Linux Security

    RedHat: RHSA-2020-4201:01 Low: OpenShift Virtualization 2.4.2 Images

    Date 06 Oct 2020
    Posted By LinuxSecurity Advisories
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Low: OpenShift Virtualization 2.4.2 Images
    Advisory ID:       RHSA-2020:4201-01
    Product:           Container-native Virtualization
    Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4201
    Issue date:        2020-10-06
    CVE Names:         CVE-2019-11756 CVE-2019-17006 CVE-2019-17023 
                       CVE-2020-12402 CVE-2020-12825 CVE-2020-14352 
                       CVE-2020-14365 CVE-2020-15586 CVE-2020-16845 
    =====================================================================
    
    1. Summary:
    
    Red Hat OpenShift Virtualization release 2.4.2 is now available with
    updates to packages and images that fix several bugs and add enhancements.
    
    Red Hat Product Security has rated this update as having a security impact
    of Low. A Common Vulnerability Scoring System (CVSS) base score, which
    gives a detailed severity rating, is available for each vulnerability from
    the CVE link(s) in the References section.
    
    2. Description:
    
    OpenShift Virtualization is Red Hat's virtualization solution designed for
    Red Hat OpenShift Container Platform.
    
    Security Fix(es):
    
    * golang: data race in certain net/http servers including ReverseProxy can
    lead to DoS (CVE-2020-15586)
    
    * golang: ReadUvarint and ReadVarint can read an unlimited number of bytes
    from invalid inputs (CVE-2020-16845)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
    
    Bug Fix(es):
    
    * Container-native Virtualization 2.4.2 Images (BZ#1877407)
    
    This advisory contains the following OpenShift Virtualization 2.4.2 images:
    
    RHEL-7-CNV-2.4
    ==============
    kubevirt-ssp-operator-container-v2.4.2-2
    
    RHEL-8-CNV-2.4
    ==============
    virt-cdi-controller-container-v2.4.2-1
    virt-cdi-apiserver-container-v2.4.2-1
    hostpath-provisioner-operator-container-v2.4.2-1
    virt-cdi-uploadproxy-container-v2.4.2-1
    virt-cdi-cloner-container-v2.4.2-1
    virt-cdi-importer-container-v2.4.2-1
    kubevirt-template-validator-container-v2.4.2-1
    hostpath-provisioner-container-v2.4.2-1
    virt-cdi-uploadserver-container-v2.4.2-1
    virt-cdi-operator-container-v2.4.2-1
    virt-controller-container-v2.4.2-1
    kubevirt-cpu-model-nfd-plugin-container-v2.4.2-1
    virt-api-container-v2.4.2-1
    ovs-cni-marker-container-v2.4.2-1
    kubevirt-cpu-node-labeller-container-v2.4.2-1
    bridge-marker-container-v2.4.2-1
    kubevirt-metrics-collector-container-v2.4.2-1
    kubemacpool-container-v2.4.2-1
    cluster-network-addons-operator-container-v2.4.2-1
    ovs-cni-plugin-container-v2.4.2-1
    kubernetes-nmstate-handler-container-v2.4.2-1
    cnv-containernetworking-plugins-container-v2.4.2-1
    virtio-win-container-v2.4.2-1
    virt-handler-container-v2.4.2-1
    virt-launcher-container-v2.4.2-1
    cnv-must-gather-container-v2.4.2-1
    virt-operator-container-v2.4.2-1
    vm-import-controller-container-v2.4.2-1
    hyperconverged-cluster-operator-container-v2.4.2-1
    vm-import-operator-container-v2.4.2-1
    kubevirt-vmware-container-v2.4.2-1
    kubevirt-v2v-conversion-container-v2.4.2-1
    kubevirt-kvm-info-nfd-plugin-container-v2.4.2-1
    node-maintenance-operator-container-v2.4.2-1
    hco-bundle-registry-container-v2.4.2-15
    
    3. Solution:
    
    For details on how to apply this update, which includes the changes
    described in this advisory, refer to:
    
    https://access.redhat.com/articles/11258
    
    4. Bugs fixed (https://bugzilla.redhat.com/):
    
    1856953 - CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS
    1867099 - CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
    1869194 - HCO CR display name should contain "OpenShift Virtualization" instead of CNV
    1869734 - OpenShift Virtualization does not appear in OperatorHub when filtering to "Disconnected"
    1875383 - terminationGracePeriodSeconds should be updated in VMs created from common templates
    1877407 - Container-native Virtualization 2.4.2 Images
    
    5. References:
    
    https://access.redhat.com/security/cve/CVE-2019-11756
    https://access.redhat.com/security/cve/CVE-2019-17006
    https://access.redhat.com/security/cve/CVE-2019-17023
    https://access.redhat.com/security/cve/CVE-2020-12402
    https://access.redhat.com/security/cve/CVE-2020-12825
    https://access.redhat.com/security/cve/CVE-2020-14352
    https://access.redhat.com/security/cve/CVE-2020-14365
    https://access.redhat.com/security/cve/CVE-2020-15586
    https://access.redhat.com/security/cve/CVE-2020-16845
    https://access.redhat.com/security/updates/classification/#low
    
    6. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2020 Red Hat, Inc.
    
    --
    RHSA-announce mailing list
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    
