Red Hat Product Errata RHSA-2014:0396 - Security Advisory

Issued:: 2014-04-10
Updated:: 2014-04-10

RHSA-2014:0396 - Security Advisory

Overview
Updated Packages

Synopsis

Important: rhev-hypervisor6 security update

Type/Severity

Security Advisory: Important

Topic

An updated rhev-hypervisor6 package that fixes one security issue is now
available for Red Hat Enterprise Virtualization Hypervisor 3.2.

The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Description

The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization
Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor
is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes
everything necessary to run and manage virtual machines: a subset of the
Red Hat Enterprise Linux operating environment and the Red Hat Enterprise
Virtualization Agent.

Important: This update is an emergency security fix being provided outside
the scope of the published support policy for Red Hat Enterprise
Virtualization listed in the References section. In accordance with the
support policy for Red Hat Enterprise Virtualization, Red Hat Enterprise
Virtualization Hypervisor 3.2 will not receive future security updates.

Note: Red Hat Enterprise Virtualization Hypervisor is only available for
the Intel 64 and AMD64 architectures with virtualization extensions.

An information disclosure flaw was found in the way OpenSSL handled TLS and
DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server
could send a specially crafted TLS or DTLS Heartbeat packet to disclose a
limited portion of memory per request from a connected client or server.
Note that the disclosed portions of memory could potentially include
sensitive information such as private keys. (CVE-2014-0160)

Red Hat would like to thank the OpenSSL project for reporting this issue.
Upstream acknowledges Neel Mehta of Google Security as the original
reporter.

Users of the Red Hat Enterprise Virtualization Hypervisor are advised to
upgrade to this updated package, which corrects this issue.

Solution

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

To upgrade Hypervisors in Red Hat Enterprise Virtualization environments
using the disk image provided by this package, refer to:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Hypervisor_Deployment_Guide/chap-Deployment_Guide-Upgrading_Red_Hat_Enterprise_Virtualization_Hypervisors.html

Affected Products

Red Hat Virtualization 6 x86_64

Fixes

BZ - 1084875 - CVE-2014-0160 openssl: information disclosure in handling of TLS heartbeat extension packets
BZ - 1085357 - Packaging of RHEV-H for RHEV 3.2.6 ASYNC

CVEs

CVE-2014-0160

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Virtualization 6

SRPM
rhev-hypervisor6-6.5-20140118.1.3.2.el6_5.src.rpm	SHA-256: 03f031c2b8ec7095f4da5323bad766b8b5f317cedd8010b15a5ed8b13350ab0e
x86_64
rhev-hypervisor6-6.5-20140118.1.3.2.el6_5.noarch.rpm	SHA-256: 274e1e01c164574162d20e6823743b9e537541992bffad2874656e5ba4c0d3fd

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Red Hat Customer Portal Labs

Additional Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories