Red Hat Enterprise Linux 8 RHSA-2021-4750 Important: Host Security Update

Red Hat
November 19, 2021
Red Hat security advisory for the Red Hat Virtualization Host, covering kernel, Ansible and libssh security fixes, bug fixes and a rebase onto Red Hat Enterprise Linux 8.5.
An update for redhat-release-virtualization-host and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Summary

The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.
Security Fix(es):
* kernel: out-of-bounds write due to a heap buffer overflow in __hidinput_change_resolution_multipliers() of hid-input.c (CVE-2021-0512)
* Ansible: ansible-connection module discloses sensitive info in traceback error message (CVE-2021-3620)
* kernel: Insufficient validation of user-supplied sizes for the MSG_CRYPTO message type (CVE-2021-43267)
* libssh: NULL pointer dereference in sftpserver.c if ssh_buffer_new returns NULL (CVE-2020-16135)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Red Hat Virtualization Host now includes packages from Red Hat Enterprise Linux 8.5. (BZ#1958101)
* Red Hat Virtualization Host now includes packages from RHGS-3.5.z on RHEL-8 Batch #5. (BZ#1975175)
* Red Hat Virtualization Host now includes the packages needed for using Managed Block Devices via cinderlib. (BZ#1983021)
* Red Hat Virtualization Host now includes openvswitch related packages from Fast Data Path 21.G release. (BZ#1998104)
* Previously it was not possible to upgrade RHVH to version 4.4.8 when custom VDSM hooks were installed on RHVH. This was caused by the VDSM hooks dependency on the concrete version of VDSM. The current release allows users to maintain the VDSM dependency manually. In other words, if you want to upgrade from VDSM X.Y.Z to version A.B.C, you must upgrade all VDSM hooks to the same A.B.C version. (BZ#2004469)

References

https://access.redhat.com/security/cve/CVE-2020-16135
https://access.redhat.com/security/cve/CVE-2021-0512
https://access.redhat.com/security/cve/CVE-2021-3620
https://access.redhat.com/security/cve/CVE-2021-43267
https://access.redhat.com/security/updates/classification#important

Package List

Red Hat Virtualization 4 Hypervisor for RHEL 8:
Source: redhat-virtualization-host-4.4.9-202111172338_8.5.src.rpm
x86_64: redhat-virtualization-host-image-update-4.4.9-202111172338_8.5.x86_64.rpm
RHEL 8-based RHEV-H for RHEV 4 (build requirements):
Source: redhat-release-virtualization-host-4.4.9-2.el8ev.src.rpm
noarch: redhat-virtualization-host-image-update-placeholder-4.4.9-2.el8ev.noarch.rpm
x86_64: redhat-release-virtualization-host-4.4.9-2.el8ev.x86_64.rpm
x86_64: redhat-release-virtualization-host-content-4.4.9-2.el8ev.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key
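Before installing the packages listed above, a host administrator should confirm that every downloaded RPM carries a valid Red Hat signature rather than only a digest. The following shell function is an added example (not part of this advisory or of Red Hat's tooling): it parses the output of `rpm -Kv` and rejects any package whose header signature is missing, made by an unexpected key, or reported as bad. It assumes the rpm 4.x output format shown in the constructed sample and uses a placeholder key ID; the real Red Hat key ID comes from https://access.redhat.com/security/team/key.

```shell
#!/bin/sh
# Added example: gate installation on a valid Red Hat GPG signature.
# EXPECTED_KEY_ID is a placeholder; set it to the key ID of the Red Hat
# release key imported via https://access.redhat.com/security/team/key.
EXPECTED_KEY_ID="${EXPECTED_KEY_ID:-deadbeef}"

# Read `rpm -Kv` output from stdin. Exit 0 only if every package has a
# header signature line "key ID <expected>: OK" and no failure marker
# (NOT OK, NOKEY, MISSING KEYS, BAD). Prints one verdict line per file.
check_rpm_sig_output() {
    awk -v key="$EXPECTED_KEY_ID" '
        BEGIN { fail = 0 }
        # A package name followed by ":" on its own line starts a new block.
        /^[^ ].*:$/ { flush(); pkg = substr($0, 1, length($0) - 1); next }
        # Only a signature by the expected key counts; digests alone do not.
        /Signature, key ID/ { if ($0 ~ "key ID " key ": OK$") signed = 1 }
        /NOT OK|NOKEY|MISSING KEYS|BAD/ { bad = 1 }
        END { flush(); exit fail }
        function flush() {
            if (pkg == "") return
            if (signed && !bad) print pkg ": signed by " key
            else { print pkg ": REJECT"; fail = 1 }
            signed = 0; bad = 0
        }
    '
}

# Convenience wrapper for real use on a host: verify downloaded files.
verify_downloaded_rpms() {
    rpm -Kv "$@" | check_rpm_sig_output
}

# Constructed sample of `rpm -Kv` output: one good package, one with a
# bad signature, and one that is only digest-checked (unsigned).
SAMPLE_OUTPUT='redhat-virtualization-host-image-update-4.4.9-202111172338_8.5.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID deadbeef: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
tampered.rpm:
    Header V3 RSA/SHA256 Signature, key ID deadbeef: NOT OK
    Header SHA256 digest: OK
unsigned.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: OK'
```

Running `printf '%s\n' "$SAMPLE_OUTPUT" | check_rpm_sig_output` reports the image-update package as signed and rejects the other two, returning a non-zero status so it can gate an install step.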


Severity: Important

Advisory ID: RHSA-2021:4750-01
Product: Red Hat Virtualization
Issue date: 2021-11-19

Topic

An update for redhat-release-virtualization-host and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases / Architectures

RHEL 8-based RHEV-H for RHEV 4 (build requirements) - noarch, x86_64

Red Hat Virtualization 4 Hypervisor for RHEL 8 - x86_64

Bugs Fixed

1862456 - CVE-2020-16135 libssh: NULL pointer dereference in sftpserver.c if ssh_buffer_new returns NULL

1953685 - The RHVH iso should not always remove the /root/anaconda-ks.cfg file.

1958101 - Rebase RHV-H 4.4.9 on RHEL 8.5

1974491 - CVE-2021-0512 kernel: out-of-bounds write due to a heap buffer overflow in __hidinput_change_resolution_multipliers() of hid-input.c

1975175 - Rebase RHV-H 4.4.9 on RHGS-3.5.z on RHEL-8 Batch #5

1975767 - CVE-2021-3620 Ansible: ansible-connection module discloses sensitive info in traceback error message

1983021 - [cinderlib] Provide cinderlib prerequisites in RHV-H

1998104 - Rebase RHV-H on FDP 21.G

2004469 - [RHV 4.4.8] Unable to upgrade RHVH if vdsm-hook-ethtool-options is installed

2020362 - CVE-2021-43267 kernel: Insufficient validation of user-supplied sizes for the MSG_CRYPTO message type

2024360 - RHV-H sssd-proxy installation fails due to higher versioned packages of sssd-* in repository than RHV 4.4.8 uses.
