RedHat: RHSA-2022-5439:01 Important: RHV-H security update | LinuxS...

Advisories

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: RHV-H security update (redhat-virtualization-host) 4.3.23
Advisory ID:       RHSA-2022:5439-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5439
Issue date:        2022-06-30
CVE Names:         CVE-2018-25032 CVE-2022-1271 CVE-2022-1966 
                   CVE-2022-24903 
=====================================================================

1. Summary:

An update for redhat-release-virtualization-host and
redhat-virtualization-host is now available for Red Hat Virtualization 4
for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL 7-based RHEV-H for RHEV 4 (build requirements) - noarch, x86_64
Red Hat Virtualization 4 Hypervisor for RHEL 7 - noarch

3. Description:

The redhat-virtualization-host packages provide the Red Hat Virtualization
Host.
These packages include redhat-release-virtualization-host. Red Hat
Virtualization Hosts (RHVH) are installed using a special build of Red Hat
Enterprise Linux with only the packages required to host virtual machines. 
RHVH features a Cockpit user interface for monitoring the host's resources
and performing administrative tasks.

Security Fix(es) from Bugzilla:

* zlib: A flaw found in zlib when compressing (not decompressing) certain
inputs (CVE-2018-25032)

* gzip: arbitrary-file-write vulnerability (CVE-2022-1271)

* rsyslog: Heap-based overflow in TCP syslog server (CVE-2022-24903)

* kernel: a use-after-free write in the netfilter subsystem can lead to
privilege escalation to root (CVE-2022-1966)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Bug Fix(es) from Bugzilla:

* RHV-H 4.3 has been rebased on RHEL 7.9 batch (BZ#2084444)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

2067945 - CVE-2018-25032 zlib: A flaw found in zlib when compressing (not decompressing) certain inputs
2073310 - CVE-2022-1271 gzip: arbitrary-file-write vulnerability
2081353 - CVE-2022-24903 rsyslog: Heap-based overflow in TCP syslog server
2084444 - Rebase RHV-H 4.3 on RHEL 7.9 batch
2092427 - CVE-2022-1966 kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root

6. Package List:

Red Hat Virtualization 4 Hypervisor for RHEL 7:

Source:
redhat-virtualization-host-4.3.23-20220622.0.el7_9.src.rpm

noarch:
redhat-virtualization-host-image-update-4.3.23-20220622.0.el7_9.noarch.rpm

RHEL 7-based RHEV-H for RHEV 4 (build requirements):

Source:
redhat-release-virtualization-host-4.3.23-1.el7ev.src.rpm
redhat-virtualization-host-4.3.23-20220622.0.el7_9.src.rpm
redhat-virtualization-host-productimg-4.3.23-1.el7.src.rpm

noarch:
redhat-virtualization-host-image-update-4.3.23-20220622.0.el7_9.noarch.rpm
redhat-virtualization-host-image-update-placeholder-4.3.23-1.el7ev.noarch.rpm

x86_64:
redhat-release-virtualization-host-4.3.23-1.el7ev.x86_64.rpm
redhat-virtualization-host-productimg-4.3.23-1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/cve/CVE-2022-1966
https://access.redhat.com/security/cve/CVE-2022-24903
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYr6VwdzjgjWX9erEAQjlUQ//St4jo4QoQbG6tiIa+jMGjKEXjz+aa4ui
BtmQc+LbAzIjM1Wslf+7iuzU5A07CQ+fscVNXXTfmpGKjc5Ci6SaZUGgtk7hLdpt
tLx2mY681n/J43C7QZM2ZeOjYVRjN+t8QHpenSiT0Aw41s23dUtD/4nXZfwRu74H
1zily70MZP0Ukt+sbUn42Ry/fKGqJU2LVau/UPqxSkqUj3YskLXNSJmNN7+JVhKj
y8z3C5AnYQtytv8QfRBXVvY58upTnN7gXPqLuA2IFnp82yQDmnkeqxl/ZGZoxUAD
F31u0OV+9575GxDjYzaV2RomcBpkMHU//7Mo0RxTKfIPQp5MTZWGkrrMn3RFr4Yc
DixfcCXfp9osc7LrL7kV7ZmvdfKxV7VlM3ja7PdKd+S1jRw7Ol6MfgInUWhbWt4t
T9y1abRa3YWliSJaTI7IxMM3fH8Smtcozr90+G7pk+MFFAPbw+2VK7yScS+Rpl72
zm+5Bkz/pkpBGEWSXNvJNeTc1xBfZnPTDI2UnX1495mLTpAyK5JhwRp+LvtuMFm+
maVds4CpAssAQvM8tEU9qJdXvzMT9W7jXpzr6QK7C90F6f590Yc4OElJUp/hGYSL
PvaYkhRrZShMJBgPdZnBFeEZkM8f4b+FkBU4WLAJF8Me+Wiodm4mKNRZSXBuDfDo
vlSrwW/9s7I=
=u0ws
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-5439:01 Important: RHV-H security update

An update for redhat-release-virtualization-host and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Summary

The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.
Security Fix(es) from Bugzilla:
* zlib: A flaw found in zlib when compressing (not decompressing) certain inputs (CVE-2018-25032)
* gzip: arbitrary-file-write vulnerability (CVE-2022-1271)
* rsyslog: Heap-based overflow in TCP syslog server (CVE-2022-24903)
* kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root (CVE-2022-1966)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es) from Bugzilla:
* RHV-H 4.3 has been rebased on RHEL 7.9 batch (BZ#2084444)

Solution

For details on how to apply this update, which includes the changesdescribed in this advisory, refer to:https://access.redhat.com/articles/2974891

References

https://access.redhat.com/security/cve/CVE-2018-25032 https://access.redhat.com/security/cve/CVE-2022-1271 https://access.redhat.com/security/cve/CVE-2022-1966 https://access.redhat.com/security/cve/CVE-2022-24903 https://access.redhat.com/security/updates/classification/#important

Package List

Red Hat Virtualization 4 Hypervisor for RHEL 7:
Source: redhat-virtualization-host-4.3.23-20220622.0.el7_9.src.rpm
noarch: redhat-virtualization-host-image-update-4.3.23-20220622.0.el7_9.noarch.rpm
RHEL 7-based RHEV-H for RHEV 4 (build requirements):
Source: redhat-release-virtualization-host-4.3.23-1.el7ev.src.rpm redhat-virtualization-host-4.3.23-20220622.0.el7_9.src.rpm redhat-virtualization-host-productimg-4.3.23-1.el7.src.rpm
noarch: redhat-virtualization-host-image-update-4.3.23-20220622.0.el7_9.noarch.rpm redhat-virtualization-host-image-update-placeholder-4.3.23-1.el7ev.noarch.rpm
x86_64: redhat-release-virtualization-host-4.3.23-1.el7ev.x86_64.rpm redhat-virtualization-host-productimg-4.3.23-1.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

Severity
Advisory ID: RHSA-2022:5439-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2022:5439
Issued Date: : 2022-06-30
CVE Names: CVE-2018-25032 CVE-2022-1271 CVE-2022-1966 CVE-2022-24903

Topic

An update for redhat-release-virtualization-host andredhat-virtualization-host is now available for Red Hat Virtualization 4for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Relevant Releases Architectures

RHEL 7-based RHEV-H for RHEV 4 (build requirements) - noarch, x86_64

Red Hat Virtualization 4 Hypervisor for RHEL 7 - noarch

Bugs Fixed

2067945 - CVE-2018-25032 zlib: A flaw found in zlib when compressing (not decompressing) certain inputs

2073310 - CVE-2022-1271 gzip: arbitrary-file-write vulnerability

2081353 - CVE-2022-24903 rsyslog: Heap-based overflow in TCP syslog server

2084444 - Rebase RHV-H 4.3 on RHEL 7.9 batch

2092427 - CVE-2022-1966 kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.