-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Virtualization 2.5.3 security and bug fix update
Advisory ID:       RHSA-2021:0187-01
Product:           Container-native Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0187
Issue date:        2021-01-19
Keywords:          cnv,kubevirt,virtualization
CVE Names:         CVE-2020-1971 CVE-2020-8177 CVE-2020-12321 
                   CVE-2020-16166 CVE-2020-27813 
====================================================================
1. Summary:

Red Hat OpenShift Virtualization release 2.5.3 is now available with
updates to packages and images that fix several bugs and security issues.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization 2.5.3 images:

RHEL-7-CNV-2.5
=============kubevirt-ssp-operator-container-v2.5.3-2

RHEL-8-CNV-2.5
=============virtio-win-container-v2.5.3-4
hostpath-provisioner-container-v2.5.3-3
kubevirt-kvm-info-nfd-plugin-container-v2.5.3-2
kubevirt-template-validator-container-v2.5.3-4
kubevirt-cpu-model-nfd-plugin-container-v2.5.3-1
kubevirt-metrics-collector-container-v2.5.3-3
cnv-containernetworking-plugins-container-v2.5.3-2
kubemacpool-container-v2.5.3-2
hostpath-provisioner-operator-container-v2.5.3-3
kubevirt-cpu-node-labeller-container-v2.5.3-3
node-maintenance-operator-container-v2.5.3-2
ovs-cni-marker-container-v2.5.3-2
kubernetes-nmstate-handler-container-v2.5.3-2
cluster-network-addons-operator-container-v2.5.3-3
ovs-cni-plugin-container-v2.5.3-2
bridge-marker-container-v2.5.3-2
kubevirt-v2v-conversion-container-v2.5.3-2
hyperconverged-cluster-operator-container-v2.5.3-3
kubevirt-vmware-container-v2.5.3-2
cnv-must-gather-container-v2.5.3-2
virt-api-container-v2.5.3-2
virt-handler-container-v2.5.3-2
virt-controller-container-v2.5.3-2
virt-launcher-container-v2.5.3-2
virt-operator-container-v2.5.3-2
virt-cdi-cloner-container-v2.5.3-4
virt-cdi-importer-container-v2.5.3-4
virt-cdi-controller-container-v2.5.3-4
virt-cdi-apiserver-container-v2.5.3-4
virt-cdi-operator-container-v2.5.3-4
virt-cdi-uploadserver-container-v2.5.3-4
virt-cdi-uploadproxy-container-v2.5.3-4
vm-import-operator-container-v2.5.3-4
vm-import-controller-container-v2.5.3-4
vm-import-virtv2v-container-v2.5.3-4
hco-bundle-registry-container-v2.5.3-80

Security Fix(es):

* golang-github-gorilla-websocket: integer overflow leads to denial of
service (CVE-2020-27813)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* Container-native Virtualization 2.5.3 Images (BZ#1902961)

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1902111 - CVE-2020-27813 golang-github-gorilla-websocket: integer overflow leads to denial of service
1902961 - Container-native Virtualization 2.5.3 Images

5. References:

https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/cve/CVE-2020-8177
https://access.redhat.com/security/cve/CVE-2020-12321
https://access.redhat.com/security/cve/CVE-2020-16166
https://access.redhat.com/security/cve/CVE-2020-27813
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYAbectzjgjWX9erEAQhpkA//ahafTxC/QVF8rcNQHlETxPJ19H/J1Oq0
h3YFUHesX/HXsKSzPWJnQTYXHy+XvlRJsRW7UJXyI4sCCL3+KTS6byuJDw4IdhXM
6XWi6GvTFGkyXBF+2FyIiaDRU+xYA9+RtvEzsxeZJhDuqxFT5BTnh/kYeXFMt7db
IF/LrKGH4trUFADOmtR/mDoRIiKSszSHZvogmi77aILt80N1y36PgPIW1fhp4Vch
a9G25PUwpo0GbV2MU1vUANLxY/Xl8pDwkxdiH1C3OL1xN9jXjpYPpDYGusp4cnJW
Ltu0tbscqQ0DLuXuY2mijVoFw87n6z33nwvFQ1y/50IS0VxJ9xxOGwLU9MGuJJSU
czEDF9B1A/YHuVvYZzA63yXPRm0gzPs4MsLNw+CVE7vT8k+DYk1+EYlrf6MeQXku
9sFT369P8BYewrby5ALz7f2Iad7XvM8ghw80ipkSOBMyfKVWICPBi3hK5arbJ4tv
/Mxq0we6yOXniAm1JJGHmoSXGs6GrWcKHuRx7OhS9cQcoya3xsoV/GK6/qVaq/x6
sNEbQifbrmsHyQl4f2GNmeSJSVObjRdlTzh1CYUX0u7/fi3iGCJ0coaWEYWFVVnY
xPAse2XYP3DwfWbfbYn+kTSo+FUlgr2DMX9UCl06Z0nO45cMAMhglEMRursbK4qM
5nTdjA8IcLg=ZWkh
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2021-0187:01 Moderate: OpenShift Virtualization 2.5.3 security

