Red Hat Product Errata RHSA-2017:0988 - Security Advisory

Issued:: 2017-04-18
Updated:: 2017-04-18

RHSA-2017:0988 - Security Advisory

Overview
Updated Packages

Synopsis

Important: qemu-kvm-rhev security update

Type/Severity

Security Advisory: Important

Topic

An update for qemu-kvm-rhev is now available for Red Hat OpenStack Platform 10.0 (Newton).

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products.

Security Fix(es):

Quick Emulator (QEMU), built with the Cirrus CLGD 54xx VGA Emulator and the VNC display driver support, is vulnerable to a heap buffer overflow issue. The issue could occur when a VNC client attempts to update its display after a VGA operation is performed by a guest. A privileged user/process inside guest could use this flaw to crash the QEMU process resulting in DoS or, potentially, leverage it to execute arbitrary code on the host with privileges of the QEMU process. (CVE-2016-9603)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

Affected Products

Red Hat OpenStack 10 x86_64

Fixes

BZ - 1430056 - CVE-2016-9603 Qemu: cirrus: heap buffer overflow via vnc connection

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 10

SRPM
qemu-kvm-rhev-2.6.0-28.el7_3.9.src.rpm	SHA-256: 3674af01637627a31d434247c513c76ec8f65707e1249f675614ef031f9fbb30
x86_64
qemu-img-rhev-2.6.0-28.el7_3.9.x86_64.rpm	SHA-256: 2ca945b22de39de5c7d7546cd26632cb2930aed95ddab5d8244ee9a4b090f403
qemu-kvm-common-rhev-2.6.0-28.el7_3.9.x86_64.rpm	SHA-256: 2a8e3c5a13008d7bda37c11345fded1583b794ea6edfb29b09375bb0bfd541f5
qemu-kvm-rhev-2.6.0-28.el7_3.9.x86_64.rpm	SHA-256: 937cf6453957ae26fee902b6cdfd7cc1b01793ada0b55446a2d59723a448fd96
qemu-kvm-rhev-debuginfo-2.6.0-28.el7_3.9.x86_64.rpm	SHA-256: 8ffb80072ccc66f506a40c3ce1dc17f575ca6770c65b03972c88bbb6a05ed003
qemu-kvm-tools-rhev-2.6.0-28.el7_3.9.x86_64.rpm	SHA-256: 65f3f3eb40cf3911a906058a4296eb6cc8d44f9147486bdc867d29895a0ea807

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories