From bugzilla at redhat.com Thu Mar 5 14:16:39 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 5 Mar 2015 14:16:39 +0000
Subject: [RHSA-2015:0624-01] Important: qemu-kvm-rhev security, bug fix, and enhancement update
Message-ID: <201503051416.t25EGeI9007026@int-mx13.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm-rhev security, bug fix, and enhancement update
Advisory ID:       RHSA-2015:0624-01
Product:           Red Hat Enterprise Virtualization
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-0624.html
Issue date:        2015-03-05
CVE Names:         CVE-2014-3640 CVE-2014-7815 CVE-2014-7840 CVE-2014-8106
=====================================================================

1. Summary:

Updated qemu-kvm-rhev packages that fix multiple security issues, several
bugs, and add various enhancements are now available for Red Hat Enterprise
Virtualization Hypervisor 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

RHEV-H and VDSM for 7 Hosts - x86_64

3. Description:

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the
user-space component for running virtual machines using KVM, in
environments managed by Red Hat Enterprise Virtualization Manager.

It was found that the Cirrus blit region checks were insufficient. A
privileged guest user could use this flaw to write outside of
VRAM-allocated buffer boundaries in the host's QEMU process address space
with attacker-provided data. (CVE-2014-8106)

An uninitialized data structure use flaw was found in the way the
set_pixel_format() function sanitized the value of bits_per_pixel. An
attacker able to access a guest's VNC console could use this flaw to crash
the guest. (CVE-2014-7815)

It was found that certain values that were read when loading RAM during
migration were not validated. A user able to alter the savevm data (either
on the disk or over the wire during migration) could use this flaw to
corrupt QEMU process memory on the (destination) host, which could
potentially result in arbitrary code execution on the host with the
privileges of the QEMU process. (CVE-2014-7840)

A NULL pointer dereference flaw was found in the way QEMU handled UDP
packets with a source port and address of 0 when QEMU's user networking was
in use. A local guest user could use this flaw to crash the guest.
(CVE-2014-3640)

Red Hat would like to thank James Spadaro of Cisco for reporting
CVE-2014-7815, and Xavier Mehrenberger and Stephane Duverger of Airbus for
reporting CVE-2014-3640. The CVE-2014-8106 issue was found by Paolo Bonzini
of Red Hat, and the CVE-2014-7840 issue was discovered by Michael S. Tsirkin
of Red Hat.

This update provides the enhanced version of the qemu-kvm-rhev packages for
Red Hat Enterprise Virtualization (RHEV) Hypervisor, which also fixes
several bugs and adds various enhancements.

All Red Hat Enterprise Virtualization users with deployed virtualization
hosts are advised to install these updated packages, which correct these
issues and add these enhancements. After installing this update, shut down
all running virtual machines. Once all virtual machines have shut down,
start them again for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

733600 - qemu-kvm doesn't report error when supplied negative vnc port value
760898 - kvm should disable to change vnc password after removing vnc password option
801284 - usb-host accepting out-of-range values for various parameters ending an invalid usb device occupy an ehci port
852348 - fail to block_resize local data disk with IDE/AHCI disk_interface
893654 - allow non-contiguous CPU ranges on -numa command-line options
923599 - Virtio serial chardev will be still in use even failed to hot plug a serial port on it
946993 - Q35 does not honor -drive if=ide,... and its sugared forms -cdrom, -hda, ...
1003432 - qemu-kvm should not allow different virtio serial port use the same name
1013157 - backport block-layer dataplane implementation
1024599 - Windows7 x86 guest with ahci backend hit BSOD when do "hibernate"
1029987 - spice-server reports incorrect listening address on monitor with "ipv6" option
1032855 - qemu-kvm core dump when do S4 inside guest after drive-mirror got BLOCK_JOB_READY status (from libiscsi storage to libiscsi storage)
1039745 - qemu vcpu hotplug support for q35 machine type
1047748 - fail to specify the bootindex for the usb-storage with usb-xhci controller
1052041 - Rubbish serial port device is generated once failed to hotplug a serial port
1055532 - QEMU should abort when invalid CPU flag name is used
1057425 - multiple qxl devices(>9) cause qemu-kvm core dump
1061827 - Maintain relative path to backing file image during live merge (block-commit)
1064742 - QMP: "query-version" doesn't include the -rhev prefix from the qemu-kvm-rhev package
1066239 - Hotplug second virtioserialport failed after attached and detached virtconsole port
1071058 - qemu-img unable to create image filename containing a ':'
1071199 - qemu-kvm numa emulation won't check duplicate node id
1076990 - Enable complex memory requirements for virtual machines
1083844 - Original image checking get errors after commit back with lazy_refcounts=on+qcow2_v3
1086502 - QEMU core dumped when blockdev_add with 'aio': 'native' but without 'cache' specified
1093023 - provide RHEL-specific machine types in QEMU
1096196 - QEMU should abort if NUMA node configuration don't cover all RAM
1102411 - qemu guest-set-time: RTC timer interrupt reinjection vs guest-set-time
1110429 - need a non-event way to determine qemu's current offset from utc
1114889 - drive-mirror cause qemu-kvm process segfaults
1116729 - Backport qemu_bh_schedule() race condition fix
1117445 - QMP: extend block events with error information
1120718 - Migration: Something broken with video
1121025 - Migration: acpi/tables size mismatch
1122619 - unnecessary files being distributed
1123908 - block.c: multiwrite_merge() truncates overlapping requests
1126777 - guest which set numa in xml can't start success
1128095 - chardev 'chr0' isn't initialized when we try to open rng backend
1128608 - [AHCI] RHEL 5.10 x86_64 guest kernel panic - VFS: Unable to mount root fs on unknown-block(9,1)
1129259 - Add traces to virtio-rng device
1129593 - Guest can't poweroff after finishing installation
1132385 - qemu-img convert rate about 100k/second from qcow2/raw to vmdk format on nfs system file
1132569 - RFE: Enable curl driver in qemu-kvm-rhev: https only
1133736 - qemu should provide iothread and x-data-plane properties for /usr/libexec/qemu-kvm -device virtio-blk-pci,?
1134980 - Should export first vga display with Spice
1135844 - [virtio-win] communication ports were marked with a yellow exclamation after hotplug pci-serial,pci-serial-2x,pci-serial-4x
1135893 - qemu-kvm should report an error message when host's free hugepage memory < domain's memory
1136381 - RFE: Supporting creating vdi/vpc format disk with protocols (glusterfs) for qemu-kvm-rhev-2.1.x
1136752 - virtio-blk dataplane support for block_resize and hot unplug
1138359 - RFE: Enable ssh driver in qemu-kvm-rhev
1138579 - Migration failed with nec-usb-xhci from RHEL7.0 to RHEL7.1
1140001 - data-plane hotplug should be refused to start if device is already in use (drive-mirror job)
1140145 - qemu-kvm crashed when doing iofuzz testing
1140620 - Should replace "qemu-system-i386" by "/usr/libexec/qemu-kvm" in manpage of qemu-kvm for our official qemu-kvm build
1140744 - Enable native support for Ceph
1140975 - fail to login spice session with password + expire time
1140997 - guest is stuck when setting balloon memory with large guest-stats-polling-interval
1141656 - Virtio-scsi: performance degradation from 1.5.3 to 2.1.0
1141666 - Qemu crashed if reboot guest after hot remove AC97 sound device
1142331 - qemu-img convert intermittently corrupts output images
1144325 - Can not probe "qemu.kvm.virtio_blk_data_plane_complete_request"
1144818 - CVE-2014-3640 qemu: slirp: NULL pointer deref in sosendto()
1145042 - The output of "/usr/libexec/qemu-kvm -M ?" should be ordered.
1146573 - qemu core dump when boot guest with smp(num)timeout
1152922 - smbios uuid mismatched
1153590 - Improve error message on huge page preallocation
1157329 - qemu-kvm: undefined symbol: glfs_discard_async
1157641 - CVE-2014-7815 qemu: vnc: insufficient bits_per_pixel from the client sanitization
1160102 - opening read-only iscsi lun as read-write should fail
1160504 - guest can not show usb device after adding some usb controllers and redirdevs.
1161397 - qemu core dump when install a RHEL.7 guest(xhci) with migration
1163075 - CVE-2014-7840 qemu: insufficient parameter validation during ram load
1163735 - -device pc-dimm fails to initialize on non-NUMA configs
1164759 - Handle multipage ranges in invalidate_and_set_dirty()
1166481 - Allow qemu-img to bypass the host cache (check, compare, convert, rebase, amend)
1169280 - Segfault while query device properties (ics, icp)
1169454 - CVE-2014-8106 qemu: cirrus: insufficient blit region checks
1169589 - test case 051 071 and 087 of qemu-iotests fail for qcow2 with qemu-kvm-rhev-2.1.2-14.el7
1170093 - guest NUMA failed to migrate when machine is rhel6.5.0
1170533 - Should disable S3/S4 in default under Q35 machine type in rhel7
1170871 - qemu core dumped when unhotplug gpu card assigned to guest
1171552 - Storage vm migration failed when running BurnInTes
1172473 - BUG: seccomp filter failure with "-object memory-backend-ram"
1173167 - Corrupted ACPI tables in some configurations using pc-i440fx-rhel7.0.0
1175841 - Delete cow block driver
1177127 - [SVVP] smbios HCT job failed with 'Processor Max Speed cannot be Unknown' with -M pc-i440fx-rhel7.1.0
1179165 - [SVVP] smbios HCT job failed with Unspecified error with -M pc-i440fx-rhel7.1.0
1182494 - BUG: qemu-kvm hang when enabled both sandbox and mlock

6. Package List:

RHEV-H and VDSM for 7 Hosts:

Source:
qemu-kvm-rhev-2.1.2-23.el7.src.rpm

x86_64:
libcacard-devel-rhev-2.1.2-23.el7.x86_64.rpm
libcacard-rhev-2.1.2-23.el7.x86_64.rpm
libcacard-tools-rhev-2.1.2-23.el7.x86_64.rpm
qemu-img-rhev-2.1.2-23.el7.x86_64.rpm
qemu-kvm-common-rhev-2.1.2-23.el7.x86_64.rpm
qemu-kvm-rhev-2.1.2-23.el7.x86_64.rpm
qemu-kvm-rhev-debuginfo-2.1.2-23.el7.x86_64.rpm
qemu-kvm-tools-rhev-2.1.2-23.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7.
References:

https://access.redhat.com/security/cve/CVE-2014-3640
https://access.redhat.com/security/cve/CVE-2014-7815
https://access.redhat.com/security/cve/CVE-2014-7840
https://access.redhat.com/security/cve/CVE-2014-8106
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.


From bugzilla at redhat.com Wed Mar 18 12:20:17 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 18 Mar 2015 12:20:17 +0000
Subject: [RHSA-2015:0698-01] Important: rhevm-spice-client security, bug fix, and enhancement update
Message-ID: <201503181220.t2ICKGvs002866@int-mx09.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: rhevm-spice-client security, bug fix, and enhancement update
Advisory ID:       RHSA-2015:0698-01
Product:           Red Hat Enterprise Virtualization
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-0698.html
Issue date:        2015-03-18
CVE Names:         CVE-2008-3520 CVE-2008-3522 CVE-2011-4516 CVE-2011-4517
                   CVE-2014-8137 CVE-2014-8138 CVE-2014-8157 CVE-2014-8158
                   CVE-2014-9029
=====================================================================

1. Summary:

Updated rhevm-spice-client packages that fix multiple security issues,
several bugs, and add one enhancement are now available for Red Hat
Enterprise Virtualization Manager 3.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

RHEV-M 3.5 - noarch

3. Description:

Red Hat Enterprise Virtualization Manager provides access to virtual
machines using SPICE. These SPICE client packages provide the SPICE client
and usbclerk service for both Windows 32-bit operating systems and Windows
64-bit operating systems.

This update adds support for the TLS Fallback Signaling Cipher Suite Value
(TLS_FALLBACK_SCSV), which can be used to prevent protocol downgrade
attacks against applications which re-connect using a lower SSL/TLS
protocol version when the initial connection indicating the highest
supported protocol version fails.

This can prevent a forceful downgrade of the communication to SSL 3.0. The
SSL 3.0 protocol was found to be vulnerable to the padding oracle attack
when using block cipher suites in cipher block chaining (CBC) mode. This
issue is identified as CVE-2014-3566, and also known under the alias
POODLE. This SSL 3.0 protocol flaw will not be addressed in a future
update; it is recommended that users configure their applications to
require at least TLS protocol version 1.0 for secure communication.

For additional information about this flaw, see the Knowledgebase article
at https://access.redhat.com/articles/1232123

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files.
A specially crafted file could cause an application using JasPer to crash
or, possibly, execute arbitrary code. (CVE-2014-8138, CVE-2014-8157,
CVE-2014-8158, CVE-2014-9029, CVE-2014-8137, CVE-2011-4516, CVE-2011-4517,
CVE-2008-3520, CVE-2008-3522)

Red Hat would like to thank oCERT for reporting CVE-2014-8137,
CVE-2014-8138, CVE-2014-8157, CVE-2014-8158, CVE-2014-9029, CVE-2011-4516,
and CVE-2011-4517. oCERT acknowledges Jose Duart of the Google Security
Team as the original reporter of CVE-2014-8137 and CVE-2014-8138; and
pyddeh as the original reporter of CVE-2014-8157 and CVE-2014-8158.
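The downgrade-prevention mechanism the description above refers to, modelled in Python as an added example (this is not code from the SPICE client, OpenSSL or this advisory). It follows RFC 7507: a client that retries with a lower version than its own highest appends TLS_FALLBACK_SCSV, and a server that still supports a higher version than the one offered answers with the inappropriate_fallback alert. The version constants are the real protocol values; the "attempts above a threshold never reach the server" network model is a constructed simplification.

```python
"""Model of TLS_FALLBACK_SCSV (RFC 7507) against a forced SSL 3.0 downgrade."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SSL30, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600          # the {0x56, 0x00} signaling cipher suite value
ALERT_INAPPROPRIATE_FALLBACK = 86    # fatal alert a server sends on a detected downgrade
REAL_SUITE = 0x002F                  # TLS_RSA_WITH_AES_128_CBC_SHA, any real suite will do


@dataclass
class ClientHello:
    client_version: int        # highest version the client offers in this attempt
    cipher_suites: List[int]


def build_client_hello(client_highest: int, offered: int, scsv_enabled: bool) -> ClientHello:
    """Client side: an SCSV-aware client re-connecting with a version below
    the highest it supports appends the SCSV to its cipher suite list."""
    suites = [REAL_SUITE]
    if scsv_enabled and offered < client_highest:
        suites.append(TLS_FALLBACK_SCSV)
    return ClientHello(offered, suites)


def server_check(hello: ClientHello, server_highest: int) -> Optional[int]:
    """Server side: SCSV present while the client offers less than the server's
    own highest version means something forced a downgrade. Returns the alert
    code, or None when the handshake may proceed (legitimate fallback to an
    old server, or no fallback at all)."""
    if TLS_FALLBACK_SCSV in hello.cipher_suites and hello.client_version < server_highest:
        return ALERT_INAPPROPRIATE_FALLBACK
    return None


def negotiate(client_versions: List[int], server_highest: int, scsv_enabled: bool,
              max_version_reaching_server: int) -> Tuple[str, Optional[int]]:
    """Fallback dance: the client tries versions from highest to lowest. Attempts
    above max_version_reaching_server never arrive (an attacker dropping them,
    or a version-intolerant server), so the client sees a failure and retries
    lower. Returns ("ok", version), ("alert", code) or ("fail", None)."""
    client_highest = client_versions[0]
    for version in client_versions:
        if version > max_version_reaching_server:
            continue                     # connection "failed"; client falls back
        hello = build_client_hello(client_highest, version, scsv_enabled)
        alert = server_check(hello, server_highest)
        if alert is not None:
            return ("alert", alert)      # refuse rather than talk SSL 3.0
        return ("ok", version)
    return ("fail", None)


if __name__ == "__main__":
    versions = [TLS12, TLS11, TLS10, SSL30]
    # Attacker blocks everything above SSL 3.0 (the POODLE setup).
    print(negotiate(versions, TLS12, False, SSL30))   # legacy client ends up on SSL 3.0
    print(negotiate(versions, TLS12, True, SSL30))    # SCSV client: server aborts, alert 86
```

The last assertion case worth noting is an old server whose highest version really is TLS 1.0: the SCSV is present but the offered version is not below the server's highest, so the handshake proceeds and the fix does not break legitimate fallback.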
The mingw-openssl and mingw-jasper packages have been upgraded to the latest
upstream version, which provides a number of bug fixes and enhancements over
the previous version. (BZ#1187585)

This update also fixes the following bugs:

* Previously, a guest system installed with tools incorrectly always started
in full screen mode, even when the "Open in Full Screen" option was
unchecked in console options. Now, when connecting in window mode with the
option unchecked, the guest system starts in a window as expected.
(BZ#1172126)

* Prior to this update, copying and pasting of images from the client to
the guest did not work when spice-gtk was built from upstream. Now, images
can be copied and pasted without problems. (BZ#1187270)

In addition, this update adds the following enhancement:

* Administrators now have the option of automatic multiuser installation of
virt-viewer onto many client workstations. (BZ#1187272)

All rhevm-spice-client users are advised to upgrade to these updated
packages, which correct these issues and add this enhancement.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

461476 - CVE-2008-3520 jasper: multiple integer overflows in jas_alloc calls
461478 - CVE-2008-3522 jasper: possible buffer overflow in jas_stream_printf()
747726 - CVE-2011-4516 CVE-2011-4517 jasper: heap buffer overflow flaws lead to arbitrary code execution (CERT VU#887409)
1167537 - CVE-2014-9029 jasper: incorrect component number check in COC, RGN and QCC marker segment decoders (oCERT-2014-009)
1172126 - always fullscreen for SPICE-xpi
1173157 - CVE-2014-8137 jasper: double-free in jas_iccattrval_destroy() (oCERT-2014-012)
1173162 - CVE-2014-8138 jasper: heap overflow in jp2_decode() (oCERT-2014-012)
1179282 - CVE-2014-8157 jasper: dec->numtiles off-by-one check in jpc_dec_process_sot() (oCERT-2015-001)
1179298 - CVE-2014-8158 jasper: unrestricted stack memory use in jpc_qmfb.c (oCERT-2015-001)
1187270 - copy/paste images does not work -- images are truncated

6. Package List:

RHEV-M 3.5:

Source:
rhevm-spice-client-3.5-3.el6.src.rpm

noarch:
rhevm-spice-client-x64-cab-3.5-3.el6.noarch.rpm
rhevm-spice-client-x64-msi-3.5-3.el6.noarch.rpm
rhevm-spice-client-x86-cab-3.5-3.el6.noarch.rpm
rhevm-spice-client-x86-msi-3.5-3.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2008-3520
https://access.redhat.com/security/cve/CVE-2008-3522
https://access.redhat.com/security/cve/CVE-2011-4516
https://access.redhat.com/security/cve/CVE-2011-4517
https://access.redhat.com/security/cve/CVE-2014-8137
https://access.redhat.com/security/cve/CVE-2014-8138
https://access.redhat.com/security/cve/CVE-2014-8157
https://access.redhat.com/security/cve/CVE-2014-8158
https://access.redhat.com/security/cve/CVE-2014-9029
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.