Red Hat Product Errata RHSA-2019:0457 - Security Advisory

Issued:: 2019-03-05
Updated:: 2019-03-05

RHSA-2019:0457 - Security Advisory

Overview
Updated Packages

Synopsis

Important: redhat-virtualization-host security update

Type/Severity

Security Advisory: Important

Topic

An update for redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.

The following packages have been upgraded to a later upstream version: redhat-release-virtualization-host (4.2), redhat-virtualization-host (4.2). (BZ#1678629, BZ#1679414)

Security Fix(es):

spice: Off-by-one error in array access in spice/server/memslot.c (CVE-2019-3813)
systemd: Insufficient input validation in bus_process_object() resulting in PID 1 crash (CVE-2019-6454)
vdsm: privilege escalation to root via systemd_run (CVE-2019-3831)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

Red Hat Virtualization 4 for RHEL 7 x86_64
Red Hat Virtualization Host 4 x86_64

Fixes

BZ - 1665371 - CVE-2019-3813 spice: Off-by-one error in array access in spice/server/memslot.c
BZ - 1667032 - CVE-2019-6454 systemd: Insufficient input validation in bus_process_object() resulting in PID 1 crash
BZ - 1677108 - CVE-2019-3831 vdsm: privilege escalation to root via systemd_run
BZ - 1677667 - Tracker for RHV-H 4.2.8 Async #3

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Virtualization 4 for RHEL 7

SRPM
redhat-release-virtualization-host-4.2-8.3.el7.src.rpm	SHA-256: 37fdc106a8afe31f9fa64dde48eef8ad445db73695476b5dafcf695e862c4b39
x86_64
redhat-release-virtualization-host-4.2-8.3.el7.x86_64.rpm	SHA-256: e26252cff4a82ebe00aa8911f9a93ed43b6c25566e13277bbb07371fbc0fbb13
redhat-virtualization-host-image-update-placeholder-4.2-8.3.el7.noarch.rpm	SHA-256: 33e98d332b7c665127c14074bccacfc595de8c45985fe73c7e0c0d4dea866e13

Red Hat Virtualization Host 4

SRPM
redhat-virtualization-host-4.2-20190219.0.el7_6.src.rpm	SHA-256: 3194179b6cd9579568db1d76e57c0458b0471b5818b2c5cb65cf493b1a487b09
x86_64
redhat-virtualization-host-image-update-4.2-20190219.0.el7_6.noarch.rpm	SHA-256: 4120bb0e4e5c4839177a970dd16313195ad8e4cb5379638985170a2bb54092c7

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories