—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Low: Red Hat Virtualization security, bug fix, and enhancement update
Advisory ID: RHSA-2020:5179-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2020:5179
Issue date: 2020-11-24
CVE Names: CVE-2019-20920 CVE-2019-20922 CVE-2020-8203
=====================================================================
1. Summary:
An update is now available for Red Hat Virtualization Engine 4.4.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
RHEL-8-RHEV-S-4.4 – Red Hat Virtualization Engine 4.4 – noarch
3. Description:
The org.ovirt.engine-root is a core component of oVirt.
The following packages have been upgraded to a later upstream version:
engine-db-query (1.6.2), org.ovirt.engine-root (4.4.3.8), ovirt-engine-dwh
(4.4.3.1), ovirt-engine-extension-aaa-ldap (1.4.2),
ovirt-engine-extension-logger-log4j (1.1.1), ovirt-engine-metrics
(1.4.2.1), ovirt-engine-ui-extensions (1.2.4), ovirt-log-collector (4.4.4),
ovirt-web-ui (1.6.5), rhv-log-collector-analyzer (1.0.5), rhvm-branding-rhv
(4.4.6). (BZ#1866981, BZ#1879377)
Security Fix(es):
* nodejs-handlebars: lookup helper fails to properly validate templates
allowing for arbitrary JavaScript execution (CVE-2019-20920)
* nodejs-handlebars: an endless loop while processing specially-crafted
templates leads to DoS (CVE-2019-20922)
* nodejs-lodash: prototype pollution in zipObjectDeep function
(CVE-2020-8203)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
* send –nowait to libvirt when we collect qemu stats, to consume
bz#1552092 (BZ#1613514)
* Block moving HE hosts into different Data Centers and make HE host moved
to different cluster NonOperational after activation (BZ#1702016)
* If an in-use MAC is held by a VM on a different cluster, the engine does
not attempt to get the next free MAC. (BZ#1760170)
* Search backend cannot find VMs which name starts with a search keyword
(BZ#1797717)
* [Permissions] DataCenterAdmin role defined on DC level does not allow
Cluster creation (BZ#1808320)
* enable-usb-autoshare is always 0 in console.vv and usb-filter option is
listed two times (BZ#1811466)
* NumaPinningHelper is not huge pages aware, denies migration to suitable
host (BZ#1812316)
* Adding quota to group doesn’t propagate to users (BZ#1822372)
* Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35
Template (BZ#1829691)
* Live Migration Bandwidth unit is different from Engine configuration
(Mbps) and VDSM (MBps) (BZ#1845397)
* RHV-M shows successful operation if OVA export/import failed during
“qemu-img convert” phase (BZ#1854888)
* Cannot hotplug disk reports libvirtError: Requested operation is not
valid: Domain already contains a disk with that address (BZ#1855305)
* rhv-log-collector-analyzer –json fails with TypeError (BZ#1859314)
* RHV 4.4 on AMD EPYC 7742 throws an NUMA related error on VM run
(BZ#1866862)
* Issue with dashboards creation when sending metrics to external
Elasticsearch (BZ#1870133)
* HostedEngine VM is broken after Cluster changed to UEFI (BZ#1871694)
* [CNV&RHV]Notification about VM creation contain <UNKNOWN> string
(BZ#1873136)
* VM stuck in Migrating status after migration completed due to incorrect
status reported by VDSM after restart (BZ#1877632)
* Use 4.5 as compatibility level for the Default DataCenter and the Default
Cluster during installation (BZ#1879280)
* unable to create/add index pattern in step 5 from kcs articles#4921101
(BZ#1881634)
* [CNV&RHV] Remove warning about no active storage domain for Kubevirt VMs
(BZ#1883844)
* Deprecate and remove ovirt-engine-api-explorer (BZ#1884146)
* [CNV&RHV] Disable creating new disks for Kubevirt VM (BZ#1884634)
* Require ansible-2.9.14 in ovirt-engine (BZ#1888626)
Enhancement(s):
* [RFE] Virtualization support for NVDIMM – RHV (BZ#1361718)
* [RFE] – enable renaming HostedEngine VM name (BZ#1657294)
* [RFE] Enabling Icelake new NIs – RHV (BZ#1745024)
* [RFE] Show vCPUs and allocated memory in virtual machines summary
(BZ#1752751)
* [RFE] RHV-M Deployment/Install Needs it’s own UUID (BZ#1825020)
* [RFE] Destination Host in migrate VM dialog has to be searchable and
sortable (BZ#1851865)
* [RFE] Expose the “reinstallation required” flag of the hosts in the API
(BZ#1856671)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/2974891
5. Bugs fixed (https://bugzilla.redhat.com/):
1613514 – send –nowait to libvirt when we collect qemu stats, to consume bz#1552092
1657294 – [RFE] – enable renaming HostedEngine VM name
1691253 – ovirt-engine-extension-aaa-ldap-setup does not escape special characters in password
1702016 – Block moving HE hosts into different Data Centers and make HE host moved to different cluster NonOperational after activation
1752751 – [RFE] Show vCPUs and allocated memory in virtual machines summary
1760170 – If an in-use MAC is held by a VM on a different cluster, the engine does not attempt to get the next free MAC.
1797717 – Search backend cannot find VMs which name starts with a search keyword
1808320 – [Permissions] DataCenterAdmin role defined on DC level does not allow Cluster creation
1811466 – enable-usb-autoshare is always 0 in console.vv and usb-filter option is listed two times
1812316 – NumaPinningHelper is not huge pages aware, denies migration to suitable host
1822372 – Adding quota to group doesn’t propagate to users
1825020 – [RFE] RHV-M Deployment/Install Needs it’s own UUID
1828241 – Deleting snapshot do not display a lock for it’s disks under “Disk Snapshots” tab.
1829691 – Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35 Template
1842344 – Status loop due to host initialization not checking network status, monitoring finding the network issue and auto-recovery.
1845432 – [CNV&RHV] Communicatoin with CNV cluster spamming engine.log when token is expired
1851865 – [RFE] Destination Host in migrate VM dialog has to be searchable and sortable
1854888 – RHV-M shows successful operation if OVA export/import failed during “qemu-img convert” phase
1855305 – Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a disk with that address
1856671 – [RFE] Expose the “reinstallation required” flag of the hosts in the API
1857412 – CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
1859314 – rhv-log-collector-analyzer –json fails with TypeError
1862101 – rhv-image-discrepancies does show size of the images on the storage as size of the image in db and vice versa
1866981 – obj must be encoded before hashing
1870133 – Issue with dashboards creation when sending metrics to external Elasticsearch
1871694 – HostedEngine VM is broken after Cluster changed to UEFI
1872911 – RHV Administration Portal fails with 404 error even after updating to RHV 4.3.9
1873136 – [CNV&RHV]Notification about VM creation contain <UNKNOWN> string
1876923 – PostgreSQL 12 in RHV 4.4 – engine-setup menu ref URL needs updating
1877632 – VM stuck in Migrating status after migration completed due to incorrect status reported by VDSM after restart
1877679 – Synchronize advanced virtualization module with RHEL version during host upgrade
1879199 – ovirt-engine-extension-aaa-ldap-setup fails on cert import
1879280 – Use 4.5 as compatibility level for the Default DataCenter and the Default Cluster during installation
1879377 – [DWH] Rebase bug – for the 4.4.3 release
1881634 – unable to create/add index pattern in step 5 from kcs articles#4921101
1882256 – CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS
1882260 – CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution
1883844 – [CNV&RHV] Remove warning about no active storage domain for Kubevirt VMs
1884146 – Deprecate and remove ovirt-engine-api-explorer
1884634 – [CNV&RHV] Disable creating new disks for Kubevirt VM
1885976 – rhv-log-collector-analyzer – argument must be str, not bytes
1887268 – Cannot perform yum update on my RHV manager (ansible conflict)
1888626 – Require ansible-2.9.14 in ovirt-engine
1889522 – metrics playbooks are broken due to typo
6. Package List:
RHEL-8-RHEV-S-4.4 – Red Hat Virtualization Engine 4.4:
Source:
engine-db-query-1.6.2-1.el8ev.src.rpm
ovirt-engine-4.4.3.8-0.1.el8ev.src.rpm
ovirt-engine-dwh-4.4.3.1-1.el8ev.src.rpm
ovirt-engine-extension-aaa-ldap-1.4.2-1.el8ev.src.rpm
ovirt-engine-extension-logger-log4j-1.1.1-1.el8ev.src.rpm
ovirt-engine-metrics-1.4.2.1-1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.2.4-1.el8ev.src.rpm
ovirt-log-collector-4.4.4-1.el8ev.src.rpm
ovirt-web-ui-1.6.5-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.5-1.el8ev.src.rpm
rhvm-branding-rhv-4.4.6-1.el8ev.src.rpm
noarch:
engine-db-query-1.6.2-1.el8ev.noarch.rpm
ovirt-engine-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-backend-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-dwh-4.4.3.1-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.4.3.1-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.4.3.1-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-1.4.2-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-setup-1.4.2-1.el8ev.noarch.rpm
ovirt-engine-extension-logger-log4j-1.1.1-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-metrics-1.4.2.1-1.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-setup-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-tools-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-ui-extensions-1.2.4-1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-log-collector-4.4.4-1.el8ev.noarch.rpm
ovirt-web-ui-1.6.5-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.4.3.8-0.1.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.5-1.el8ev.noarch.rpm
rhvm-4.4.3.8-0.1.el8ev.noarch.rpm
rhvm-branding-rhv-4.4.6-1.el8ev.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-20920
https://access.redhat.com/security/cve/CVE-2019-20922
https://access.redhat.com/security/cve/CVE-2020-8203
https://access.redhat.com/security/updates/classification/#low
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1
iQIVAwUBX70HvdzjgjWX9erEAQjCLA//a317mM4YG3b2NthOYrawJOiY8u4jPw5B
fkOi7cTYkgrN1DeXJdUxfrZztt+QPix3ehqZhxromwCUi4cdh0jvlliMWQbzgGcW
vIybXzMULIXGd1JbV18SAo+S04b2ggCprbkIZ+HAI3zDIpiZ2/1167kV0x4yFHma
WYzTz5j9M6ZLBA9h94vnhQPGfcDfaTFuCluAcNdLvm5aDiitriE/wLYEpueHtmKN
BZVNwfsJ9FI3WEKVf8w/BP134O+Qh7aioXudDWgO3olfUyZ6QAs0BDaerw/kqNP9
VZdVKTZDkx5y6ccOCpNztsn19S8//LzTXKtwBJpd/oYlfo34+/hm9dq0JOTDcJNd
xHbYHVMK6/8P0uJ1BtKlq4AX3B3Qw4ffFR0vLfWRLf7zNR2x0DNj5gdS7BWJsNjr
3qorwKjznM2rcXNfNx8uIDy2S1bIQgMAE8X22IUhDSeRenh2ZRrdgwUPZzvQkDll
eWTxL/ipWvjFhUBUUsQQGaUSmrKr8Q4pzYSH6jBEhES73yP4Sh8A/uXiwNoLV0PJ
2S3JPOC/5H159bGgRhZyE0PjS7jnRlO6SCCnuUUhgnlRJd/w9+LVEf8UG0P3B8us
TV25drHEEprcR48tgfiFKEzNuv7o9PJWUnckM4HXGQLktj1pdoTfBfcB5tLHOIAy
qoINkVG9ep0=
=Zkp/
—–END PGP SIGNATURE—–
—
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Virtualization security, bug fix, and enhancement update
Advisory ID: RHSA-2020:5218-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2020:5218
Issue date: 2020-11-24
CVE Names: CVE-2020-1730
=====================================================================
1. Summary:
An update for imgbased, redhat-release-virtualization-host, and
redhat-virtualization-host is now available for Red Hat Virtualization 4
for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
RHEL 8-based RHEV-H for RHEV 4 (build requirements) – noarch, x86_64
Red Hat Virtualization 4 Hypervisor for RHEL 8 – noarch
3. Description:
The redhat-virtualization-host packages provide the Red Hat Virtualization
Host. These packages include redhat-release-virtualization-host,
ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are
installed using a special build of Red Hat Enterprise Linux with only the
packages required to host virtual machines. RHVH features a Cockpit user
interface for monitoring the host’s resources and performing administrative
tasks.
The redhat-virtualization-host packages provide the Red Hat Virtualization
Host. These packages include redhat-release-virtualization-host,
ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are
installed using a special build of Red Hat Enterprise Linux with only the
packages required to host virtual machines. RHVH features a Cockpit user
interface for monitoring the host’s resources and performing administrative
tasks.
