Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
  • Products & Services

    Products

    Support

    • Production Support
    • Development Support
    • Product Life Cycles

    Services

    • Consulting
    • Technical Account Management
    • Training & Certifications

    Documentation

    • Red Hat Enterprise Linux
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenStack Platform
    • Red Hat OpenShift Container Platform
    All Documentation

    Ecosystem Catalog

    • Red Hat Partner Ecosystem
    • Partner Resources
  • Tools

    Tools

    • Troubleshoot a product issue
    • Packages
    • Errata

    Customer Portal Labs

    • Configuration
    • Deployment
    • Security
    • Troubleshoot
    All labs

    Red Hat Insights

    Increase visibility into IT operations to detect and resolve technical issues before they impact your business.

    Learn More
    Go to Insights
  • Security

    Red Hat Product Security Center

    Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

    Product Security Center

    Security Updates

    • Security Advisories
    • Red Hat CVE Database
    • Security Labs

    Keep your systems secure with Red Hat's specialized responses to security vulnerabilities.

    View Responses

    Resources

    • Security Blog
    • Security Measurement
    • Severity Ratings
    • Backporting Policies
    • Product Signing (GPG) Keys
  • Community

    Customer Portal Community

    • Discussions
    • Private Groups
    Community Activity

    Customer Events

    • Red Hat Convergence
    • Red Hat Summit

    Stories

    • Red Hat Subscription Value
    • You Asked. We Acted.
    • Open Source Communities
Or troubleshoot an issue.

Select Your Language

  • English
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Integration
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
  • Red Hat JBoss Data Virtualization
  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager
All Products
Red Hat Product Errata RHSA-2015:0197 - Security Advisory
Issued:
2014-07-25
Updated:
2015-02-11

RHSA-2015:0197 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Moderate: rhevm-spice-client security and bug fix update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated rhevm-spice-client packages that fix two security issues and
several bugs are now available for Red Hat Enterprise Virtualization
Manager 3.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

Red Hat Enterprise Virtualization Manager provides access to virtual
machines using SPICE. These SPICE client packages provide the SPICE client
and usbclerk service for both Windows 32-bit operating systems and Windows
64-bit operating systems.

A race condition was found in the way OpenSSL handled ServerHello messages
with an included Supported EC Point Format extension. A malicious server
could possibly use this flaw to cause a multi-threaded TLS/SSL client using
OpenSSL to write into freed memory, causing the client to crash or execute
arbitrary code. (CVE-2014-3509)

A flaw was found in the way OpenSSL handled fragmented handshake packets.
A man-in-the-middle attacker could use this flaw to force a TLS/SSL server
using OpenSSL to use TLS 1.0, even if both the client and the server
supported newer protocol versions. (CVE-2014-3511)

This update also fixes the following bugs:

  • Previously, various clipboard managers, operating on the client or on the

guest, would occasionally lose synchronization, which resulted in clipboard
data loss and the SPICE console freezing. Now, spice-gtk have been patched,
such that clipboard synchronization does not freeze the SPICE console
anymore. (BZ#1083489)

  • Prior to this update, when a SPICE console was launched from the Red Hat

Enterprise Virtualization User Portal with the 'Native Client' invocation
method and 'Open in Full Screen' selected, the displays of the guest
virtual machine were not always configured to match the client displays.
After this update, the SPICE console will show a full-screen guest display
for each client monitor. (BZ#1076243)

  • A difference in behavior between Linux and Windows clients caused an

extra nul character to be sent when pasting text in a guest machine from a
Windows client. This invisible character was visible in some Java
applications. With this update, the extra nul character is removed from
text strings and no more extraneous character would appear. (BZ#1090122)

  • Previously, If the clipboard is of type image/bmp, and the data is of 0

size, GTK+ will crash. With this update, the data size is checked first,
and GTK+ no longer crashes when clipboard is of type image/bmp, and the
data is of 0 size. (BZ#1090433)

  • Modifier-only key combinations cannot be registered by users as hotkeys

so if a user tries to set a modifier-only key sequence (for example,
'ctrl+alt') as the hotkey for releasing the cursor, it will fail, and the
user will be able to release the cursor from the window. With this update,
when a modifier-only hotkey is attempted to be registered, it will fall
back to the default cursor-release sequence (which happens to be
'ctrl+alt'). (BZ#985319)

  • Display configuration sometimes used outdated information about the

position of the remote-viewer windows in order to align and configure the
guest displays. Occasionally, this caused the guest displays to became
unexpectedly swapped when a window is resized. With this update,
remote-viewer will always use the current window locations to align
displays, rather than using a possibly outdated cached location
information. (BZ#1018182)

All rhevm-spice-client users are advised to upgrade to these updated
packages, which contain backported patches to correct these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Virtualization 3.5 x86_64

Fixes

  • BZ - 1018145 - --full-screen=auto-conf sometimes (but frequently) doesn't work correctly
  • BZ - 1018182 - primary monitor is switched if some screen gets bigger then current primary screen
  • BZ - 1076243 - [BUG] RHEV SPICE console not opening in full screen or detecting resolution by default
  • BZ - 1083489 - [SPICE][BUG] Spice session freezes randomly
  • BZ - 1090122 - Pasting into java apps inserts unprintable character
  • BZ - 1090433 - [GTK][BUG] win32: add more clipboard data checks to avoid crash
  • BZ - 1103366 - Rebase virt-viewer to 0.6.0
  • BZ - 1105650 - Fix windows productversion to fit -z releases
  • BZ - 1115445 - in About dialog, hyphen version-build dividing hyphen is missing
  • BZ - 1127498 - CVE-2014-3509 openssl: race condition in ssl_parse_serverhello_tlsext
  • BZ - 1127504 - CVE-2014-3511 openssl: TLS protocol downgrade attack

CVEs

  • CVE-2014-3511
  • CVE-2014-3509

References

  • https://access.redhat.com/security/updates/classification/#moderate
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Virtualization 3.5

SRPM
rhevm-spice-client-3.5-2.el6.src.rpm SHA-256: a171a4abc493ec3d1ae0dd6b136df72d1be9f79a947afdee57a665d6ad9a24aa
x86_64
rhevm-spice-client-x64-cab-3.5-2.el6.noarch.rpm SHA-256: 2eb2e4e4f54e29a97164ce77cda7eeec47e2ce90c0587cbd327d4a165e779d0b
rhevm-spice-client-x64-msi-3.5-2.el6.noarch.rpm SHA-256: e12adaf29b5fdd5c012bec9662f941126b4cb9d59d3e5e3cdb4ef16e3a016fb3
rhevm-spice-client-x86-cab-3.5-2.el6.noarch.rpm SHA-256: 30d075cfc0b692236853fc28e9b57dbcf6963e7e821263991f4fbb43672876b1
rhevm-spice-client-x86-msi-3.5-2.el6.noarch.rpm SHA-256: 958a78effacced3dca25e74faf58e90a19620401cbdf6c71dce62027f40b391a

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

About

  • Red Hat Subscription Value
  • About Red Hat
  • Red Hat Jobs
Copyright © 2023 Red Hat, Inc.
  • Privacy Statement
  • Customer Portal Terms of Use
  • All Policies and Guidelines
Red Hat Summit
Twitter