Issued:: 2020-06-01
Updated:: 2020-06-01

RHSA-2020:2342 - Security Advisory

Overview
Updated Packages

Synopsis

Important: qemu-kvm-rhev bug fix update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for qemu-kvm-rhev is now available for Red Hat Virtualization for Red Hat Virtualization Host 7.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products.

Security Fix(es):

CVE-2020-8608 QEMU: Slirp: potential OOB access due to unsafe snprintf() usages
CVE-2020-7039 QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu()
CVE-2019-14378 QEMU: slirp: heap buffer overflow during packet reassembly

This update fixes the following bug:

BZ 1804577 Backport: Passthrough host CPU microcode version to KVM guest if using CPU passthrough to RHEL 7.7/7.8 [rhel-7.6.z]

Users of qemu-kvm are advised to upgrade to these updated packages. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/2974891

Affected Products

Red Hat Virtualization Manager 4.2 x86_64

Fixes

BZ - 1734745 - CVE-2019-14378 QEMU: slirp: heap buffer overflow during packet reassembly
BZ - 1791551 - CVE-2020-7039 QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu()
BZ - 1798453 - CVE-2020-8608 QEMU: Slirp: potential OOB access due to unsafe snprintf() usages
BZ - 1804577 - Backport: Passthrough host CPU microcode version to KVM guest if using CPU passthrough to RHEL 7.7/7.8 [rhel-7.6.z]

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Virtualization Manager 4.2

SRPM
qemu-kvm-rhev-2.12.0-18.el7_6.11.src.rpm	SHA-256: 469e0f2aaf118354a235f7d77bcfabb433ea3b114430dbadfb7b29f9e3b8137a
x86_64
qemu-img-rhev-2.12.0-18.el7_6.11.x86_64.rpm	SHA-256: fd9eed4b6f65c01b8a856518c29dc63df38b8eea99778a1f97a48e1ebdbb84f3
qemu-kvm-common-rhev-2.12.0-18.el7_6.11.x86_64.rpm	SHA-256: 064ef0d168102418fb9310718ebf58b851e51449962fd98db807dae5213156ac
qemu-kvm-rhev-2.12.0-18.el7_6.11.x86_64.rpm	SHA-256: 5ac52ba4d8e30a9a7f618b6bba84b48d2a268ace0a91843c56f30f70d71bbf3d
qemu-kvm-rhev-debuginfo-2.12.0-18.el7_6.11.x86_64.rpm	SHA-256: 5b1aaeb79583247dff93050152b3d47c5e01233b03778e93fb8942e95c5e91d7
qemu-kvm-tools-rhev-2.12.0-18.el7_6.11.x86_64.rpm	SHA-256: 2a8ef1542ba0b2110dc9c5c74b24a3c9541ab2e8f8d101d171b0e8073b662fde

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation