drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Zwei Probleme in RHV
| Name: |
Zwei Probleme in RHV |
|
| ID: |
RHSA-2021:4626-01 |
|
| Distribution: |
Red Hat |
|
| Plattformen: |
Red Hat Virtualization |
|
| Datum: |
Mi, 17. November 2021, 09:47 |
|
| Referenzen: |
https://access.redhat.com/security/cve/CVE-2020-28469
https://access.redhat.com/security/cve/CVE-2020-7733 |
|
| Applikationen: |
RHV |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: RHV Manager (ovirt-engine) security update
[ovirt-4.4.9]
Advisory ID: RHSA-2021:4626-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2021:4626
Issue date: 2021-11-16
CVE Names: CVE-2020-7733 CVE-2020-28469
=====================================================================
1. Summary:
Updated ovirt-engine packages that fix several bugs and add various
enhancements are now available.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch
3. Description:
The ovirt-engine package provides the manager for virtualization
environments.
This manager enables admins to define hosts and networks, as well as to add
storage, create VMs and manage user permissions.
A list of bugs fixed in this update is available in the Technical Notes
book:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes
Security Fix(es):
* nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)
* nodejs-ua-parser-js: Regular expression denial of service via the regex
(CVE-2020-7733)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/2974891
5. Bugs fixed (https://bugzilla.redhat.com/):
1352501 - [RFE] LUKs key management on RHV
1879733 - CVE-2020-7733 nodejs-ua-parser-js: Regular expression denial of
service via the regex
1940991 - Hot plugging memory then hot unplugging the same memory on a RHEL 8
VM via API, after repeating the process several times the Defined Memory value in RHV-M and free command on the VM go out of sync, displaying completely different values
1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of
service
1957830 - Creating thin disk from VM Portal on block storage fails
1971802 - Connection timeout when DNS server timeouts for IPv6 address
resolution in mixed IPv4/IPv6 environments
1977232 - Create template broken with block storage
1977276 - Uploading ISO through RHV-M portal intermittently fails with error
"Failed to add disk for image transfer command"
1979730 - Windows VM ends up with ghost NIC and missing secondary disks machine
type changes from pc-q35-rhel8.3.0 to pc-q35-rhel8.4.0
1989324 - rhv-image-discrepancies should skip OVF_STORE
1992690 - [RFE] Customize 'oVirt Inventory Dashboard' to include
cluster wide information about 'CPUs Overcommit' and 'Running VMs - CPU Cores vs. Total Hosts-CPU Cores'
2000364 - Engine fails to start, unable to read cloud-init network config from
stateless snapshot configuration.
2001551 - Allow more granular checks with rhv-image-discrepancies
2001944 - Always log exception message which is raised during inserting into
audit_log
2004444 - Try to enable cinderlib repos on host during host upgrade
2007550 - Change type of disk write/read rate from integer to long
2014017 - Can not download VM disks due to 'Cannot transfer Virtual Disk:
Disk is locked'
6. Package List:
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:
Source:
ovirt-engine-4.4.9.2-0.6.el8ev.src.rpm
ovirt-engine-dwh-4.4.9.1-1.el8ev.src.rpm
ovirt-engine-extension-aaa-ldap-1.4.5-1.el8ev.src.rpm
ovirt-engine-metrics-1.4.4-1.el8ev.src.rpm
ovirt-web-ui-1.7.2-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.11-1.el8ev.src.rpm
noarch:
ovirt-engine-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-backend-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-dwh-4.4.9.1-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.4.9.1-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.4.9.1-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-1.4.5-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-setup-1.4.5-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-metrics-1.4.4-1.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-tools-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-web-ui-1.7.2-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.4.9.2-0.6.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.11-1.el8ev.noarch.rpm
rhvm-4.4.9.2-0.6.el8ev.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-7733
https://access.redhat.com/security/cve/CVE-2020-28469
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYZQXm9zjgjWX9erEAQgfGA//cT9M+SSFfEmyYDBEfwRL7zqst+bjsxJ5
B37q+1Ebo0JWHAsIgh0oluQ7WssqzCQp02bd4pZ3Mn8L0VzJ8/7ZO1czgHcjGxUN
gew4JY3+wX3Bm2z16EwgMwuG4h9KZ9wajwe4oLvZGVny5bj/qc7Jb4yh1pw9IHIA
rm3b4pSGxbqUh9cmiLMvf1gsIvLyHL3J5xu73TEjrFB8oSM4KnpC6Uqs5HMk/Qu6
6LRZpqFb+cOrLn7tarxIqZi9BODGo0jM6KImLZpWSQuiSeSlF7SuBAY8WtjRH9Yh
bxl46OyPDk88pu4sHWVI7acM/ngkCDb6WCIigBqf0NlzVl2RSY42cd9n8sQrAMSg
JRD3OpzZqMKVDfnoQEtxQrZCQJYLIgu0ALhZE5JwmzyuoK0EdMTs4xvStKB03cRy
aVwXbol30esQCbk078kXROpgTB4GC+afBfAZqUb9K1XkngTfC/+hOUnvQgKruZ3H
n4CB22UUGYJpqDhCqd+c+OssxTLp5qhhneruiayrxZyTYGrnmog4AaFvK5vdOz4u
ofJHvb3z+s8Yjl0z50lQP3CzFdJfncYVwpsJxCa2dFwK6cKajiudP1aldx73Uyz7
Bxsr4hc2rmXmz70K5QhfuTN6Uz3qWNnxNFXDzZm+6+o98exRfqcI/Uuzdk7A6kMx
o+zXeXdIuqM=
=TrU3
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
|
|
|
|
