Red Hat Security Advisory: rhev-3.1.0 vdsm security, bug fix, and enhancement update Security Advisory secalert@redhat.com Red Hat Security Response Team RHSA-2012:1508 Final 1 1 2012-12-04T18:43:00Z Current version 2012-12-04T18:43:00Z 2012-12-04T18:43:00Z Red Hat rhsa-to-cvrf 1.0.1484 2012-12-04T19:13:01Z Updated vdsm packages are now available for Red Hat Enterprise Linux 6.3. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. VDSM is a management module that serves as a Red Hat Enterprise Virtualization Manager agent on Red Hat Enterprise Virtualization Hypervisor or Red Hat Enterprise Linux 6.3 hosts. A flaw was found in the way Red Hat Enterprise Linux hosts were added to the Red Hat Enterprise Virtualization environment. The Python scripts needed to configure the host for Red Hat Enterprise Virtualization were stored in the "/tmp/" directory and could be pre-created by an attacker. A local, unprivileged user on the host to be added to the Red Hat Enterprise Virtualization environment could use this flaw to escalate their privileges. This update provides the VDSM part of the fix. The RHSA-2012:1506 Red Hat Enterprise Virtualization Manager update must also be installed to completely fix this issue. (CVE-2012-0860) A flaw was found in the way Red Hat Enterprise Linux and Red Hat Enterprise Virtualization Hypervisor hosts were added to the Red Hat Enterprise Virtualization environment. The Python scripts needed to configure the host for Red Hat Enterprise Virtualization were downloaded in an insecure way, that is, without properly validating SSL certificates during HTTPS connections. An attacker on the local network could use this flaw to conduct a man-in-the-middle attack, potentially gaining root access to the host being added to the Red Hat Enterprise Virtualization environment. This update provides the VDSM part of the fix. The RHSA-2012:1506 Red Hat Enterprise Virtualization Manager update must also be installed to completely fix this issue. (CVE-2012-0861) The CVE-2012-0860 and CVE-2012-0861 issues were discovered by Red Hat. In addition to resolving the above security issues these updated VDSM packages fix various bugs, and add various enhancements. Documentation for these bug fixes and enhancements is available in the Technical Notes: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Virtualization/3.1/html/Technical_Notes/index.html All users who require VDSM are advised to install these updated packages which resolve these security issues, fix these bugs, and add these enhancements. Please see https://www.redhat.com/footer/terms-of-use.html Copyright © 2012 Red Hat, Inc. All rights reserved. Important https://rhn.redhat.com/errata/RHSA-2012-1508.html https://rhn.redhat.com/errata/RHSA-2012-1508.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Virtualization/3.1/html/Technical_Notes/index.html https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Virtualization/3.1/html/Technical_Notes/index.html https://bugzilla.redhat.com/show_bug.cgi?id=734847 https://bugzilla.redhat.com/show_bug.cgi?id=734847 https://bugzilla.redhat.com/show_bug.cgi?id=744704 https://bugzilla.redhat.com/show_bug.cgi?id=744704 https://bugzilla.redhat.com/show_bug.cgi?id=772556 https://bugzilla.redhat.com/show_bug.cgi?id=772556 https://bugzilla.redhat.com/show_bug.cgi?id=783383 https://bugzilla.redhat.com/show_bug.cgi?id=783383 https://bugzilla.redhat.com/show_bug.cgi?id=797526 https://bugzilla.redhat.com/show_bug.cgi?id=797526 https://bugzilla.redhat.com/show_bug.cgi?id=798635 https://bugzilla.redhat.com/show_bug.cgi?id=798635 https://bugzilla.redhat.com/show_bug.cgi?id=800367 https://bugzilla.redhat.com/show_bug.cgi?id=800367 https://bugzilla.redhat.com/show_bug.cgi?id=802759 https://bugzilla.redhat.com/show_bug.cgi?id=802759 https://bugzilla.redhat.com/show_bug.cgi?id=806625 https://bugzilla.redhat.com/show_bug.cgi?id=806625 https://bugzilla.redhat.com/show_bug.cgi?id=806757 https://bugzilla.redhat.com/show_bug.cgi?id=806757 https://bugzilla.redhat.com/show_bug.cgi?id=807351 https://bugzilla.redhat.com/show_bug.cgi?id=807351 https://bugzilla.redhat.com/show_bug.cgi?id=807687 https://bugzilla.redhat.com/show_bug.cgi?id=807687 https://bugzilla.redhat.com/show_bug.cgi?id=812793 https://bugzilla.redhat.com/show_bug.cgi?id=812793 https://bugzilla.redhat.com/show_bug.cgi?id=813423 https://bugzilla.redhat.com/show_bug.cgi?id=813423 https://bugzilla.redhat.com/show_bug.cgi?id=814435 https://bugzilla.redhat.com/show_bug.cgi?id=814435 https://bugzilla.redhat.com/show_bug.cgi?id=815359 https://bugzilla.redhat.com/show_bug.cgi?id=815359 https://bugzilla.redhat.com/show_bug.cgi?id=826467 https://bugzilla.redhat.com/show_bug.cgi?id=826467 https://bugzilla.redhat.com/show_bug.cgi?id=826873 https://bugzilla.redhat.com/show_bug.cgi?id=826873 https://bugzilla.redhat.com/show_bug.cgi?id=826921 https://bugzilla.redhat.com/show_bug.cgi?id=826921 https://bugzilla.redhat.com/show_bug.cgi?id=829037 https://bugzilla.redhat.com/show_bug.cgi?id=829037 https://bugzilla.redhat.com/show_bug.cgi?id=829645 https://bugzilla.redhat.com/show_bug.cgi?id=829645 https://bugzilla.redhat.com/show_bug.cgi?id=829710 https://bugzilla.redhat.com/show_bug.cgi?id=829710 https://bugzilla.redhat.com/show_bug.cgi?id=830485 https://bugzilla.redhat.com/show_bug.cgi?id=830485 https://bugzilla.redhat.com/show_bug.cgi?id=830486 https://bugzilla.redhat.com/show_bug.cgi?id=830486 https://bugzilla.redhat.com/show_bug.cgi?id=831528 https://bugzilla.redhat.com/show_bug.cgi?id=831528 https://bugzilla.redhat.com/show_bug.cgi?id=832765 https://bugzilla.redhat.com/show_bug.cgi?id=832765 https://bugzilla.redhat.com/show_bug.cgi?id=832798 https://bugzilla.redhat.com/show_bug.cgi?id=832798 https://bugzilla.redhat.com/show_bug.cgi?id=833084 https://bugzilla.redhat.com/show_bug.cgi?id=833084 https://bugzilla.redhat.com/show_bug.cgi?id=833099 https://bugzilla.redhat.com/show_bug.cgi?id=833099 https://bugzilla.redhat.com/show_bug.cgi?id=833119 https://bugzilla.redhat.com/show_bug.cgi?id=833119 https://bugzilla.redhat.com/show_bug.cgi?id=833425 https://bugzilla.redhat.com/show_bug.cgi?id=833425 https://bugzilla.redhat.com/show_bug.cgi?id=833803 https://bugzilla.redhat.com/show_bug.cgi?id=833803 https://bugzilla.redhat.com/show_bug.cgi?id=834008 https://bugzilla.redhat.com/show_bug.cgi?id=834008 https://bugzilla.redhat.com/show_bug.cgi?id=834105 https://bugzilla.redhat.com/show_bug.cgi?id=834105 