Chapter 1. RHSA-2022:5555-09 Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.1] security, bug fix and update
The bugs in this chapter are addressed by advisory RHSA-2022:5555-09. Further information about this advisory is available at https://errata.devel.redhat.com/advisory/96099
1.1. ovirt-engine
BZ#2099650
A bug that caused the upgrade process to fail if the vdc_options table contained records with a NULL default value has been fixed.
BZ#2006625
Previously, memory allocated by hugepages was included in the host memory usage calculation, resulting in high memory usage in the Administration Portal, even with no running VMs, and false VDS_HIGH_MEM_USE warnings in the logs. In this release, hugepages are not included in the memory usage. VDS_HIGH_MEM_USE warnings are logged only when normal (not hugepages) memory usage is above a defined threshold. Memory usage in the Administration Portal is calculated from the normal and hugepages used memory, not from allocated memory.
BZ#2072626
The ovirt-engine-notifier correctly increments the SNMP EngineBoots value after restarts, which enables the ovirt-engine-notifier to work with the SNMPv3 authPriv security level.
BZ#1663217
The hostname and/or FQDN of the VM or VDSM host can change after a virtual machine (VM) is created. Previously, this change could prevent the VM from fetching errata from Red Hat Satellite/Foreman. With this enhancement, errata can be fetched even if the VM hostname or FQDN changes.
BZ#1994144
The email address for notifications is updated correctly on the ``Manage Events'' screen.
BZ#2001923
Previously, when a failed VM snapshot was removed from the Manager database while the volume remained on the storage, subsequent operations failed because there was a discrepancy between the storage and the database. Now, the VM snapshot is retained if the volume is not removed from the storage.
BZ#1782077
An ``isolated threads'' CPU pinning policy has been added. This policy pins a physical core exclusively to a virtual CPU, enabling a complete physical core to be used as the virtual core of a single virtual machine.
BZ#1958032
Previously, live storage migration could fail if the destination volume filled up before it was extended. In the current release, the initial size of the destination volume is larger and the extension is no longer required.
BZ#1976607
VGA has replaced QXL as the default video device for virtual machines. You can switch from QXL to VGA using the API by removing the graphic and video devices from the VM (creating a headless VM) and then adding a VNC graphic device.
BZ#2001574
Previously, when closing the ``Move/Copy disk'' dialog in the Administration Portal, some of the acquired resources were not released, causing browser slowness and high memory usage in environments with many disks. In this release, the memory leak has been fixed.
BZ#2030293
A VM no longer remains in a permanent locked state if the Manager is rebooted while exporting the VM as OVA.
BZ#2068270
Previously, when downloading snapshots, the disk_id was not set, which caused resumption of the transfer operation to fail because locking requires the disk_id to be set. In this release, the disk_id is always set so that the transfer operation recovers after restart.
BZ#2081241
Previously, VMs with one or more VFIO devices, Q35 chipset, and maximum number of vCPUs >= 256 might fail to start because of a memory allocation error reported by the QEMU guest agent. This error has been fixed.
BZ#2105296
Virtual machines with VNC created by earlier Manager versions sometimes failed to migrate to newer hosts because the VNC password was too long. This issue has been fixed.
BZ#1703153
There is a workaround for creating a RHV Manager hostname that is longer than 95 characters.
- Create a short FQDN, up to 63 characters, for the engine-setup tool.
- Create a custom certificate and put the short FQDN and a long FQDN (final hostname) into the certificate’s Subject Alternate Name field.
- Configure the Manager to use the custom certificate.
-
Create an
/etc/ovirt-engine/engine.conf.d/99-alternate-engine-fqdns.conf
file with the following content: SSO_ALTERNATE_ENGINE_FQDNS=``long FQDN'' -
Restart the
ovirt-engine
service.
If you cannot access the Manager and are using a very long FQDN: 1. Check for the following error message in /var/log/httpd/error_log
: ajp_msg_check_header() incoming message is too big NNNN, max is MMMM
2. Add the following line to /etc/httpd/conf.d/z-ovirt-engine-proxy.conf
: ProxyIOBufferSize PPPP where PPPP
is greater than NNNN
in the error message. Restart Apache.
1.2. ovirt-log-collector
BZ#2093795
Rebase package(s) to version: 4.4.6 This fixes an issue which prevented the collection of PostgreSQL data and the documentation of the –log-size option.
1.3. rhv-log-collector-analyzer
BZ#2081559
The rhv-log-collector-analyzer discrepancy tool now detects preallocated QCOW2 images that have been reduced.
1.4. rhvm-branding-rhv
BZ#2092885
The Welcome page of the Administration Portal now displays both the upstream and downstream version names.
1.5. vdsm
BZ#2070045
The host no longer enters a non-responsive state if the OVF store update operation times out because of network errors.
1.6. vulnerability
BZ#1966615
A flaw was found in nodejs-trim-newlines. Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
BZ#1981895
A flaw was found in apache-commons-compress. When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This flaw allows the mounting of a denial of service attack against services that use Compress’ SevenZ package. The highest threat from this vulnerability is to system availability.
BZ#1981900
A flaw was found in apache-commons-compress. When reading a specially crafted 7Z archive, Compress can allocate large amounts of memory that leads to an out-of-memory error for very small inputs. This flaw allows the mounting of a denial of service attack against services that use Compress’ SevenZ package. The highest threat from this vulnerability is to system availability.
BZ#1981903
A flaw was found in apache-commons-compress. When reading a specially crafted TAR archive, Compress can allocate large amounts of memory that leads to an out-of-memory error for small inputs. This flaw allows the mounting of a denial of service attack against services that use Compress’ TAR package. The highest threat from this vulnerability is to system availability.
BZ#1981909
A flaw was found in apache-commons-compress. When reading a specially crafted ZIP archive, Compress can allocate large amounts of memory that leads to an out-of-memory error for small inputs. This flaw allows the mounting of a denial of service attack against services that use Compress’ zip package. The highest threat from this vulnerability is to system availability.
BZ#2007557
A regular expression denial of service (ReDoS) vulnerability was found in nodejs-ansi-regex. This could possibly cause an application using ansi-regex to use an excessive amount of CPU time when matching crafted ANSI escape codes.
BZ#2069414
A flaw was found in the Spring Framework. This flaw allows an attacker to craft a special Spring Expression, causing a denial of service.
BZ#2097414
A vulnerability was found in semantic-release. Secrets that are normally masked are accidentally disclosed if they contain characters excluded from uri encoding by encodeURI()
. The vulnerability is further limited to execution contexts where push access to the related repository is unavailable without modifying the repository URL to inject credentials.