RHSA-2020:3247 - Security Advisory

Topic

Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.

The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a VM Portal, and a Representational State Transfer (REST) Application Programming Interface (API).

A list of bugs fixed in this update is available in the Technical Notes
book:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Security Fix(es):

• apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)
• libquartz: XXE attacks via job description (CVE-2019-13990)
• novnc: XSS vulnerability via the messages propagated to the status field (CVE-2017-18635)
• bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)
• nimbus-jose-jwt: Uncaught exceptions while parsing a JWT (CVE-2019-17195)
• ovirt-engine: response_type parameter allows reflected XSS (CVE-2019-19336)
• nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598)
• ovirt-engine: Redirect to arbitrary URL allows for phishing (CVE-2020-10775)
• Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
• jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/2974891

Affected Products

• Red Hat Virtualization Manager 4.4 x86_64

Fixes

• BZ - 1080097 - [RFE] Allow editing disks details in the Disks tab
• BZ - 1325468 - [RFE] Autostart of VMs that are down (with Engine assistance - Engine has to be up)
• BZ - 1358501 - [RFE] multihost network change - notify when done
• BZ - 1427717 - [RFE] Create and/or select affinity group upon VM creation.
• BZ - 1475774 - RHV-M requesting four GetDeviceListVDSCommand when editing storage domain
• BZ - 1507438 - not able to deploy new rhvh host when "/tmp" is mounted with "noexec" option
• BZ - 1523835 - Hosted-Engine: memory hotplug does not work for engine vm
• BZ - 1527843 - [Tracker] Q35 chipset support (with seabios)
• BZ - 1529042 - [RFE] Changing of Cluster CPU Type does not trigger config update notification
• BZ - 1535796 - Undeployment of HE is not graceful
• BZ - 1546838 - [RFE] Refuse to deploy on localhost.localdomain
• BZ - 1547937 - [RFE] Live Storage Migration progress bar.
• BZ - 1585986 - [HE] When lowering the cluster compatibility, we need to force update the HE storage OVF store to ensure it can start up (migration will not work).
• BZ - 1593800 - [RFE] forbid new mac pools with overlapping ranges
• BZ - 1596178 - inconsistent display between automatic and manual Pool Type
• BZ - 1600059 - [RFE] Add by default a storage lease to HA VMs
• BZ - 1610212 - After updating to RHV 4.1 while trying to edit the disk, getting error "Cannot edit Virtual Disk. Cannot edit Virtual Disk. Disk extension combined with disk compat version update isn't supported. Please perform the updates separately."
• BZ - 1611395 - Unable to list Compute Templates in RHV 4.2 from Satellite 6.3.2
• BZ - 1616451 - [UI] add a tooltip to explain the supported matrix for the combination of disk allocation policies, formats and the combination result
• BZ - 1637172 - Live Merge hung in the volume deletion phase, leaving snapshot in a LOCKED state
• BZ - 1640908 - Javascript Error popup when Managing StorageDomain with LUNs and 400+ paths
• BZ - 1642273 - [UI] - left nav border highlight missing in RHV
• BZ - 1647440 - [RFE][UI] Provide information about the VM next run
• BZ - 1648345 - Jobs are not properly cleaned after a failed task.
• BZ - 1650417 - HA is broken for VMs having disks in NFS storage domain because of Qemu OFD locking
• BZ - 1650505 - Increase of ClusterCompatibilityVersion to Cluster with virtual machines with outstanding configuration changes, those changes will be reverted
• BZ - 1651406 - [RFE] Allow Maintenance of Host with Enforcing VM Affinity Rules (hard affinity)
• BZ - 1651939 - a new size of the direct LUN not updated in Admin Portal
• BZ - 1654069 - [Downstream Clone] [UI] - grids bottom scrollbar hides bottom row
• BZ - 1654889 - [RFE] Support console VNC for mediated devices
• BZ - 1656621 - Importing VM OVA always enables 'Cloud-Init/Sysprep'
• BZ - 1658101 - [RESTAPI] Adding ISO disables serial console
• BZ - 1659161 - Unable to edit pool that is delete protected
• BZ - 1660071 - Regression in Migration of VM that starts in pause mode: took 11 hours
• BZ - 1660644 - Concurrent LSMs of the same disk can be issued via the REST-API
• BZ - 1663366 - USB selection option disabled even though USB support is enabled in RHV-4.2
• BZ - 1664479 - Third VM fails to get migrated when host is placed into maintenance mode
• BZ - 1666913 - [UI] warn users about different "Vdsm Name" when creating network with a fancy char or long name
• BZ - 1670102 - [CinderLib] - openstack-cinder and cinderlib packages are not installed on ovirt-engine machine
• BZ - 1671876 - "Bond Active Slave" parameter on RHV-M GUI shows an incorrect until Refresh Caps
• BZ - 1679039 - Unable to upload image through Storage->Domain->Disk because of wrong DC
• BZ - 1679110 - [RFE] change Admin Portal toast notifications location
• BZ - 1679471 - [ja, de, es, fr, pt_BR] The console client resources page shows truncated title for some locales
• BZ - 1679730 - Warn about host IP addresses outside range
• BZ - 1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute
• BZ - 1686650 - Memory snapshots' deletion logging unnecessary WARNINGS in engine.log
• BZ - 1687345 - Snapshot with memory volumes can fail if the memory dump takes more than 180 seconds
• BZ - 1690026 - [RFE] - Creating an NFS storage domain the engine should let the user specify exact NFS version v4.0 and not just v4
• BZ - 1690155 - Disk migration progress bar not clearly visible and unusable.
• BZ - 1690475 - When a live storage migration fails, the auto generated snapshot does not get removed
• BZ - 1691562 - Cluster level changes are not increasing VMs generation numbers and so a new OVF_STORE content is not copied to the shared storage
• BZ - 1692592 - "Enable menu to select boot device shows 10 device listed with cdrom at 10th slot but when selecting 10 option the VM took 1 as option and boot with disk
• BZ - 1693628 - Engine generates too many updates to vm_dynamic table due to the session change
• BZ - 1693813 - Do not change DC level if there are VMs running/paused with older CL.
• BZ - 1695026 - Failure in creating snapshots during "Live Storage Migration" can result in a nonexistent snapshot
• BZ - 1695635 - [RFE] Improve Host Drop-down menu in different Dialogs (i.e. Alphabetical sort of Hosts in Remove|New StorageDomains)
• BZ - 1696245 - [RFE] Allow full customization while cloning a VM
• BZ - 1696669 - Build bouncycastle for RHV 4.4 RHEL 8
• BZ - 1696676 - Build ebay-cors-filter for RHV 4.4 RHEL 8
• BZ - 1698009 - Build openstack-java-sdk for RHV 4.4 RHEL 8
• BZ - 1698102 - Print a warning message to engine-setup, which highlights that other clusters than the Default one are not modified to use ovirt-provider-ovn as the default network provider
• BZ - 1700021 - [RFE] engine-setup should warn and prompt if ca.pem is missing but other generated pki files exist
• BZ - 1700036 - [RFE] Add RedFish API for host power management for RHEV
• BZ - 1700319 - VM is going to pause state with "storage I/O error".
• BZ - 1700338 - [RFE] Alternate method to configure the email Event Notifier for a user in RHV through API (instead of RHV GUI)
• BZ - 1700725 - [scale] RHV-M runs out of memory due to to much data reported by the guest agent
• BZ - 1700867 - Build makeself for RHV 4.4 RHEL 8
• BZ - 1701476 - Build unboundid-ldapsdk for RHV 4.4 RHEL 8
• BZ - 1701491 - Build RHV-M 4.4 - RHEL 8
• BZ - 1701522 - Build ovirt-imageio-proxy for RHV 4.4 / RHEL 8
• BZ - 1701528 - Build / Tag python-ovsdbapp for RHV 4.4 RHEL 8
• BZ - 1701530 - Build / Tag ovirt-cockpit-sso for RHV 4.4 RHEL 8
• BZ - 1701531 - Build / Tag ovirt-engine-api-explorer for RHV 4.4 RHEL 8
• BZ - 1701533 - Build / Tag ovirt-engine-dwh for RHV 4.4 / RHEL 8
• BZ - 1701538 - Build / Tag vdsm-jsonrpc-java for RHV 4.4 RHEL 8
• BZ - 1701544 - Build rhvm-dependencies for RHV 4.4 RHEL 8
• BZ - 1702310 - Build / Tag ovirt-engine-ui-extensions for RHV 4.4 RHEL 8
• BZ - 1702312 - Build ovirt-log-collector for RHV 4.4 RHEL 8
• BZ - 1703112 - PCI address of NICs are not stored in the database after a hotplug of passthrough NIC resulting in change of network device name in VM after a reboot
• BZ - 1703428 - VMs migrated from KVM to RHV show warning 'The latest guest agent needs to be installed and running on the guest'
• BZ - 1707225 - [cinderlib] Cinderlib DB is missing a backup and restore option
• BZ - 1708624 - Build rhvm-setup-plugins for RHV 4.4 - RHEL 8
• BZ - 1710491 - No EVENT_ID is generated in /var/log/ovirt-engine/engine.log when VM is rebooted from OS level itself.
• BZ - 1711006 - Metrics installation fails during the execution of playbook ovirt-metrics-store-installation if the environment is not having DHCP
• BZ - 1712255 - Drop 4.1 datacenter/cluster level
• BZ - 1712746 - [RFE] Ignition support for ovirt vms
• BZ - 1712890 - engine-setup should check for snapshots in unsupported CL
• BZ - 1714528 - Missing IDs on cluster upgrade buttons
• BZ - 1714633 - Using more than one asterisk in the search string is not working when searching for users.
• BZ - 1714834 - Cannot disable SCSI passthrough using API
• BZ - 1715725 - Sending credentials in query string logs them in ovirt-request-logs
• BZ - 1716590 - [RFE][UX] Make Cluster-wide "Custom serial number policy" value visible at VM level
• BZ - 1718818 - [RFE] Enhance local disk passthrough
• BZ - 1720686 - Tag ovirt-scheduler-proxy for RHV 4.4 RHEL 8
• BZ - 1720694 - Build ovirt-engine-extension-aaa-jdbc for RHV 4.4 RHEL 8
• BZ - 1720795 - New guest tools are available mark in case of guest tool located on Data Domain
• BZ - 1724959 - RHV recommends reporting issues to GitHub rather than access.redhat.com (ovirt->RHV rebrand glitch?)
• BZ - 1727025 - NPE in DestroyImage endAction during live merge leaving a task in DB for hours causing operations depending on host clean tasks to fail as Deactivate host/StopSPM/deactivate SD
• BZ - 1728472 - Engine reports network out of sync due to ipv6 default gateway via ND RA on a non default route network.
• BZ - 1729511 - engine-setup fails to upgrade to 4.3 with Unicode characters in CA subject
• BZ - 1729811 - [scale] updatevmdynamic broken if too many users logged in - psql ERROR: value too long for type character varying(255)
• BZ - 1730264 - VMs will fail to start if the vnic profile attached is having port mirroring enabled and have name greater than 15 characters
• BZ - 1730436 - Snapshot creation was successful, but snapshot remains locked
• BZ - 1731212 - RHV 4.4 landing page does not show login or allow scrolling.
• BZ - 1731590 - Cannot preview snapshot, it fails and VM remains locked.
• BZ - 1733031 - [RFE] Add warning when importing data domains to newer DC that may trigger SD format upgrade
• BZ - 1733529 - Consume python-ovsdbapp dependencies from OSP in RHEL 8 RHV 4.4
• BZ - 1733843 - Export to OVA fails if VM is running on the Host doing the export
• BZ - 1734839 - Unable to start guests in our Power9 cluster without running in headless mode.
• BZ - 1737234 - Attach a non-existent ISO to vm by the API return 201 and marks the Attach CD checkbox as ON
