A RHV Manager (ovirt-engine) security update has been released.
RHSA-2021:4626-08: Moderate: RHV Manager (ovirt-engine) security update ovirt-4.4.9:
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: RHV Manager (ovirt-engine) security update [ovirt-4.4.9]
Advisory ID: RHSA-2021:4626-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2021:4626
Issue date: 2021-11-16
CVE Names: CVE-2020-7733 CVE-2020-28469
=====================================================================
1. Summary:
Updated ovirt-engine packages that fix several bugs and add various
enhancements are now available.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch
3. Description:
The ovirt-engine package provides the manager for virtualization
environments.
This manager enables admins to define hosts and networks, as well as to add
storage, create VMs and manage user permissions.
A list of bugs fixed in this update is available in the Technical Notes
book:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes
Security Fix(es):
* nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)
* nodejs-ua-parser-js: Regular expression denial of service via the regex
(CVE-2020-7733)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/2974891
5. Bugs fixed ( https://bugzilla.redhat.com/):
1352501 - [RFE] LUKs key management on RHV
1879733 - CVE-2020-7733 nodejs-ua-parser-js: Regular expression denial of service via the regex
1940991 - Hot plugging memory then hot unplugging the same memory on a RHEL 8 VM via API, after repeating the process several times the Defined Memory value in RHV-M and free command on the VM go out of sync, displaying completely different values
1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service
1957830 - Creating thin disk from VM Portal on block storage fails
1971802 - Connection timeout when DNS server timeouts for IPv6 address resolution in mixed IPv4/IPv6 environments
1977232 - Create template broken with block storage
1977276 - Uploading ISO through RHV-M portal intermittently fails with error "Failed to add disk for image transfer command"
1979730 - Windows VM ends up with ghost NIC and missing secondary disks machine type changes from pc-q35-rhel8.3.0 to pc-q35-rhel8.4.0
1989324 - rhv-image-discrepancies should skip OVF_STORE
1992690 - [RFE] Customize 'oVirt Inventory Dashboard' to include cluster wide information about 'CPUs Overcommit' and 'Running VMs - CPU Cores vs. Total Hosts-CPU Cores'
2000364 - Engine fails to start, unable to read cloud-init network config from stateless snapshot configuration.
2001551 - Allow more granular checks with rhv-image-discrepancies
2001944 - Always log exception message which is raised during inserting into audit_log
2004444 - Try to enable cinderlib repos on host during host upgrade
2007550 - Change type of disk write/read rate from integer to long
2014017 - Can not download VM disks due to 'Cannot transfer Virtual Disk: Disk is locked'
6. Package List:
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:
Source:
ovirt-engine-4.4.9.2-0.6.el8ev.src.rpm
ovirt-engine-dwh-4.4.9.1-1.el8ev.src.rpm
ovirt-engine-extension-aaa-ldap-1.4.5-1.el8ev.src.rpm
ovirt-engine-metrics-1.4.4-1.el8ev.src.rpm
ovirt-web-ui-1.7.2-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.11-1.el8ev.src.rpm
noarch:
ovirt-engine-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-backend-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-dwh-4.4.9.1-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.4.9.1-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.4.9.1-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-1.4.5-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-setup-1.4.5-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-metrics-1.4.4-1.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-tools-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-web-ui-1.7.2-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.4.9.2-0.6.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.11-1.el8ev.noarch.rpm
rhvm-4.4.9.2-0.6.el8ev.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-7733
https://access.redhat.com/security/cve/CVE-2020-28469
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.