Issued:: 2014-04-08
Updated:: 2014-04-08

RHSA-2014:0378 - Security Advisory

Overview
Updated Packages

Synopsis

Important: rhev-hypervisor6 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An updated rhev-hypervisor6 package that fixes one security issue is now
available.

The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Description

The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization
Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor
is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes
everything necessary to run and manage virtual machines: a subset of the
Red Hat Enterprise Linux operating environment and the Red Hat Enterprise
Virtualization Agent.

Note: Red Hat Enterprise Virtualization Hypervisor is only available for
the Intel 64 and AMD64 architectures with virtualization extensions.

An information disclosure flaw was found in the way OpenSSL handled TLS and
DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server
could send a specially crafted TLS or DTLS Heartbeat packet to disclose a
limited portion of memory per request from a connected client or server.
Note that the disclosed portions of memory could potentially include
sensitive information such as private keys. (CVE-2014-0160)

Red Hat would like to thank the OpenSSL project for reporting this issue.
Upstream acknowledges Neel Mehta of Google Security as the original
reporter.

Users of the Red Hat Enterprise Virtualization Hypervisor are advised to
upgrade to this updated package, which corrects this issue.

Solution

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

To upgrade Hypervisors in Red Hat Enterprise Virtualization environments
using the disk image provided by this package, refer to:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Hypervisor_Deployment_Guide/chap-Deployment_Guide-Upgrading_Red_Hat_Enterprise_Virtualization_Hypervisors.html

Affected Products

Red Hat Virtualization 6 x86_64

Fixes

BZ - 1084875 - CVE-2014-0160 openssl: information disclosure in handling of TLS heartbeat extension packets

CVEs

CVE-2014-0160

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Virtualization 6

SRPM
rhev-hypervisor6-6.5-20140407.0.el6ev.src.rpm	SHA-256: 5b4817b7f38382679ec5881e942f1769fcca6c635d0e6c07e4e9352e6c6dfe5d
x86_64
rhev-hypervisor6-6.5-20140407.0.el6ev.noarch.rpm	SHA-256: 83c5b57407d433b080474635f7b49fc298f2141da2fef53f6268eca3070b4a9e

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation