From  VM Portal, users cannot create Operating
    System Windows VM. (BZ#1773580)
    
    * MERGE_STATUS fails with 'Invalid UUID string: mapper' when Direct LUN
    that already exists is hot-plugged [RHV clone - 4.3.8] (BZ#1779664)
    
    * Metric Store reports all hosts in Default cluster regardless of cluster
    assignment. (BZ#1780234)
    
    Enhancement(s):
    
    * RFE for offline installation  of RHV Metrics Store (BZ#1711873)
    
    * [RFE] Compare storage with database for discrepancies (BZ#1739106)
    
    * [RFE] RHV+Metrics Store - Support a Flat DNS environment without
    subdomains (BZ#1782412)
    
    4. Solution:
    
    For details on how to apply this update, which includes the changes
    described in this advisory, refer to:
    
    https://access.redhat.com/articles/2974891
    
    5. Bugs fixed (https://bugzilla.redhat.com/):
    
    1752522 - ovirt-fast-forward-upgrade: Upgrade from 4.2 to 4.3 fails with UnicodeEncodeError
    1764791 - CVE-2019-17195 nimbus-jose-jwt: Uncaught exceptions while parsing a JWT
    1767483 - CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
    1789737 - Import of OVA created from template fails with java.lang.NullPointerException [RHV clone - 4.3.9]
    1792874 - Hide partial engine-cleanup option [RHV clone - 4.3.9]
    1797496 - Add RHCOS os to osinfo - for compatability API between 4.3 to 4.4
    1801310 - Module ovirt disk parameter storage domain has default option in documentation
    1808038 - Unable to change Graphical Console of HE VM. [RHV clone - 4.3.9]
    1808607 - RHVM 4.3.8.2 has Security Vulnerability Tenable Plugin ID 133165 in apache-commons-beanutils-1.8.3-14.el7
    1809470 - [HE] ovirt-provider-ovn is non-functional on 4.3.9 Hosted-Engine [RHV clone - 4.3.9]
    1810527 - Upgrade rhvm-dependencies to 4.3.2
    
    6. Package List:
    
    Tools for RHV Engine:
    
    Source:
    apache-commons-beanutils-1.8.3-15.el7_7.src.rpm
    
    noarch:
    apache-commons-beanutils-1.8.3-15.el7_7.noarch.rpm
    apache-commons-beanutils-javadoc-1.8.3-15.el7_7.noarch.rpm
    
    RHV-M 4.3:
    
    Source:
    ovirt-engine-4.3.9.3-0.1.el7.src.rpm
    ovirt-engine-extension-aaa-misc-1.0.4-1.el7ev.src.rpm
    ovirt-fast-forward-upgrade-1.0.0-17.el7ev.src.rpm
    rhvm-dependencies-4.3.2-1.el7ev.src.rpm
    
    noarch:
    ovirt-engine-4.3.9.3-0.1.el7.noarch.rpm
    ovirt-engine-backend-4.3.9.3-0.1.el7.noarch.rpm
    ovirt-engine-dbscripts-4.3.9.3-0.1.el7.noarch.rpm
    ovirt-engine-extension-aaa-misc-1.0.4-1.el7ev.noarch.rpm
    ovirt-engine-extensions-api-impl-4.3.9.3-0.1.el7.noarch.rpm
    ovirt-engine-extensions-api-impl-javadoc-4.3.9.3-0.1.el7.noarch.rpm
    ovirt-engine-health-check-bundler-4.3.9.3-0.1.el7.noarch.rpm
    ovirt-engine-restapi-4.3.9.3-0.1.el7.noarch.rpm
    ovirt-engine-setup-4.3.9.3-0.1.el7.noarch.rpm
    ovirt-engine-setup-base-4.3.9.3-0.1.el7.noarch.rpm
    ovirt-engine-setup-plugin-cinderlib-4.3.9.3-0.1.el7.noarch.rpm
    ovirt-engine-setup-plugin-ovirt-engine-4.3.9.3-0.1.el7.noarch.rpm
    ovirt-engine-setup-plugin-ovirt-engine-common-4.3.9.3-0.1.el7.noarch.rpm
    ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.3.9.3-0.1.el7.noarch.rpm
    ovirt-engine-setup-plugin-websocket-proxy-4.3.9.3-0.1.el7.noarch.rpm
    ovirt-engine-tools-4.3.9.3-0.1.el7.noarch.rpm
    ovirt-engine-tools-backup-4.3.9.3-0.1.el7.noarch.rpm
    ovirt-engine-vmconsole-proxy-helper-4.3.9.3-0.1.el7.noarch.rpm
    ovirt-engine-webadmin-portal-4.3.9.3-0.1.el7.noarch.rpm
    ovirt-engine-websocket-proxy-4.3.9.3-0.1.el7.noarch.rpm
    ovirt-fast-forward-upgrade-1.0.0-17.el7ev.noarch.rpm
    python2-ovirt-engine-lib-4.3.9.3-0.1.el7.noarch.rpm
    rhvm-4.3.9.3-0.1.el7.noarch.rpm
    rhvm-dependencies-4.3.2-1.el7ev.noarch.rpm
    
    These packages are GPG signed by Red Hat for security.  Our key and
    details on how to verify the signature are available from
    https://access.redhat.com/security/team/key/
    
    7. References:
    
    https://access.redhat.com/security/cve/CVE-2019-10086
    https://access.redhat.com/security/cve/CVE-2019-17195
    https://access.redhat.com/security/updates/classification/#low
    
    8. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2020 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1
    
    iQIVAwUBXoYTw9zjgjWX9erEAQjMdQ//RvBsmy6si2mknSOzsxh9Gw0rCqZp+lHA
    FlmyT8V5YSvYqHbI4Z7Ajh9Fmo3OjlSdnfRAgP2X0bf3FP3K4tfDKcO4ee7f6inR
    oE5GWkTJRFNmwjP0zMM/24LH+U6QsBPoVStP1FZZQRTML9V03K+p4geR9roZV/LC
    tVWERfTAyw0iuq7wgxqda+nqGiOVpY344Z9lnNfRS4AsY2+VAxZHDGuONUpYKZ8Q
    E8AdDstLEDdpyei6Abay9Ex+MryvcPAe8x+uqYt4ix62x9gmT8R20+LK1XnNLm7d
    GtOfmCouqBqp3dZLET9YDgBfg/cIFJbiRjldHAeLhIkNDniGxfCVFZHJSgf4ovBU
    ZwfVqea3KtPNqMXgM4IUwd1f/4fz0Raqy/wo9EfDY+gRvI2oKFmljw5myY5IT/ax
    tTfX35rxnotAWhjAAMtbST/ezJ29G2sW28fubFsI+oNgXpeOb+cE00oiTio5crL7
    EVr8QMAUIS4cMFkqWGBzRcuz0OHEQ+17qkrYXlZROsnc42B6gAewWQk7XmJfvs86
    tvc5CjApHor4iOsoCHrAVe3R8+Tj8FZPFn0vO5M3TbpYD/+Ui4dEvRxMLXHx+ZoM
    xK3q0Pp49TW6sPat+0d7rLwJ5+P7iklZz8HzyfZVMDwHQbpkFCoyd6cTn3rLng5W
    e3vTJcTSTSI=
    =bGUs
    -----END PGP SIGNATURE-----
    
    --
    RHSA-announce mailing list
    This email address is being protected from spambots. You need JavaScript enabled to view it.
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    

    LinuxSecurity Poll

    Do you agree with Linus Torvalds' decision to reject the controversial patch mitigating the Snoop attack on Intel CPUs?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/28-do-you-agree-with-linus-torvalds-decision-to-reject-the-controversial-patch-mitigating-the-snoop-attack-on-intel-cpus?task=poll.vote&format=json
    28
    radio
    [{"id":"100","title":"Yes - this was undoubtedly the right decision.","votes":"1","type":"x","order":"1","pct":33.33,"resources":[]},{"id":"101","title":"Not sure...","votes":"2","type":"x","order":"2","pct":66.67,"resources":[]},{"id":"102","title":"No - he made a big mistake here.","votes":"0","type":"x","order":"3","pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
    bottom 200

    Advisories

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.