RedHat: RHSA-2021-1924:01 Low: spice security update | LinuxSecurit...

Advisories

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: spice security update
Advisory ID:       RHSA-2021:1924-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1924
Issue date:        2021-05-18
CVE Names:         CVE-2021-20201 
=====================================================================

1. Summary:

An update for spice is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, x86_64
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, x86_64

3. Description:

The Simple Protocol for Independent Computing Environments (SPICE) is a
remote display system built for virtual environments which allows the user
to view a computing 'desktop' environment not only on the machine where it
is running, but from anywhere on the Internet and from a wide variety of
machine architectures.

Security Fix(es):

* spice: Client initiated renegotiation denial of service (CVE-2021-20201)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.4 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All applications using SPICE (most notably all QEMU-KVM instances using the
SPICE console) must be restarted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1904459 - CVE-2021-20201 spice: OpenSSL(TLS/SSL) Security DoS Vulnerability - enables client-initiated renegotiation [rhel-8]
1921846 - CVE-2021-20201 spice: Client initiated renegotiation denial of service

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
spice-0.14.3-4.el8.src.rpm

aarch64:
spice-debugsource-0.14.3-4.el8.aarch64.rpm
spice-server-0.14.3-4.el8.aarch64.rpm
spice-server-debuginfo-0.14.3-4.el8.aarch64.rpm

x86_64:
spice-debugsource-0.14.3-4.el8.i686.rpm
spice-debugsource-0.14.3-4.el8.x86_64.rpm
spice-server-0.14.3-4.el8.i686.rpm
spice-server-0.14.3-4.el8.x86_64.rpm
spice-server-debuginfo-0.14.3-4.el8.i686.rpm
spice-server-debuginfo-0.14.3-4.el8.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:
spice-debugsource-0.14.3-4.el8.aarch64.rpm
spice-server-debuginfo-0.14.3-4.el8.aarch64.rpm
spice-server-devel-0.14.3-4.el8.aarch64.rpm

x86_64:
spice-debugsource-0.14.3-4.el8.i686.rpm
spice-debugsource-0.14.3-4.el8.x86_64.rpm
spice-server-debuginfo-0.14.3-4.el8.i686.rpm
spice-server-debuginfo-0.14.3-4.el8.x86_64.rpm
spice-server-devel-0.14.3-4.el8.i686.rpm
spice-server-devel-0.14.3-4.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-20201
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.4_release_notes/

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYKPx3NzjgjWX9erEAQjYvA//bld93FtB1ykwtluP6/BxsvwxV1BmleZm
istENZ0E2Lb8vOf5ud8mW0TROSeh9RZ1KuwIGAhzzSQyLivKLU1WI16tGEDGb2PO
abx49BNyjFh8jHbwvvLK9Zdi7l4evw6WUk8QBsN74hZwkKd713emSPyRgo1Mo06w
pq41yay+Xxp4fqGsjsbeLm3X+0vFEg5mu9fHTgUl6WET7oR/gWanhMyDgYw6cot8
r/Kt/fUVl+xoi38vxFR5DNEs9YuQg4QtZbdVpiPjEISLW32JnFsfCt50Xx9YZbJw
2gAUA1oQCmvaORyP9ibwdhWtNiNzIzm4I9sOyaGRIqg6C6RQ2FnN7FpQzEAtFIdU
eLp3KKm2iaWbSuqMrCv6kl9PqGdyC/CFwPbvjv48j47fFuWtx8zmbUsio7lw0UcQ
U0JmhzyeOunPcX0ep9y5mo0805sXhi9LXxMskOzXa3kVNlEDoxz/TbrrsDdh6FZw
dYyPfCXVgYQ/7ocCwZnLxSA3VMiYIdrl6rH1V4/X5rRDgHzM3m3R0ZFGjHoUOTYw
X+PHzlejexTaVFOqehbg0WTM8ewS8mc8jhbetR2qvf0iVcZKAhEQTeqkdSBNUMn2
xwdLQs0aVlLVyUuyHGDTt7OnADWjLxXCCcjBY1DvAgvMmieA4tzFaPvoIwIeqWwh
8cVduqBcB/o=
=fg20
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2021-1924:01 Low: spice security update

An update for spice is now available for Red Hat Enterprise Linux 8

Summary

The Simple Protocol for Independent Computing Environments (SPICE) is a remote display system built for virtual environments which allows the user to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures.
Security Fix(es):
* spice: Client initiated renegotiation denial of service (CVE-2021-20201)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.4 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changesdescribed in this advisory, refer to:https://access.redhat.com/articles/11258All applications using SPICE (most notably all QEMU-KVM instances using theSPICE console) must be restarted for this update to take effect.

References

https://access.redhat.com/security/cve/CVE-2021-20201 https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.4_release_notes/

Package List

Red Hat Enterprise Linux AppStream (v. 8):
Source: spice-0.14.3-4.el8.src.rpm
aarch64: spice-debugsource-0.14.3-4.el8.aarch64.rpm spice-server-0.14.3-4.el8.aarch64.rpm spice-server-debuginfo-0.14.3-4.el8.aarch64.rpm
x86_64: spice-debugsource-0.14.3-4.el8.i686.rpm spice-debugsource-0.14.3-4.el8.x86_64.rpm spice-server-0.14.3-4.el8.i686.rpm spice-server-0.14.3-4.el8.x86_64.rpm spice-server-debuginfo-0.14.3-4.el8.i686.rpm spice-server-debuginfo-0.14.3-4.el8.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 8):
aarch64: spice-debugsource-0.14.3-4.el8.aarch64.rpm spice-server-debuginfo-0.14.3-4.el8.aarch64.rpm spice-server-devel-0.14.3-4.el8.aarch64.rpm
x86_64: spice-debugsource-0.14.3-4.el8.i686.rpm spice-debugsource-0.14.3-4.el8.x86_64.rpm spice-server-debuginfo-0.14.3-4.el8.i686.rpm spice-server-debuginfo-0.14.3-4.el8.x86_64.rpm spice-server-devel-0.14.3-4.el8.i686.rpm spice-server-devel-0.14.3-4.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

Severity
Advisory ID: RHSA-2021:1924-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1924
Issued Date: : 2021-05-18
CVE Names: CVE-2021-20201

Topic

An update for spice is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impactof Low. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Red Hat CodeReady Linux Builder (v. 8) - aarch64, x86_64

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, x86_64

Bugs Fixed

1904459 - CVE-2021-20201 spice: OpenSSL(TLS/SSL) Security DoS Vulnerability - enables client-initiated renegotiation [rhel-8]

1921846 - CVE-2021-20201 spice: Client initiated renegotiation denial of service

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.