[RHSA-2010:0478-01] Moderate: Red Hat Enterprise Virtualization Manager security update

bugzilla at redhat.com
Tue Jun 22 13:55:29 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Enterprise Virtualization Manager security update
Advisory ID:       RHSA-2010:0478-01
Product:           Red Hat Enterprise Virtualization
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0478.html
Issue date:        2010-06-22
CVE Names:         CVE-2010-2224
=====================================================================

1. Summary:

Red Hat Enterprise Virtualization Manager 2.2 is now available for Red Hat
Enterprise Virtualization.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Description:

Red Hat Enterprise Virtualization Manager is a visual tool for centrally
managing collections of virtual servers running Red Hat Enterprise Linux
and Microsoft Windows. This package also includes the Red Hat Enterprise
Virtualization Manager API, a set of scriptable commands that give
administrators the ability to perform queries and operations on Red Hat
Enterprise Virtualization Manager. Major changes in version 2.2 include an
import and export capability, and desktop support (VDI).

It was found that Red Hat Enterprise Virtualization Manager did not
correctly pass the postzero parameter for deleted volumes after snapshot
merging. This resulted in such volumes not being securely deleted as
expected. A guest user in a new, raw virtual machine (VM), created in a
data domain that has had VMs deleted from it, could use this flaw to read
limited data from those deleted VMs, potentially disclosing sensitive
information. (CVE-2010-2224)
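The flaw above comes down to one missing step: when a volume is freed after a snapshot merge, its blocks are supposed to be zero-filled ("postzero") before the space goes back to the storage domain, so that the next raw volume allocated from that space starts out empty. The following Python is an added illustration, not code from the advisory or from RHEV-M, showing what that step does and how an administrator can audit a released raw volume for leftover data. It models a volume as an ordinary file; the names `release_volume`, `first_nonzero_offset` and `audit_zeroed`, and the "sensitive" payload, are constructed for this example and are not RHEV-M or VDSM interfaces.

```python
"""Added example (not part of RHSA-2010:0478): model the missing 'postzero'
step and audit a raw volume for residual data.

Simplifications: a storage-domain volume is represented by a plain file,
and the helper names below are invented for this illustration.
"""
import os
import tempfile

CHUNK = 1 << 20  # read/write in 1 MiB pieces so large volumes do not fill RAM


def release_volume(path: str, postzero: bool) -> None:
    """Simulate giving a volume's space back to the storage domain.

    postzero=True overwrites every block with zeros first (the intended
    behaviour). postzero=False leaves the old contents in place, which is
    what the advisory describes for volumes deleted after a snapshot merge.
    """
    if not postzero:
        return
    remaining = os.path.getsize(path)
    with open(path, "r+b") as f:
        while remaining:
            n = min(CHUNK, remaining)
            f.write(b"\0" * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # make sure the zeros actually reach the disk


def first_nonzero_offset(path: str) -> int:
    """Return the offset of the first non-zero byte, or -1 if the whole
    volume is zero. This is the audit an administrator would run against a
    volume that should have been zero-filled before reuse."""
    offset = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return -1
            if chunk.count(0) != len(chunk):  # some byte in this chunk is non-zero
                for i, b in enumerate(chunk):
                    if b:
                        return offset + i
            offset += len(chunk)


def audit_zeroed(path: str) -> bool:
    """True if the volume contains no residual data at all."""
    return first_nonzero_offset(path) == -1


def demo() -> dict:
    """Build two constructed volumes holding the same stand-in guest data,
    release one without postzero and one with it, then audit both.
    Returns {volume name: (zeroed?, first non-zero offset)}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, postzero in (("merged-no-postzero", False),
                               ("merged-postzero", True)):
            path = os.path.join(d, name + ".raw")
            with open(path, "wb") as f:
                f.write(b"\0" * 4096)
                f.write(b"CONSTRUCTED-GUEST-DATA")  # stands in for VM contents
                f.write(b"\0" * 4096)
            release_volume(path, postzero=postzero)
            results[name] = (audit_zeroed(path), first_nonzero_offset(path))
    return results


if __name__ == "__main__":
    for name, (clean, off) in demo().items():
        print(f"{name}: zeroed={clean} first_nonzero_offset={off}")
```

Against a real data domain the audit would be run by root against the logical volume's block device rather than a file, but the scan loop is the same. The point of the chunked, offset-reporting scan is that an audit of a multi-gigabyte volume should say where the leftover data starts, not just that it exists, so the operator can tell a stray partition header from a full prior disk image.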

This update provides updated components that include fixes for security
issues; however, these issues have no security impact for Red Hat
Enterprise Virtualization Manager. These fixes are for expat issues
CVE-2009-3560 and CVE-2009-3720; libpng issues CVE-2007-5266,
CVE-2007-5267, CVE-2007-5268, CVE-2007-5269, CVE-2008-1382, CVE-2008-5907,
CVE-2008-6218, CVE-2009-0040, CVE-2009-2042, and CVE-2010-0205; and openssl
issues CVE-2008-5077, CVE-2009-0590, CVE-2009-1377, CVE-2009-1378,
CVE-2009-1379, CVE-2009-1386, CVE-2009-1387, CVE-2009-2409, CVE-2009-3555,
CVE-2009-4355, and CVE-2010-0433.

This update also fixes several bugs and adds several enhancements.
Documentation for these bug fixes and enhancements is available from
http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization/2.2/html/Servers-Manager_Security_Update

All Red Hat Enterprise Virtualization Manager users should install this
updated package, which corrects this issue, and fixes the bugs and adds the
enhancements noted in the "Manager Security Update" document, linked to in
the References.

3. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

4. Bugs fixed (http://bugzilla.redhat.com/):

606774 - CVE-2010-2224 rhev-m: merge snapshot does not pass postzero parameter for deleted volumes

5. References:

https://www.redhat.com/security/data/cve/CVE-2010-2224.html
http://www.redhat.com/security/updates/classification/#moderate
http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization/2.2/html/Servers-Manager_Security_Update

6. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMIMCaXlSAg2UNWIIRAkerAJ0RLOcPbgflx/pmBplqjSrH6GPVJwCfaLil
MHpoP12H0ehkaNc7K5cF7Vo=
=Aq+d
-----END PGP SIGNATURE-----