Red Hat OpenShift Virtualization release 2.5.3 is now available with updates to packages and images that fix several bugs and security issues

Summary

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.
This advisory contains the following OpenShift Virtualization 2.5.3 images:
RHEL-7-CNV-2.5 =============kubevirt-ssp-operator-container-v2.5.3-2
RHEL-8-CNV-2.5 =============virtio-win-container-v2.5.3-4 hostpath-provisioner-container-v2.5.3-3 kubevirt-kvm-info-nfd-plugin-container-v2.5.3-2 kubevirt-template-validator-container-v2.5.3-4 kubevirt-cpu-model-nfd-plugin-container-v2.5.3-1 kubevirt-metrics-collector-container-v2.5.3-3 cnv-containernetworking-plugins-container-v2.5.3-2 kubemacpool-container-v2.5.3-2 hostpath-provisioner-operator-container-v2.5.3-3 kubevirt-cpu-node-labeller-container-v2.5.3-3 node-maintenance-operator-container-v2.5.3-2 ovs-cni-marker-container-v2.5.3-2 kubernetes-nmstate-handler-container-v2.5.3-2 cluster-network-addons-operator-container-v2.5.3-3 ovs-cni-plugin-container-v2.5.3-2 bridge-marker-container-v2.5.3-2 kubevirt-v2v-conversion-container-v2.5.3-2 hyperconverged-cluster-operator-container-v2.5.3-3 kubevirt-vmware-container-v2.5.3-2 cnv-must-gather-container-v2.5.3-2 virt-api-container-v2.5.3-2 virt-handler-container-v2.5.3-2 virt-controller-container-v2.5.3-2 virt-launcher-container-v2.5.3-2 virt-operator-container-v2.5.3-2 virt-cdi-cloner-container-v2.5.3-4 virt-cdi-importer-container-v2.5.3-4 virt-cdi-controller-container-v2.5.3-4 virt-cdi-apiserver-container-v2.5.3-4 virt-cdi-operator-container-v2.5.3-4 virt-cdi-uploadserver-container-v2.5.3-4 virt-cdi-uploadproxy-container-v2.5.3-4 vm-import-operator-container-v2.5.3-4 vm-import-controller-container-v2.5.3-4 vm-import-virtv2v-container-v2.5.3-4 hco-bundle-registry-container-v2.5.3-80
Security Fix(es):
* golang-github-gorilla-websocket: integer overflow leads to denial of service (CVE-2020-27813)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Container-native Virtualization 2.5.3 Images (BZ#1902961)



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2020-1971 https://access.redhat.com/security/cve/CVE-2020-8177 https://access.redhat.com/security/cve/CVE-2020-12321 https://access.redhat.com/security/cve/CVE-2020-16166 https://access.redhat.com/security/cve/CVE-2020-27813 https://access.redhat.com/security/updates/classification/#moderate

Package List


Severity
Advisory ID: RHSA-2021:0187-01
Product: Container-native Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0187
Issued Date: : 2021-01-19
Keywords: cnv,kubevirt,virtualization
CVE Names: CVE-2020-1971 CVE-2020-8177 CVE-2020-12321 CVE-2020-16166 CVE-2020-27813

Topic

Red Hat OpenShift Virtualization release 2.5.3 is now available withupdates to packages and images that fix several bugs and security issues.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

1902111 - CVE-2020-27813 golang-github-gorilla-websocket: integer overflow leads to denial of service

1902961 - Container-native Virtualization 2.5.3 Images


Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved