Linux Security
    Linux Security
    Linux Security

    RedHat: RHSA-2020-5179:01 Low: Red Hat Virtualization security, bug fix,

    Date 24 Nov 2020
    1944
    Posted By LinuxSecurity Advisories
    An update is now available for Red Hat Virtualization Engine 4.4. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Low: Red Hat Virtualization security, bug fix, and enhancement update
    Advisory ID:       RHSA-2020:5179-01
    Product:           Red Hat Virtualization
    Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5179
    Issue date:        2020-11-24
    CVE Names:         CVE-2019-20920 CVE-2019-20922 CVE-2020-8203 
    =====================================================================
    
    1. Summary:
    
    An update is now available for Red Hat Virtualization Engine 4.4.
    
    Red Hat Product Security has rated this update as having a security impact
    of Low. A Common Vulnerability Scoring System (CVSS) base score, which
    gives a detailed severity rating, is available for each vulnerability from
    the CVE link(s) in the References section.
    
    2. Relevant releases/architectures:
    
    RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch
    
    3. Description:
    
    The org.ovirt.engine-root is a core component of oVirt.
    
    The following packages have been upgraded to a later upstream version:
    engine-db-query (1.6.2), org.ovirt.engine-root (4.4.3.8), ovirt-engine-dwh
    (4.4.3.1), ovirt-engine-extension-aaa-ldap (1.4.2),
    ovirt-engine-extension-logger-log4j (1.1.1), ovirt-engine-metrics
    (1.4.2.1), ovirt-engine-ui-extensions (1.2.4), ovirt-log-collector (4.4.4),
    ovirt-web-ui (1.6.5), rhv-log-collector-analyzer (1.0.5), rhvm-branding-rhv
    (4.4.6). (BZ#1866981, BZ#1879377)
    
    Security Fix(es):
    
    * nodejs-handlebars: lookup helper fails to properly validate templates
    allowing for arbitrary JavaScript execution (CVE-2019-20920)
    
    * nodejs-handlebars: an endless loop while processing specially-crafted
    templates leads to DoS (CVE-2019-20922)
    
    * nodejs-lodash: prototype pollution in zipObjectDeep function
    (CVE-2020-8203)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
    
    Bug Fix(es):
    
    * send --nowait to libvirt when we collect qemu stats, to consume
    bz#1552092 (BZ#1613514)
    
    * Block moving HE hosts into different Data Centers and make HE host moved
    to different cluster NonOperational after activation (BZ#1702016)
    
    * If an in-use MAC is held by a VM on a different cluster, the engine does
    not attempt to get the next free MAC. (BZ#1760170)
    
    * Search backend cannot find VMs which name starts with a search keyword
    (BZ#1797717)
    
    * [Permissions] DataCenterAdmin role defined on DC level does not allow
    Cluster creation (BZ#1808320)
    
    * enable-usb-autoshare is always 0 in console.vv and usb-filter option is
    listed two times (BZ#1811466)
    
    * NumaPinningHelper is not huge pages aware, denies migration to suitable
    host (BZ#1812316)
    
    * Adding quota to group doesn't propagate to users (BZ#1822372)
    
    * Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35
    Template (BZ#1829691)
    
    * Live Migration Bandwidth unit is different from Engine configuration
    (Mbps) and VDSM (MBps) (BZ#1845397)
    
    * RHV-M shows successful operation if OVA export/import failed during
    "qemu-img convert" phase (BZ#1854888)
    
    * Cannot hotplug disk reports libvirtError: Requested operation is not
    valid: Domain already contains a disk with that address (BZ#1855305)
    
    * rhv-log-collector-analyzer --json fails with TypeError (BZ#1859314)
    
    * RHV 4.4 on AMD EPYC 7742 throws an NUMA related error on VM run
    (BZ#1866862)
    
    * Issue with dashboards creation when sending metrics to external
    Elasticsearch (BZ#1870133)
    
    * HostedEngine VM is broken after Cluster changed to UEFI (BZ#1871694)
    
    * [CNV&RHV]Notification about VM creation contain  string
    (BZ#1873136)
    
    * VM stuck in Migrating status after migration completed due to incorrect
    status reported by VDSM after restart (BZ#1877632)
    
    * Use 4.5 as compatibility level for the Default DataCenter and the Default
    Cluster during installation (BZ#1879280)
    
    * unable to create/add index pattern in step 5 from kcs articles#4921101
    (BZ#1881634)
    
    * [CNV&RHV] Remove warning about no active storage domain for Kubevirt VMs
    (BZ#1883844)
    
    * Deprecate and remove ovirt-engine-api-explorer (BZ#1884146)
    
    * [CNV&RHV] Disable creating new disks for Kubevirt VM (BZ#1884634)
    
    * Require ansible-2.9.14 in ovirt-engine (BZ#1888626)
    
    Enhancement(s):
    
    * [RFE] Virtualization support for NVDIMM - RHV (BZ#1361718)
    
    * [RFE] - enable renaming HostedEngine VM name (BZ#1657294)
    
    * [RFE] Enabling Icelake new NIs - RHV (BZ#1745024)
    
    * [RFE] Show vCPUs and allocated memory in virtual machines summary
    (BZ#1752751)
    
    * [RFE] RHV-M Deployment/Install Needs it's own UUID (BZ#1825020)
    
    * [RFE] Destination Host in migrate VM dialog has to be searchable and
    sortable (BZ#1851865)
    
    * [RFE] Expose the "reinstallation required" flag of the hosts in the API
    (BZ#1856671)
    
    4. Solution:
    
    For details on how to apply this update, which includes the changes
    described in this advisory, refer to:
    
    https://access.redhat.com/articles/2974891
    
    5. Bugs fixed (https://bugzilla.redhat.com/):
    
    1613514 - send --nowait to libvirt when we collect qemu stats, to consume bz#1552092
    1657294 - [RFE] - enable renaming HostedEngine VM name
    1691253 - ovirt-engine-extension-aaa-ldap-setup does not escape special characters in password
    1702016 - Block moving HE hosts into different Data Centers and make HE host moved to different cluster NonOperational after activation
    1752751 - [RFE] Show vCPUs and allocated memory in virtual machines summary
    1760170 - If an in-use MAC is held by a VM on a different cluster, the engine does not attempt to get the next free MAC.
    1797717 - Search backend cannot find VMs which name starts with a search keyword
    1808320 - [Permissions] DataCenterAdmin role defined on DC level does not allow Cluster creation
    1811466 - enable-usb-autoshare is always 0 in console.vv and usb-filter option is listed two times
    1812316 - NumaPinningHelper is not huge pages aware, denies migration to suitable host
    1822372 - Adding quota to group doesn't propagate to users
    1825020 - [RFE] RHV-M Deployment/Install Needs it's own UUID
    1828241 - Deleting snapshot do not display a lock for it's disks under "Disk Snapshots" tab.
    1829691 - Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35 Template
    1842344 - Status loop due to host initialization not checking network status, monitoring finding the network issue and auto-recovery.
    1845432 - [CNV&RHV] Communicatoin with CNV cluster spamming engine.log when token is expired
    1851865 - [RFE] Destination Host in migrate VM dialog has to be searchable and sortable
    1854888 - RHV-M shows successful operation if OVA export/import failed during "qemu-img convert" phase
    1855305 - Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a disk with that address
    1856671 - [RFE] Expose the "reinstallation required" flag of the hosts in the API
    1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
    1859314 - rhv-log-collector-analyzer --json fails with TypeError
    1862101 - rhv-image-discrepancies does show size of the images on the storage as size of the image in db and vice versa
    1866981 - obj must be encoded before hashing
    1870133 - Issue with dashboards creation when sending metrics to external Elasticsearch
    1871694 - HostedEngine VM is broken after Cluster changed to UEFI
    1872911 - RHV Administration Portal fails with 404 error even after updating to RHV 4.3.9
    1873136 - [CNV&RHV]Notification about VM creation contain  string
    1876923 - PostgreSQL 12 in RHV 4.4 - engine-setup menu ref URL needs updating
    1877632 - VM stuck in Migrating status after migration completed due to incorrect status reported by VDSM after restart
    1877679 - Synchronize advanced virtualization module with RHEL version during host upgrade
    1879199 - ovirt-engine-extension-aaa-ldap-setup fails on cert import
    1879280 - Use 4.5 as compatibility level for the Default DataCenter and the Default Cluster during installation
    1879377 - [DWH] Rebase bug - for the 4.4.3 release
    1881634 - unable to create/add index pattern in step 5 from kcs articles#4921101
    1882256 - CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS
    1882260 - CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution
    1883844 - [CNV&RHV] Remove warning about no active storage domain for Kubevirt VMs
    1884146 - Deprecate and remove ovirt-engine-api-explorer
    1884634 - [CNV&RHV] Disable creating new disks for Kubevirt VM
    1885976 - rhv-log-collector-analyzer - argument must be str, not bytes
    1887268 - Cannot perform yum update on my RHV manager (ansible conflict)
    1888626 - Require ansible-2.9.14 in ovirt-engine
    1889522 - metrics playbooks are broken due to typo
    
    6. Package List:
    
    RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:
    
    Source:
    engine-db-query-1.6.2-1.el8ev.src.rpm
    ovirt-engine-4.4.3.8-0.1.el8ev.src.rpm
    ovirt-engine-dwh-4.4.3.1-1.el8ev.src.rpm
    ovirt-engine-extension-aaa-ldap-1.4.2-1.el8ev.src.rpm
    ovirt-engine-extension-logger-log4j-1.1.1-1.el8ev.src.rpm
    ovirt-engine-metrics-1.4.2.1-1.el8ev.src.rpm
    ovirt-engine-ui-extensions-1.2.4-1.el8ev.src.rpm
    ovirt-log-collector-4.4.4-1.el8ev.src.rpm
    ovirt-web-ui-1.6.5-1.el8ev.src.rpm
    rhv-log-collector-analyzer-1.0.5-1.el8ev.src.rpm
    rhvm-branding-rhv-4.4.6-1.el8ev.src.rpm
    
    noarch:
    engine-db-query-1.6.2-1.el8ev.noarch.rpm
    ovirt-engine-4.4.3.8-0.1.el8ev.noarch.rpm
    ovirt-engine-backend-4.4.3.8-0.1.el8ev.noarch.rpm
    ovirt-engine-dbscripts-4.4.3.8-0.1.el8ev.noarch.rpm
    ovirt-engine-dwh-4.4.3.1-1.el8ev.noarch.rpm
    ovirt-engine-dwh-grafana-integration-setup-4.4.3.1-1.el8ev.noarch.rpm
    ovirt-engine-dwh-setup-4.4.3.1-1.el8ev.noarch.rpm
    ovirt-engine-extension-aaa-ldap-1.4.2-1.el8ev.noarch.rpm
    ovirt-engine-extension-aaa-ldap-setup-1.4.2-1.el8ev.noarch.rpm
    ovirt-engine-extension-logger-log4j-1.1.1-1.el8ev.noarch.rpm
    ovirt-engine-health-check-bundler-4.4.3.8-0.1.el8ev.noarch.rpm
    ovirt-engine-metrics-1.4.2.1-1.el8ev.noarch.rpm
    ovirt-engine-restapi-4.4.3.8-0.1.el8ev.noarch.rpm
    ovirt-engine-setup-4.4.3.8-0.1.el8ev.noarch.rpm
    ovirt-engine-setup-base-4.4.3.8-0.1.el8ev.noarch.rpm
    ovirt-engine-setup-plugin-cinderlib-4.4.3.8-0.1.el8ev.noarch.rpm
    ovirt-engine-setup-plugin-imageio-4.4.3.8-0.1.el8ev.noarch.rpm
    ovirt-engine-setup-plugin-ovirt-engine-4.4.3.8-0.1.el8ev.noarch.rpm
    ovirt-engine-setup-plugin-ovirt-engine-common-4.4.3.8-0.1.el8ev.noarch.rpm
    ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.3.8-0.1.el8ev.noarch.rpm
    ovirt-engine-setup-plugin-websocket-proxy-4.4.3.8-0.1.el8ev.noarch.rpm
    ovirt-engine-tools-4.4.3.8-0.1.el8ev.noarch.rpm
    ovirt-engine-tools-backup-4.4.3.8-0.1.el8ev.noarch.rpm
    ovirt-engine-ui-extensions-1.2.4-1.el8ev.noarch.rpm
    ovirt-engine-vmconsole-proxy-helper-4.4.3.8-0.1.el8ev.noarch.rpm
    ovirt-engine-webadmin-portal-4.4.3.8-0.1.el8ev.noarch.rpm
    ovirt-engine-websocket-proxy-4.4.3.8-0.1.el8ev.noarch.rpm
    ovirt-log-collector-4.4.4-1.el8ev.noarch.rpm
    ovirt-web-ui-1.6.5-1.el8ev.noarch.rpm
    python3-ovirt-engine-lib-4.4.3.8-0.1.el8ev.noarch.rpm
    rhv-log-collector-analyzer-1.0.5-1.el8ev.noarch.rpm
    rhvm-4.4.3.8-0.1.el8ev.noarch.rpm
    rhvm-branding-rhv-4.4.6-1.el8ev.noarch.rpm
    
    These packages are GPG signed by Red Hat for security.  Our key and
    details on how to verify the signature are available from
    https://access.redhat.com/security/team/key/
    
    7. References:
    
    https://access.redhat.com/security/cve/CVE-2019-20920
    https://access.redhat.com/security/cve/CVE-2019-20922
    https://access.redhat.com/security/cve/CVE-2020-8203
    https://access.redhat.com/security/updates/classification/#low
    
    8. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2020 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1
    
    iQIVAwUBX70HvdzjgjWX9erEAQjCLA//a317mM4YG3b2NthOYrawJOiY8u4jPw5B
    fkOi7cTYkgrN1DeXJdUxfrZztt+QPix3ehqZhxromwCUi4cdh0jvlliMWQbzgGcW
    vIybXzMULIXGd1JbV18SAo+S04b2ggCprbkIZ+HAI3zDIpiZ2/1167kV0x4yFHma
    WYzTz5j9M6ZLBA9h94vnhQPGfcDfaTFuCluAcNdLvm5aDiitriE/wLYEpueHtmKN
    BZVNwfsJ9FI3WEKVf8w/BP134O+Qh7aioXudDWgO3olfUyZ6QAs0BDaerw/kqNP9
    VZdVKTZDkx5y6ccOCpNztsn19S8//LzTXKtwBJpd/oYlfo34+/hm9dq0JOTDcJNd
    xHbYHVMK6/8P0uJ1BtKlq4AX3B3Qw4ffFR0vLfWRLf7zNR2x0DNj5gdS7BWJsNjr
    3qorwKjznM2rcXNfNx8uIDy2S1bIQgMAE8X22IUhDSeRenh2ZRrdgwUPZzvQkDll
    eWTxL/ipWvjFhUBUUsQQGaUSmrKr8Q4pzYSH6jBEhES73yP4Sh8A/uXiwNoLV0PJ
    2S3JPOC/5H159bGgRhZyE0PjS7jnRlO6SCCnuUUhgnlRJd/w9+LVEf8UG0P3B8us
    TV25drHEEprcR48tgfiFKEzNuv7o9PJWUnckM4HXGQLktj1pdoTfBfcB5tLHOIAy
    qoINkVG9ep0=
    =Zkp/
    -----END PGP SIGNATURE-----
    
    --
    RHSA-announce mailing list
    This email address is being protected from spambots. You need JavaScript enabled to view it.
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    

    LinuxSecurity Poll

    'Tis the season of giving! How have you given back to the open-source community?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/49-tis-the-season-of-giving-how-have-you-given-back-to-the-open-source-community?task=poll.vote&format=json
    49
    radio
    [{"id":"171","title":"I've contributed to the development of an open-source project.","votes":"11","type":"x","order":"1","pct":34.38,"resources":[]},{"id":"172","title":"I've reviewed open-source code for security bugs.","votes":"6","type":"x","order":"2","pct":18.75,"resources":[]},{"id":"173","title":"I've made a donation to an open-source project.","votes":"15","type":"x","order":"3","pct":46.88,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350

    Please vote first in order to view vote results.


    VIEW MORE POLLS

    bottom 200

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.