[RHSA-2021:4626-08] Moderate: RHV Manager (ovirt-engine) security update [ovirt-4.4.9]

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Tue Nov 16 20:42:03 UTC 2021 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: RHV Manager (ovirt-engine) security update [ovirt-4.4.9]
Advisory ID:       RHSA-2021:4626-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4626
Issue date:        2021-11-16
CVE Names:         CVE-2020-7733 CVE-2020-28469 
=====================================================================

1. Summary:

Updated ovirt-engine packages that fix several bugs and add various
enhancements are now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

3. Description:

The ovirt-engine package provides the manager for virtualization
environments.
This manager enables admins to define hosts and networks, as well as to add
storage, create VMs and manage user permissions.

A list of bugs fixed in this update is available in the Technical Notes
book:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Security Fix(es):

* nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

* nodejs-ua-parser-js: Regular expression denial of service via the regex
(CVE-2020-7733)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1352501 - [RFE] LUKs key management on RHV
1879733 - CVE-2020-7733 nodejs-ua-parser-js: Regular expression denial of service via the regex
1940991 - Hot plugging memory then hot unplugging the same memory on a RHEL 8 VM via API, after repeating the process several times the Defined Memory value in RHV-M and free command on the VM go out of sync, displaying completely different values
1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service
1957830 - Creating thin disk from VM Portal on block storage fails
1971802 - Connection timeout when DNS server timeouts for IPv6 address resolution in mixed IPv4/IPv6 environments
1977232 - Create template broken with block storage
1977276 - Uploading ISO through RHV-M portal intermittently fails with error "Failed to add disk for image transfer command"
1979730 - Windows VM ends up with ghost NIC and missing secondary disks machine type changes from pc-q35-rhel8.3.0 to pc-q35-rhel8.4.0
1989324 - rhv-image-discrepancies should skip OVF_STORE
1992690 - [RFE] Customize 'oVirt Inventory Dashboard' to include cluster wide information about 'CPUs Overcommit' and 'Running VMs - CPU Cores vs. Total Hosts-CPU Cores'
2000364 - Engine fails to start, unable to read cloud-init network config from stateless snapshot configuration.
2001551 - Allow more granular checks with rhv-image-discrepancies
2001944 - Always log exception message which is raised during inserting into audit_log
2004444 - Try to enable cinderlib repos on host during host upgrade
2007550 - Change type of disk write/read rate from integer to long
2014017 - Can not download VM disks due to 'Cannot transfer Virtual Disk: Disk is locked'

6. Package List:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
ovirt-engine-4.4.9.2-0.6.el8ev.src.rpm
ovirt-engine-dwh-4.4.9.1-1.el8ev.src.rpm
ovirt-engine-extension-aaa-ldap-1.4.5-1.el8ev.src.rpm
ovirt-engine-metrics-1.4.4-1.el8ev.src.rpm
ovirt-web-ui-1.7.2-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.11-1.el8ev.src.rpm

noarch:
ovirt-engine-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-backend-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-dwh-4.4.9.1-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.4.9.1-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.4.9.1-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-1.4.5-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-setup-1.4.5-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-metrics-1.4.4-1.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-tools-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-web-ui-1.7.2-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.4.9.2-0.6.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.11-1.el8ev.noarch.rpm
rhvm-4.4.9.2-0.6.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-7733
https://access.redhat.com/security/cve/CVE-2020-28469
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

8. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYZQXm9zjgjWX9erEAQgfGA//cT9M+SSFfEmyYDBEfwRL7zqst+bjsxJ5
B37q+1Ebo0JWHAsIgh0oluQ7WssqzCQp02bd4pZ3Mn8L0VzJ8/7ZO1czgHcjGxUN
gew4JY3+wX3Bm2z16EwgMwuG4h9KZ9wajwe4oLvZGVny5bj/qc7Jb4yh1pw9IHIA
rm3b4pSGxbqUh9cmiLMvf1gsIvLyHL3J5xu73TEjrFB8oSM4KnpC6Uqs5HMk/Qu6
6LRZpqFb+cOrLn7tarxIqZi9BODGo0jM6KImLZpWSQuiSeSlF7SuBAY8WtjRH9Yh
bxl46OyPDk88pu4sHWVI7acM/ngkCDb6WCIigBqf0NlzVl2RSY42cd9n8sQrAMSg
JRD3OpzZqMKVDfnoQEtxQrZCQJYLIgu0ALhZE5JwmzyuoK0EdMTs4xvStKB03cRy
aVwXbol30esQCbk078kXROpgTB4GC+afBfAZqUb9K1XkngTfC/+hOUnvQgKruZ3H
n4CB22UUGYJpqDhCqd+c+OssxTLp5qhhneruiayrxZyTYGrnmog4AaFvK5vdOz4u
ofJHvb3z+s8Yjl0z50lQP3CzFdJfncYVwpsJxCa2dFwK6cKajiudP1aldx73Uyz7
Bxsr4hc2rmXmz70K5QhfuTN6Uz3qWNnxNFXDzZm+6+o98exRfqcI/Uuzdk7A6kMx
o+zXeXdIuqM=
=TrU3
-----END PGP SIGNATURE-----

More information about the RHSA-announce mailing list