https://bugzilla.redhat.com/show_bug.cgi?id=834205 https://bugzilla.redhat.com/show_bug.cgi?id=834205 https://bugzilla.redhat.com/show_bug.cgi?id=835478 https://bugzilla.redhat.com/show_bug.cgi?id=835478 https://bugzilla.redhat.com/show_bug.cgi?id=835784 https://bugzilla.redhat.com/show_bug.cgi?id=835784 https://bugzilla.redhat.com/show_bug.cgi?id=835900 https://bugzilla.redhat.com/show_bug.cgi?id=835900 https://bugzilla.redhat.com/show_bug.cgi?id=835920 https://bugzilla.redhat.com/show_bug.cgi?id=835920 https://bugzilla.redhat.com/show_bug.cgi?id=836161 https://bugzilla.redhat.com/show_bug.cgi?id=836161 https://bugzilla.redhat.com/show_bug.cgi?id=836562 https://bugzilla.redhat.com/show_bug.cgi?id=836562 https://bugzilla.redhat.com/show_bug.cgi?id=836954 https://bugzilla.redhat.com/show_bug.cgi?id=836954 https://bugzilla.redhat.com/show_bug.cgi?id=837054 https://bugzilla.redhat.com/show_bug.cgi?id=837054 https://bugzilla.redhat.com/show_bug.cgi?id=837836 https://bugzilla.redhat.com/show_bug.cgi?id=837836 https://bugzilla.redhat.com/show_bug.cgi?id=838347 https://bugzilla.redhat.com/show_bug.cgi?id=838347 https://bugzilla.redhat.com/show_bug.cgi?id=838547 https://bugzilla.redhat.com/show_bug.cgi?id=838547 https://bugzilla.redhat.com/show_bug.cgi?id=838802 https://bugzilla.redhat.com/show_bug.cgi?id=838802 https://bugzilla.redhat.com/show_bug.cgi?id=838924 https://bugzilla.redhat.com/show_bug.cgi?id=838924 https://bugzilla.redhat.com/show_bug.cgi?id=840294 https://bugzilla.redhat.com/show_bug.cgi?id=840294 https://bugzilla.redhat.com/show_bug.cgi?id=840300 https://bugzilla.redhat.com/show_bug.cgi?id=840300 https://bugzilla.redhat.com/show_bug.cgi?id=840386 https://bugzilla.redhat.com/show_bug.cgi?id=840386 https://bugzilla.redhat.com/show_bug.cgi?id=840594 https://bugzilla.redhat.com/show_bug.cgi?id=840594 https://bugzilla.redhat.com/show_bug.cgi?id=841863 https://bugzilla.redhat.com/show_bug.cgi?id=841863 https://bugzilla.redhat.com/show_bug.cgi?id=842115 https://bugzilla.redhat.com/show_bug.cgi?id=842115 https://bugzilla.redhat.com/show_bug.cgi?id=842146 https://bugzilla.redhat.com/show_bug.cgi?id=842146 https://bugzilla.redhat.com/show_bug.cgi?id=842338 https://bugzilla.redhat.com/show_bug.cgi?id=842338 https://bugzilla.redhat.com/show_bug.cgi?id=842662 https://bugzilla.redhat.com/show_bug.cgi?id=842662 https://bugzilla.redhat.com/show_bug.cgi?id=842771 https://bugzilla.redhat.com/show_bug.cgi?id=842771 https://bugzilla.redhat.com/show_bug.cgi?id=843076 https://bugzilla.redhat.com/show_bug.cgi?id=843076 https://bugzilla.redhat.com/show_bug.cgi?id=843387 https://bugzilla.redhat.com/show_bug.cgi?id=843387 https://bugzilla.redhat.com/show_bug.cgi?id=843498 https://bugzilla.redhat.com/show_bug.cgi?id=843498 https://bugzilla.redhat.com/show_bug.cgi?id=844180 https://bugzilla.redhat.com/show_bug.cgi?id=844180 https://bugzilla.redhat.com/show_bug.cgi?id=844294 https://bugzilla.redhat.com/show_bug.cgi?id=844294 https://bugzilla.redhat.com/show_bug.cgi?id=844347 https://bugzilla.redhat.com/show_bug.cgi?id=844347 https://bugzilla.redhat.com/show_bug.cgi?id=845193 https://bugzilla.redhat.com/show_bug.cgi?id=845193 https://bugzilla.redhat.com/show_bug.cgi?id=845346 