• BZ - 1737684 - Engine deletes the leaf volume when SnapshotVDSCommand timed out without checking if the volume is still used by the VM
• BZ - 1740978 - [RFE] Warn or Block importing VMs/Templates from unsupported compatibility levels.
• BZ - 1741102 - host activation causes RHHI nodes to lose the quorum
• BZ - 1741271 - Move/Copy disk are blocked if there is less space in source SD than the size of the disk
• BZ - 1741625 - VM fails to be re-started with error: Failed to acquire lock: No space left on device
• BZ - 1743690 - Commit and Undo buttons active when no snapshot selected
• BZ - 1744557 - RHV 4.3 throws an exception when trying to access VMs which have snapshots from unsupported compatibility levels
• BZ - 1745384 - [IPv6 Static] Engine should allow updating network's static ipv6gateway
• BZ - 1745504 - Tag rhv-log-collector-analyzer for RHV 4.4 RHEL 8
• BZ - 1746272 - [BREW BUILD ENABLER] Build the oVirt Ansible roles for RHV 4.4.0
• BZ - 1746430 - [Rebase] Rebase v2v-conversion-host for RHV 4.4 Engine
• BZ - 1746877 - [Metrics] Rebase bug - for the 4.4 release on EL8
• BZ - 1747772 - Extra white space at the top of webadmin dialogs
• BZ - 1749284 - Change the Snapshot operation to be asynchronous
• BZ - 1749944 - teardownImage attempts to deactivate in-use LV's rendering the VM disk image/volumes in locked state.
• BZ - 1750212 - MERGE_STATUS fails with 'Invalid UUID string: mapper' when Direct LUN that already exists is hot-plugged
• BZ - 1750348 - [Tracking] rhvm-branding-rhv for RHV 4.4
• BZ - 1750357 - [Tracking] ovirt-web-ui for RHV 4.4
• BZ - 1750371 - [Tracking] ovirt-engine-ui-extensions for RHV 4.4
• BZ - 1750482 - From VM Portal, users cannot create Operating System Windows VM.
• BZ - 1751215 - Unable to change Graphical Console of HE VM.
• BZ - 1751268 - add links to Insights to landing page
• BZ - 1751423 - Improve description of shared memory statistics and remove unimplemented memory metrics from API
• BZ - 1752890 - Build / Tag ovirt-engine-extension-aaa-ldap for RHV 4.4 RHEL 8
• BZ - 1752995 - [RFE] Need to be able to set default console option
• BZ - 1753629 - Build / Tag ovirt-engine-extension-aaa-misc for RHV 4.4 RHEL 8
• BZ - 1753661 - Build / Tag ovirt-engine-extension-logger-log4j got RHV 4.4 / RHEl 8
• BZ - 1753664 - Build ovirt-fast-forward-upgrade for RHV 4.4 /RHEL 8 support
• BZ - 1754363 - [Scale] Engine generates excessive amount of dns configuration related sql queries
• BZ - 1754490 - RHV Manager cannot start on EAP 7.2.4
• BZ - 1755412 - Setting "oreg_url: registry.redhat.io" fails with error
• BZ - 1758048 - clone(as thin) VM from template or create snapshot fails with 'Requested capacity 1073741824 < parent capacity 3221225472 (volume:1211)'
• BZ - 1758289 - [Warn] Duplicate chassis entries in southbound database if the host is down while removing the host from Manager
• BZ - 1762281 - Import of OVA created from template fails with java.lang.NullPointerException
• BZ - 1763992 - [RFE] Show "Open Console" as the main option in the VM actions menu
• BZ - 1764289 - Document details how each fence agent can be configured in RESTAPI
• BZ - 1764791 - CVE-2019-17195 nimbus-jose-jwt: Uncaught exceptions while parsing a JWT
• BZ - 1764932 - [BREW BUILD ENABLER] Build the ansible-runner-service for RHV 4.4
• BZ - 1764943 - Create Snapshot does not proceed beyond CreateVolume
• BZ - 1764959 - Apache is configured to offer TRACE method (security)
• BZ - 1765660 - CVE-2017-18635 novnc: XSS vulnerability via the messages propagated to the status field
• BZ - 1767319 - [RFE] forbid updating mac pool that contains ranges overlapping with any mac range in the system
• BZ - 1767483 - CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
• BZ - 1768707 - Cannot set or update iscsi portal group tag when editing storage connection via API
• BZ - 1768844 - RHEL Advanced virtualization module streams support
• BZ - 1769463 - [Scale] Slow performance for api/clusters when many networks devices are present
• BZ - 1770237 - Cannot assign a vNIC profile for VM instance profile.
• BZ - 1771793 - VM Portal crashes in what appears to be a permission related problem.
• BZ - 1773313 - RHV Metric store installation fails with error: "You need to install \"jmespath\" prior to running json_query filter"
• BZ - 1777954 - VM Templates greater then 101 quantity are not listed/reported in RHV-M Webadmin UI.
• BZ - 1779580 - drop rhvm-doc package
• BZ - 1781001 - CVE-2019-19336 ovirt-engine: response_type parameter allows reflected XSS
• BZ - 1782236 - Windows Update (the drivers) enablement
• BZ - 1782279 - Warning message for low space is not received on Imported Storage domain
• BZ - 1782882 - qemu-kvm: kvm_init_vcpu failed: Function not implemented
• BZ - 1784049 - Rhel6 guest with cluster default q35 chipset causes kernel panic
• BZ - 1784385 - Still requiring rhvm-doc in rhvm-setup-plugins
• BZ - 1785750 - [RFE] Ability to change default VM action (Suspend) in the VM Portal.
• BZ - 1788424 - Importing a VM having direct LUN attached using virtio driver is failing with error "VirtIO-SCSI is disabled for the VM"
• BZ - 1796809 - Build apache-sshd for RHV 4.4 RHEL 8
• BZ - 1796811 - Remove bundled apache-sshd library
• BZ - 1796815 - Build snmp4j for RHV 4.4 RHEL 8
• BZ - 1796817 - Remove bundled snmp4j library
• BZ - 1797316 - Snapshot creation from VM fails on second snapshot and afterwords
• BZ - 1797500 - Add disk operation failed to complete.
• BZ - 1798114 - Build apache-commons-digester for RHV 4.4 RHEL 8
• BZ - 1798117 - Build apache-commons-configuration for RHV 4.4 RHEL 8
• BZ - 1798120 - Build apache-commons-jexl for RHV 4.4 RHEL 8
• BZ - 1798127 - Build apache-commons-collections4 for RHV 4.4 RHEL 8
• BZ - 1798137 - Build apache-commons-vfs for RHV 4.4 RHEL 8
• BZ - 1799171 - Build ws-commons-util for RHV 4.4 RHEL 8
• BZ - 1799204 - Build xmlrpc for RHV 4.4 RHEL 8
• BZ - 1801149 - CVE-2019-13990 libquartz: XXE attacks via job description
• BZ - 1801709 - Disable activation of the host while Enroll certificate flow is still in progress
• BZ - 1803597 - rhv-image-discrepancies should skip storage domains in maintenance mode and ISO/Export
• BZ - 1805669 - change requirement on rhvm package from spice-client-msi to spice-client-win
• BZ - 1806276 - [HE] ovirt-provider-ovn is non-functional on 4.3.9 Hosted-Engine
• BZ - 1807047 - Build m2crypto for RHV 4.4 RHEL 8
• BZ - 1807860 - [RFE] Allow resource allocation options to be customized
• BZ - 1808096 - Uploading ISOs causes "Uncaught exception occurred. Please try reloading the page. Details: (TypeError) : a.n is null"
• BZ - 1808126 - host_service.install() does not work with deploy_hosted_engine as True.
• BZ - 1809040 - [CNV&RHV] let the user know that token is not valid anymore
• BZ - 1809052 - [CNV&RHV] ovirt-engine log file spammed by failed timers ( approx 3-5 messages/sec )
• BZ - 1809875 - rhv-image-discrepancies only compares images on the last DC
• BZ - 1809877 - rhv-image-discrepancies sends dump-volume-chains with parameter that is ignored
• BZ - 1810893 - mountOptions is ignored for "import storage domain" from GUI
• BZ - 1811865 - [Scale] Host Monitoring generates excessive amount of qos related sql queries
• BZ - 1811869 - [Scale] Webadmin\REST for host interface list response time is too long because of excessive amount of qos related sql queries
• BZ - 1812875 - Unable to create VMs when french Language is selected for the rhvm gui.
• BZ - 1813305 - Engine updating SLA policies of VMs continuously in an environment which is not having any QOS configured
• BZ - 1813344 - CVE-2020-7598 nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload
• BZ - 1814197 - [CNV&RHV] when provider is remover DC is left behind and active
• BZ - 1814215 - [CNV&RHV] Adding new provider to engine fails after succesfull test
• BZ - 1816017 - Build log4j12 for RHV 4.4 EL8
• BZ - 1816643 - [CNV&RHV] VM created in CNV not visible in RHV
• BZ - 1816654 - [CNV&RHV] adding provider with already created vm failed
• BZ - 1816693 - [CNV&RHV] CNV VM failed to restart even if 1st dialog looks fine
• BZ - 1816739 - [CNV&RHV] CNV VM updated form CNV side doesn't update vm properties over on RHV side
• BZ - 1817467 - [Tracking] Migration path between RHV 4.3 and 4.4
• BZ - 1818745 - rhv-log-collector-analyzer 0.2.17 still requires pyhton2
• BZ - 1819201 - [CodeChange][i18n] oVirt 4.4 rhv branding - translation update
• BZ - 1819248 - Cannot upgrade host after engine setup
• BZ - 1819514 - Failed to register 4.4 host to the latest engine (4.4.0-0.29.master.el8ev)
• BZ - 1819960 - NPE on ImportVmTemplateFromConfigurationCommand when creating VM from ovf_data
• BZ - 1820621 - Build apache-commons-compress for RHV 4.4 EL8
• BZ - 1820638 - Build apache-commons-jxpath for RHV 4.4 EL8
• BZ - 1821164 - Failed snapshot creation can cause data corruption of other VMs
• BZ - 1821930 - Enable only TLSv1.2+ protocol for SPICE on EL7 hosts
• BZ - 1824095 - VM portal shows only error
• BZ - 1825793 - RHV branding is missing after upgrade from 4.3
• BZ - 1826248 - [4.4][ovirt-cockpit-sso] Compatibility issues with python3
• BZ - 1826437 - The console client resources page return HTTP code 500
• BZ - 1826801 - [CNV&RHV] update of memory on cnv side does not propagate to rhv
• BZ - 1826855 - [cnv&rhv] update of cpu on cnv side causing expetion in engine.log
• BZ - 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
• BZ - 1828669 - After SPM select the engine lost communication to all hosts until restarted [improved logging]
• BZ - 1828736 - [CNV&RHV] cnv template is not propagated to rhv
• BZ - 1829189 - engine-setup httpd ssl configuration conflicts with Red Hat Insights
• BZ - 1829656 - Failed to register 4.3 host to 4.4 engine with 4.3 cluster (4.4.0-0.33.master.el8ev)
• BZ - 1829830 - vhost custom properties does not accept '-'
• BZ - 1832161 - rhv-log-collector-analyzer fails with UnicodeDecodeError on RHEL8
• BZ - 1834523 - Edit VM -> Enable Smartcard sharing does not stick when VM is running
• BZ - 1838493 - Live snapshot made with freeze in the engine will cause the FS to be frozen
• BZ - 1841495 - Upgrade openstack-java-sdk to 3.2.9
• BZ - 1842495 - high cpu usage after entering wrong search pattern in RHVM
• BZ - 1844270 - [vGPU] nodisplay option for mdev broken since mdev scheduling unit
• BZ - 1844855 - Missing images (favicon.ico, banner logo) and missing brand.css file on VM portal d/s installation
• BZ - 1845473 - Exporting an OVA file from a VM results in its ovf file having a format of RAW when the disk is COW
• BZ - 1847420 - CVE-2020-10775 ovirt-engine: Redirect to arbitrary URL allows for phishing
• BZ - 1850004 - CVE-2020-11023 jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution
• BZ - 1853444 - [CodeChange][i18n] oVirt 4.4 rhv branding - translation update (July-2020)
• BZ - 1854563 - [4.4 downstream only][RFE] Include a link to grafana on front page

CVEs

• CVE-2017-18635
• CVE-2019-8331
• CVE-2019-10086
• CVE-2019-13990
• CVE-2019-19336
• CVE-2020-7598
• CVE-2020-10775
• CVE-2020-11022
• CVE-2020-11023

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html-single/technical_notes