Red Hat Product Errata RHSA-2019:3179 - Security Advisory
Issued:
2019-10-22
Updated:
2019-10-22

RHSA-2019:3179 - Security Advisory

Synopsis

Important: qemu-kvm-rhev security and bug fix update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for qemu-kvm-rhev is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 and Red Hat Virtualization Engine 4.3.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products.

Security Fix(es):

  • QEMU: slirp: heap buffer overflow during packet reassembly (CVE-2019-14378)
  • QEMU: qxl: null pointer dereference while releasing spice resources (CVE-2019-12155)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • ccid: Fix incorrect dwProtocol advertisement of T=0 (BZ#1729880)
  • QEMU gets stuck on resume/cont call from libvirt (BZ#1741937)
  • [v2v] Migration performance regression (BZ#1743322)
  • qemu, qemu-img fail to detect alignment with XFS and Gluster/XFS on 4k block device (BZ#1745443)
  • qemu-kvm: backport cpuidle-haltpoll support (BZ#1746282)
  • qemu aborts in blockCommit: qemu-kvm: block.c:3486 (BZ#1750322)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

Affected Products

  • Red Hat Virtualization Manager 4.3 x86_64
  • Red Hat Virtualization 4 for RHEL 7 x86_64
  • Red Hat Virtualization for IBM Power LE 4 for RHEL 7 ppc64le

Fixes

  • BZ - 1712670 - CVE-2019-12155 QEMU: qxl: null pointer dereference while releasing spice resources
  • BZ - 1729880 - ccid: Fix incorrect dwProtocol advertisement of T=0 [rhel-7.7.z]
  • BZ - 1734745 - CVE-2019-14378 QEMU: slirp: heap buffer overflow during packet reassembly
  • BZ - 1743322 - [v2v] Migration performance regression [rhel-7.7.z]
  • BZ - 1745443 - qemu, qemu-img fail to detect alignment with XFS and Gluster/XFS on 4k block device [rhel-7.7.z]
  • BZ - 1746282 - qemu-kvm: backport cpuidle-haltpoll support [rhel-7.7.z]
  • BZ - 1750322 - qemu aborts in blockCommit: qemu-kvm: block.c:3486 [rhel-7.7.z]

Red Hat Virtualization Manager 4.3

SRPM
qemu-kvm-rhev-2.12.0-33.el7_7.4.src.rpm SHA-256: ba0c13ac5b28bdec4b10ca08025c4d61e8561f6a4241ece4ff877966ae78a1e1
x86_64
qemu-img-rhev-2.12.0-33.el7_7.4.x86_64.rpm SHA-256: 6dcfd61131829d65d91026ab28d0af97f8cd45001c82a782c86e19c1b62a3b43
qemu-kvm-common-rhev-2.12.0-33.el7_7.4.x86_64.rpm SHA-256: 752caa8486906e2a217f28b68815ecad62a01cf8e3529d141a8bc91ef611a2d6
qemu-kvm-rhev-2.12.0-33.el7_7.4.x86_64.rpm SHA-256: 6f370a1e0f7f306be7877d4b76aa16cd47db501f3dc8d6575577f9c8e87ea770
qemu-kvm-rhev-debuginfo-2.12.0-33.el7_7.4.x86_64.rpm SHA-256: 772aacd4b1cfb2df0ff60f9c050b9d1218880992db472b3d7c31ec3550fa02b9
qemu-kvm-tools-rhev-2.12.0-33.el7_7.4.x86_64.rpm SHA-256: af466cccf7b1d2b00f7147e2cfb87e9c48ca5fd29c08c0427cc920e7133e975d

Red Hat Virtualization 4 for RHEL 7

SRPM
qemu-kvm-rhev-2.12.0-33.el7_7.4.src.rpm SHA-256: ba0c13ac5b28bdec4b10ca08025c4d61e8561f6a4241ece4ff877966ae78a1e1
x86_64
qemu-img-rhev-2.12.0-33.el7_7.4.x86_64.rpm SHA-256: 6dcfd61131829d65d91026ab28d0af97f8cd45001c82a782c86e19c1b62a3b43
qemu-kvm-common-rhev-2.12.0-33.el7_7.4.x86_64.rpm SHA-256: 752caa8486906e2a217f28b68815ecad62a01cf8e3529d141a8bc91ef611a2d6
qemu-kvm-rhev-2.12.0-33.el7_7.4.x86_64.rpm SHA-256: 6f370a1e0f7f306be7877d4b76aa16cd47db501f3dc8d6575577f9c8e87ea770
qemu-kvm-rhev-debuginfo-2.12.0-33.el7_7.4.x86_64.rpm SHA-256: 772aacd4b1cfb2df0ff60f9c050b9d1218880992db472b3d7c31ec3550fa02b9
qemu-kvm-tools-rhev-2.12.0-33.el7_7.4.x86_64.rpm SHA-256: af466cccf7b1d2b00f7147e2cfb87e9c48ca5fd29c08c0427cc920e7133e975d

Red Hat Virtualization for IBM Power LE 4 for RHEL 7

SRPM
qemu-kvm-rhev-2.12.0-33.el7_7.4.src.rpm SHA-256: ba0c13ac5b28bdec4b10ca08025c4d61e8561f6a4241ece4ff877966ae78a1e1
ppc64le
qemu-img-rhev-2.12.0-33.el7_7.4.ppc64le.rpm SHA-256: c046da4005c4e79d17ed9540698fe295b709209192dbeb2d160459eb85e0533a
qemu-img-rhev-2.12.0-33.el7_7.4.ppc64le.rpm SHA-256: c046da4005c4e79d17ed9540698fe295b709209192dbeb2d160459eb85e0533a
qemu-kvm-common-rhev-2.12.0-33.el7_7.4.ppc64le.rpm SHA-256: 2e7edc6ecba3188b5e8e35bde1084da2049f65aadf381ab234fae1a3c504d7d3
qemu-kvm-common-rhev-2.12.0-33.el7_7.4.ppc64le.rpm SHA-256: 2e7edc6ecba3188b5e8e35bde1084da2049f65aadf381ab234fae1a3c504d7d3
qemu-kvm-rhev-2.12.0-33.el7_7.4.ppc64le.rpm SHA-256: e0de9198932eaee080428ae712964fff9447d3b079b47f9ee772088d06cf7363
qemu-kvm-rhev-2.12.0-33.el7_7.4.ppc64le.rpm SHA-256: e0de9198932eaee080428ae712964fff9447d3b079b47f9ee772088d06cf7363
qemu-kvm-rhev-debuginfo-2.12.0-33.el7_7.4.ppc64le.rpm SHA-256: e713c99ec70869934f4c092ff8072e2805a80724108d24b0705968ce59adb744
qemu-kvm-rhev-debuginfo-2.12.0-33.el7_7.4.ppc64le.rpm SHA-256: e713c99ec70869934f4c092ff8072e2805a80724108d24b0705968ce59adb744
qemu-kvm-tools-rhev-2.12.0-33.el7_7.4.ppc64le.rpm SHA-256: 485c26ce960a3910b69f39fef6095b890a23f92e0b4849bca4f552d8e32de0e3
qemu-kvm-tools-rhev-2.12.0-33.el7_7.4.ppc64le.rpm SHA-256: 485c26ce960a3910b69f39fef6095b890a23f92e0b4849bca4f552d8e32de0e3

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.