[RHSA-2017:0549-01] Moderate: redhat-virtualization-host security and bug fix update

bugzilla at redhat.com bugzilla at redhat.com
Fri Mar 17 14:58:59 UTC 2017 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: redhat-virtualization-host security and bug fix update
Advisory ID:       RHSA-2017:0549-01
Product:           Red Hat Virtualization
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2017-0549.html
Issue date:        2017-03-16
Cross references:  RHSA-2017:0294-1
CVE Names:         CVE-2016-9577 CVE-2016-9578 
=====================================================================

1. Summary:

An update for imgbased, redhat-release-virtualization-host, and
redhat-virtualization-host is now available for RHEV 4.X, RHEV-H, and
Agents for RHEL-7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Image Updates for RHV-H - noarch
RHEL 7-based RHEV-H for RHEV 4(build requirements) - noarch, x86_64

3. Description:

The redhat-virtualization-host packages provide the Red Hat Virtualization
Host. These packages include redhat-release-virtualization-host,
ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are
installed using a special build of Red Hat Enterprise Linux with only the
packages required to host virtual machines. RHVH features a Cockpit user
interface for monitoring the host's resources and performing administrative
tasks.

The following packages have been upgraded to a later upstream version:
redhat-release-virtualization-host (4.0), imgbased (0.8.16),
redhat-virtualization-host (4.0). (BZ#1410848, BZ#1430244)

Security Fix(es):

* A vulnerability was discovered in SPICE in the server's protocol
handling. An authenticated attacker could send crafted messages to the
SPICE server causing a heap overflow leading to a crash or possible code
execution. (CVE-2016-9577)

* A vulnerability was discovered in SPICE in the server's protocol
handling. An attacker able to connect to the SPICE server could send
crafted messages which would cause the process to crash. (CVE-2016-9578)

These issues were discovered by Frediano Ziglio (Red Hat).

Bug Fix(es):

* Previously, imgbased blindly copied /etc from old layers into new layers
in order to keep configuration changes between upgrades. This meant that
imgbased's behavior differed from RPM, in that unmodified configuration
files would be preserved across imgbased upgrades whereas 'yum upgrade' of
the same packages would have replaced them. Now, imgbased compares the sums
of files to the originals kept per-layer in /usr/share/factory/etc so that
unmodified configuration files are now handled appropriately. (BZ#1418179)

* Previously, some earlier versions of Red Hat Virtualization Host (RHVH)
repeatedly prompted for upgrades, even when the most recent version was
already installed. This was caused by the RHVH image containing a
placeholder package that was made obsolete in order to upgrade. However,
the package that was used to upgrade was not propagated to the rpmdb on the
new image. Now, upgrading includes the update package in the rpmdb on the
new image. (BZ#1422476)

* With this update, Red Hat Virtualization Host (RHVH) now includes the
'screen' package. Previously, ovirt-hosted-engine-setup invoked from a CLI
warned users that the 'screen' package was not installed. Though this was
not an explicit requirement when using cockpit, including it provides a
better experience if using the CLI. (BZ#1403729)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1399566 - CVE-2016-9578 spice: Remote DoS via crafted message
1401603 - CVE-2016-9577 spice: Buffer overflow in main_channel_alloc_msg_rcv_buf when reading large messages
1403729 - [z-stream clone - 4.0.7] screen package is not available in RHV 4.0 - despite warnings to run HE deploy within screen session
1410848 - [TestOnly] RHV-H 7.3 susceptible to kernel BZ 1404060
1418179 - [z-stream clone - 4.0.7] unmodified configuration files should be updated during update.
1422476 - [downstream clone - 4.0.7] The same update can be installed multiple times
1426012 - Auto installation failed for rhvh4.0-20170221.0
1426038 - Dashboard of cockpit is missing with RHVH 4.0.7
1427149 - [downstream clone - 4.0.7] Sshd.service could not work normally after upgrade
1427449 - [downstream clone - 4.0.7] There is error information during update to RHVH4.1 with "yum update"
1428375 - [downstream clone - 4.0.7] RHVH new build boot entry miss when upgrade from wrapper to wrapper
1429594 - [downstream clone - 4.0.7] RHVH 4.0.7 cannot be up again in the side of RHEVM 4.0 after upgrade
1430244 - Upgrade imgbased to 0.8.16

6. Package List:

Image Updates for RHV-H:

Source:
redhat-virtualization-host-4.0-20170307.1.el7_3.src.rpm

noarch:
redhat-virtualization-host-image-update-4.0-20170307.1.el7_3.noarch.rpm

RHEL 7-based RHEV-H for RHEV 4(build requirements):

Source:
imgbased-0.8.16-0.1.el7ev.src.rpm
redhat-release-virtualization-host-4.0-7.1.el7.src.rpm

noarch:
imgbased-0.8.16-0.1.el7ev.noarch.rpm
redhat-virtualization-host-image-update-placeholder-4.0-7.1.el7.noarch.rpm

x86_64:
redhat-release-virtualization-host-4.0-7.1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-9577
https://access.redhat.com/security/cve/CVE-2016-9578
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYy/msXlSAg2UNWIIRAlKOAJ9tMwdiy7ktwXj1ut2cddW5HRMvogCfdsQv
XrTMysnvVhpvy/4zXg+SLX0=
=6aIU
-----END PGP SIGNATURE-----

More information about the RHSA-announce mailing list