[RHSA-2013:1155-01] Moderate: rhev 3.2.2 - vdsm security and bug fix update

bugzilla at redhat.com bugzilla at redhat.com
Tue Aug 13 16:34:56 UTC 2013 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rhev 3.2.2 - vdsm security and bug fix update
Advisory ID:       RHSA-2013:1155-01
Product:           Red Hat Enterprise Virtualization
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1155.html
Issue date:        2013-08-13
CVE Names:         CVE-2013-4236 
=====================================================================

1. Summary:

Updated vdsm packages that fix one security issue and various bugs are now
available.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

RHEV-M 3.2 - noarch, x86_64

3. Description:

VDSM is a management module that serves as a Red Hat Enterprise
Virtualization Manager agent on Red Hat Enterprise Virtualization
Hypervisor or Red Hat Enterprise Linux hosts. 

It was found that the fix for CVE-2013-0167 released via RHSA-2013:0886
was incomplete. A privileged guest user could potentially use this flaw to
make the host the guest is running on unavailable to the management
server. (CVE-2013-4236)

This issue was found by David Gibson of Red Hat.

This update also fixes the following bugs:

* Previously, failure to move a disk produced a 'truesize' exit message,
which was not informative. Now, failure to move a disk produces a more
helpful error message explaining that the volume is corrupted or missing.
(BZ#985556)

* The LVM filter has been updated to only access physical volumes by full
/dev/mapper paths in order to improve performance. This replaces the
previous behavior of scanning all devices including logical volumes on
physical volumes. (BZ#983599)

* The log collector now collects /var/log/sanlock.log from Hypervisors, to
assist in debugging sanlock errors. (BZ#987042)

* When the poollist parameter was not defined, dumpStorageTable crashed,
causing SOS report generation to fail with the error 'IndexError: list
index out of range'. VDSM now handles this exception, so the log collector
can generate host SOS reports. (BZ#985069)

* Previously, VDSM used the memAvailable parameter to report available
memory on a host, which could return negative values if memory
overcommitment was in use. Now, the new memFree parameter returns the
actual amount of free memory on a host. (BZ#982639)

All users managing Red Hat Enterprise Linux Virtualization hosts using Red
Hat Enterprise Virtualization Manager are advised to install these updated
packages, which fix these issues.

These updated packages will be provided to users of Red Hat Enterprise
Virtualization Hypervisor in the next rhev-hypervisor6 errata package.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

982639 - vdsm is reporting negative values for available memory
983599 - Change lvm filter to access RHEV PVs only by full path /dev/mapper/wwid
985556 - vdsm: failure to move disk with 'truesize' error in vdsm will show the same exit message in event log
987042 - logcollector does not collect /var/log/sanlock.log from hypervisors
996166 - CVE-2013-4236 vdsm: incomplete fix for CVE-2013-0167 issue

6. Package List:

RHEV-M 3.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEV/SRPMS/vdsm-4.10.2-24.0.el6ev.src.rpm

noarch:
vdsm-bootstrap-4.10.2-24.0.el6ev.noarch.rpm

x86_64:
vdsm-debuginfo-4.10.2-24.0.el6ev.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4236.html
https://access.redhat.com/security/updates/classification/#moderate
https://rhn.redhat.com/errata/RHSA-2013-0886.html

8. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSCmAZXlSAg2UNWIIRAqIRAJ9D70fPR7Wq/oKmDABSHoVtyJFm9wCdHKw7
MC7qW2JIgNTVr4Ds6jcJGdw=
=GJwc
-----END PGP SIGNATURE-----

More information about the RHSA-announce mailing list