https://bugzilla.redhat.com/show_bug.cgi?id=845346 https://bugzilla.redhat.com/show_bug.cgi?id=845525 https://bugzilla.redhat.com/show_bug.cgi?id=845525 https://bugzilla.redhat.com/show_bug.cgi?id=845830 https://bugzilla.redhat.com/show_bug.cgi?id=845830 https://bugzilla.redhat.com/show_bug.cgi?id=846004 https://bugzilla.redhat.com/show_bug.cgi?id=846004 https://bugzilla.redhat.com/show_bug.cgi?id=846014 https://bugzilla.redhat.com/show_bug.cgi?id=846014 https://bugzilla.redhat.com/show_bug.cgi?id=846307 https://bugzilla.redhat.com/show_bug.cgi?id=846307 https://bugzilla.redhat.com/show_bug.cgi?id=846312 https://bugzilla.redhat.com/show_bug.cgi?id=846312 https://bugzilla.redhat.com/show_bug.cgi?id=846323 https://bugzilla.redhat.com/show_bug.cgi?id=846323 https://bugzilla.redhat.com/show_bug.cgi?id=846376 https://bugzilla.redhat.com/show_bug.cgi?id=846376 https://bugzilla.redhat.com/show_bug.cgi?id=847518 https://bugzilla.redhat.com/show_bug.cgi?id=847518 https://bugzilla.redhat.com/show_bug.cgi?id=847733 https://bugzilla.redhat.com/show_bug.cgi?id=847733 https://bugzilla.redhat.com/show_bug.cgi?id=847744 https://bugzilla.redhat.com/show_bug.cgi?id=847744 https://bugzilla.redhat.com/show_bug.cgi?id=848101 https://bugzilla.redhat.com/show_bug.cgi?id=848101 https://bugzilla.redhat.com/show_bug.cgi?id=848299 https://bugzilla.redhat.com/show_bug.cgi?id=848299 https://bugzilla.redhat.com/show_bug.cgi?id=848616 https://bugzilla.redhat.com/show_bug.cgi?id=848616 https://bugzilla.redhat.com/show_bug.cgi?id=848728 https://bugzilla.redhat.com/show_bug.cgi?id=848728 https://bugzilla.redhat.com/show_bug.cgi?id=849315 https://bugzilla.redhat.com/show_bug.cgi?id=849315 https://bugzilla.redhat.com/show_bug.cgi?id=849542 https://bugzilla.redhat.com/show_bug.cgi?id=849542 https://bugzilla.redhat.com/show_bug.cgi?id=851146 https://bugzilla.redhat.com/show_bug.cgi?id=851146 https://bugzilla.redhat.com/show_bug.cgi?id=851839 https://bugzilla.redhat.com/show_bug.cgi?id=851839 https://bugzilla.redhat.com/show_bug.cgi?id=852989 https://bugzilla.redhat.com/show_bug.cgi?id=852989 https://bugzilla.redhat.com/show_bug.cgi?id=853011 https://bugzilla.redhat.com/show_bug.cgi?id=853011 https://bugzilla.redhat.com/show_bug.cgi?id=853040 https://bugzilla.redhat.com/show_bug.cgi?id=853040 https://bugzilla.redhat.com/show_bug.cgi?id=853703 https://bugzilla.redhat.com/show_bug.cgi?id=853703 https://bugzilla.redhat.com/show_bug.cgi?id=853710 https://bugzilla.redhat.com/show_bug.cgi?id=853710 https://bugzilla.redhat.com/show_bug.cgi?id=853910 https://bugzilla.redhat.com/show_bug.cgi?id=853910 https://bugzilla.redhat.com/show_bug.cgi?id=853968 https://bugzilla.redhat.com/show_bug.cgi?id=853968 https://bugzilla.redhat.com/show_bug.cgi?id=854027 https://bugzilla.redhat.com/show_bug.cgi?id=854027 https://bugzilla.redhat.com/show_bug.cgi?id=854151 https://bugzilla.redhat.com/show_bug.cgi?id=854151 https://bugzilla.redhat.com/show_bug.cgi?id=854212 https://bugzilla.redhat.com/show_bug.cgi?id=854212 https://bugzilla.redhat.com/show_bug.cgi?id=854242 https://bugzilla.redhat.com/show_bug.cgi?id=854242 https://bugzilla.redhat.com/show_bug.cgi?id=854457 https://bugzilla.redhat.com/show_bug.cgi?id=854457 https://bugzilla.redhat.com/show_bug.cgi?id=854748 https://bugzilla.redhat.com/show_bug.cgi?id=854748 https://bugzilla.redhat.com/show_bug.cgi?id=854763 https://bugzilla.redhat.com/show_bug.cgi?id=854763 https://bugzilla.redhat.com/show_bug.cgi?id=854765 https://bugzilla.redhat.com/show_bug.cgi?id=854765 https://bugzilla.redhat.com/show_bug.cgi?id=854919 https://bugzilla.redhat.com/show_bug.cgi?id=854919 https://bugzilla.redhat.com/show_bug.cgi?id=854953 https://bugzilla.redhat.com/show_bug.cgi?id=854953 https://bugzilla.redhat.com/show_bug.cgi?id=855049 https://bugzilla.redhat.com/show_bug.cgi?id=855049 https://bugzilla.redhat.com/show_bug.cgi?id=855425 https://bugzilla.redhat.com/show_bug.cgi?id=855425 https://bugzilla.redhat.com/show_bug.cgi?id=855729 https://bugzilla.redhat.com/show_bug.cgi?id=855729 https://bugzilla.redhat.com/show_bug.cgi?id=855887 https://bugzilla.redhat.com/show_bug.cgi?id=855887 https://bugzilla.redhat.com/show_bug.cgi?id=855918 https://bugzilla.redhat.com/show_bug.cgi?id=855918 https://bugzilla.redhat.com/show_bug.cgi?id=855922 https://bugzilla.redhat.com/show_bug.cgi?id=855922 https://bugzilla.redhat.com/show_bug.cgi?id=855924 https://bugzilla.redhat.com/show_bug.cgi?id=855924 https://bugzilla.redhat.com/show_bug.cgi?id=856163 https://bugzilla.redhat.com/show_bug.cgi?id=856163 https://bugzilla.redhat.com/show_bug.cgi?id=856167 https://bugzilla.redhat.com/show_bug.cgi?id=856167 https://bugzilla.redhat.com/show_bug.cgi?id=857112 https://bugzilla.redhat.com/show_bug.cgi?id=857112 https://bugzilla.redhat.com/show_bug.cgi?id=859109 https://bugzilla.redhat.com/show_bug.cgi?id=859109 https://bugzilla.redhat.com/show_bug.cgi?id=862002 https://bugzilla.redhat.com/show_bug.cgi?id=862002 https://bugzilla.redhat.com/show_bug.cgi?id=863265 https://bugzilla.redhat.com/show_bug.cgi?id=863265 https://bugzilla.redhat.com/show_bug.cgi?id=865386 https://bugzilla.redhat.com/show_bug.cgi?id=865386 https://bugzilla.redhat.com/show_bug.cgi?id=866163 https://bugzilla.redhat.com/show_bug.cgi?id=866163 https://bugzilla.redhat.com/show_bug.cgi?id=866533 https://bugzilla.redhat.com/show_bug.cgi?id=866533 https://bugzilla.redhat.com/show_bug.cgi?id=867354 https://bugzilla.redhat.com/show_bug.cgi?id=867354 https://bugzilla.redhat.com/show_bug.cgi?id=867806 https://bugzilla.redhat.com/show_bug.cgi?id=867806 https://bugzilla.redhat.com/show_bug.cgi?id=867813 https://bugzilla.redhat.com/show_bug.cgi?id=867813 https://bugzilla.redhat.com/show_bug.cgi?id=867922 https://bugzilla.redhat.com/show_bug.cgi?id=867922 https://bugzilla.redhat.com/show_bug.cgi?id=868272 https://bugzilla.redhat.com/show_bug.cgi?id=868272 https://bugzilla.redhat.com/show_bug.cgi?id=868681 https://bugzilla.redhat.com/show_bug.cgi?id=868681 https://bugzilla.redhat.com/show_bug.cgi?id=868721 https://bugzilla.redhat.com/show_bug.cgi?id=868721 https://bugzilla.redhat.com/show_bug.cgi?id=870024 https://bugzilla.redhat.com/show_bug.cgi?id=870024 https://bugzilla.redhat.com/show_bug.cgi?id=870079 https://bugzilla.redhat.com/show_bug.cgi?id=870079 https://bugzilla.redhat.com/show_bug.cgi?id=870734 https://bugzilla.redhat.com/show_bug.cgi?id=870734 https://bugzilla.redhat.com/show_bug.cgi?id=870768 https://bugzilla.redhat.com/show_bug.cgi?id=870768 https://bugzilla.redhat.com/show_bug.cgi?id=871355 https://bugzilla.redhat.com/show_bug.cgi?id=871355 https://bugzilla.redhat.com/show_bug.cgi?id=871811 https://bugzilla.redhat.com/show_bug.cgi?id=871811 https://bugzilla.redhat.com/show_bug.cgi?id=872270 https://bugzilla.redhat.com/show_bug.cgi?id=872270 https://bugzilla.redhat.com/show_bug.cgi?id=872935 https://bugzilla.redhat.com/show_bug.cgi?id=872935 https://bugzilla.redhat.com/show_bug.cgi?id=874481 https://bugzilla.redhat.com/show_bug.cgi?id=874481 https://bugzilla.redhat.com/show_bug.cgi?id=876115 https://bugzilla.redhat.com/show_bug.cgi?id=876115 https://bugzilla.redhat.com/show_bug.cgi?id=876558 https://bugzilla.redhat.com/show_bug.cgi?id=876558 RHEV Agents (vdsm) vdsm-4.9.6-44.0.el6_3.src.rpm vdsm-4.9.6-44.0.el6_3 as a component of RHEV Agents (vdsm) A flaw was found in the way Red Hat Enterprise Linux hosts were added to the Red Hat Enterprise Virtualization environment. The Python scripts needed to configure the host for Red Hat Enterprise Virtualization were stored in the "/tmp/" directory and could be pre-created by an attacker. A local, unprivileged user on the host to be added to the Red Hat Enterprise Virtualization environment could use this flaw to escalate their privileges. This update provides the VDSM part of the fix. The RHSA-2012:1506 Red Hat Enterprise Virtualization Manager update must also be installed to completely fix this issue. The CVE-2012-0860 and CVE-2012-0861 issues were discovered by Red Hat. 2012-02-14T00:00:00Z 2012-12-04T00:00:00Z CVE-2012-0860 6Server-RHEV-Agents:vdsm-4.9.6-44.0.el6_3 Important 6.2 AV:L/AC:H/Au:N/C:C/I:C/A:C Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1508.html https://www.redhat.com/security/data/cve/CVE-2012-0860.html CVE-2012-0860 https://bugzilla.redhat.com/show_bug.cgi?id=790730 bz#790730: CVE-2012-0860 rhev: vds_installer insecure /tmp use A flaw was found in the way Red Hat Enterprise Linux and Red Hat Enterprise Virtualization Hypervisor hosts were added to the Red Hat Enterprise Virtualization environment. The Python scripts needed to configure the host for Red Hat Enterprise Virtualization were downloaded in an insecure way, that is, without properly validating SSL certificates during HTTPS connections. An attacker on the local network could use this flaw to conduct a man-in-the-middle attack, potentially gaining root access to the host being added to the Red Hat Enterprise Virtualization environment. This update provides the VDSM part of the fix. The RHSA-2012:1506 Red Hat Enterprise Virtualization Manager update must also be installed to completely fix this issue. The CVE-2012-0860 and CVE-2012-0861 issues were discovered by Red Hat. 2012-02-15T00:00:00Z 2012-12-04T00:00:00Z CVE-2012-0861 6Server-RHEV-Agents:vdsm-4.9.6-44.0.el6_3 Important 6.8 AV:A/AC:H/Au:N/C:C/I:C/A:C Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1508.html https://www.redhat.com/security/data/cve/CVE-2012-0861.html CVE-2012-0861 https://bugzilla.redhat.com/show_bug.cgi?id=790754 bz#790754: CVE-2012-0861 rhev: vds_installer is prone to MITM when downloading 2nd stage installer