The ovirt-node-ng packages provide the Red Hat Virtualization Host. These
packages include redhat-release-virtualization-host, ovirt-node, and
rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a
special build of Red Hat Enterprise Linux with only the packages required
to host virtual machines. RHVH features a Cockpit user interface for
monitoring the host’s resources and performing administrative tasks.
The following packages have been upgraded to a later upstream version:
imgbased (1.2.13), redhat-release-virtualization-host (4.4.3),
redhat-virtualization-host (4.4.3). (BZ#1814517, BZ#1868293, BZ#1886484)
Security Fix(es):
* libssh: denial of service when handling AES-CTR (or DES) ciphers
(CVE-2020-1730)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
* [security] gnutls_set_default_priority() (and thus Cockpit logins) fails
when selecting VPP profile during RHVH installation (BZ#1835661)
* Unable to upgrade from rhvh 4.4.1 to 4.4.2 as block storage domains are
detected as local storage domains. (BZ#1886647)
* Failed to install RHVH 4.4.3 due to missing Lvm ThinPool (BZ#1886695)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/2974891
5. Bugs fixed (https://bugzilla.redhat.com/):
1801998 – CVE-2020-1730 libssh: denial of service when handling AES-CTR (or DES) ciphers
1833254 – Register RHVH 4.4 to Engine will fail when security profile is selected
1868293 – Rebase RHV-H on RHEL 8.3
1886484 – redhat-virtualization-host-productimg rhv anaconda installclass needs rebase on RHEL 8.3 anaconda-33.16.3.*
1886647 – Unable to upgrade from rhvh 4.4.1 to 4.4.2 as block storage domains are detected as local storage domains.
1886695 – Failed to install RHVH 4.4.3 due to missing Lvm ThinPool
6. Package List:
Red Hat Virtualization 4 Hypervisor for RHEL 8:
Source:
redhat-virtualization-host-4.4.3-20201116.0.el8_3.src.rpm
noarch:
redhat-virtualization-host-image-update-4.4.3-20201116.0.el8_3.noarch.rpm
RHEL 8-based RHEV-H for RHEV 4 (build requirements):
Source:
imgbased-1.2.13-0.1.el8ev.src.rpm
redhat-release-virtualization-host-4.4.3-1.el8ev.src.rpm
noarch:
imgbased-1.2.13-0.1.el8ev.noarch.rpm
python3-imgbased-1.2.13-0.1.el8ev.noarch.rpm
redhat-virtualization-host-image-update-placeholder-4.4.3-1.el8ev.noarch.rpm
x86_64:
redhat-release-virtualization-host-4.4.3-1.el8ev.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-1730
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1
iQIVAwUBX70HotzjgjWX9erEAQjTeQ//d/ynr7JPIeJsD1LSBNYouX1EhGtI4WGI
p8j+iASB3CygALAjJSkH2G8WHn+c7aAxUrPRxoXH8WRH/KbI9eVlux5Okqcmcn2L
PfxZnufin35Ow5MEfvD0jD9gRsbPaYMR7zSPrI4ZFVUTznq+h9Tw1ImRVkQ/UOBV
ov1hyVhkFVd4tpm0uSlZVn0y4Nnkb6pJHmcfdE+la3Ph0PFheq4jTktNGOo7cFV0
5NAxZqIioWG+Phy5zG3fDOhBwWzkBcyUZPakcNJOGRJkgaEmc8KAO3C3+Y9Y57S8
CvyiUB0OZyQznudIhN7gDEGKYPaVd7e8DVjRJc2O9rEXpic+z8OOWJX9erAU+N6b
C3oBCm6LO2DG84c8Fh091fjvCQHWtum+lF5IvnrIvVzGxHCXB4n4Od5JupVb05Bb
+NIoQt9MmhF3miNUwUW8kn9GgpLxcV6w20GlJ8Ys8IRv7UKMFZsLENUbgTVhE4ys
MydN+culkUA2hflV5QHmRYsEu0cwm2kqwnnyD3XSzCOr0954VB/8cetYtbf0tQE9
lvPwikmD51JRx6IqGBcg1dbDcBJdtp3PDBJo2BeFZdqIOybC992zdLzgVgvobHxv
H6QZfS9Kj4S/8cqebIOyDtvX37yylwGK5YgDbPlaBnD5lflbdTFSuh4FFOZRO2fx
FZdBZffYzHA=
=hOzI
—–END PGP SIGNATURE—–
—
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce