-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Low: RHV-M(ovirt-engine) 4.4.z security, bug fix, enhancement update [ovirt-4.4.4] Advisory ID: RHSA-2021:0381-01 Product: Red Hat Virtualization Advisory URL: https://access.redhat.com/errata/RHSA-2021:0381 Issue date: 2021-02-02 CVE Names: CVE-2020-25649 ===================================================================== 1. Summary: Updated ovirt-engine packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch 3. Description: The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning. The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a VM Portal, and a Representational State Transfer (REST) Application Programming Interface (API). Security Fix(es): * jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) (CVE-2020-25649) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Red Hat Virtualization Manager now requires Ansible 2.9.15. (BZ#1901946) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/2974891 5. Bugs fixed (https://bugzilla.redhat.com/): 1627997 - [RFE] Allow SPM switching if all tasks have finished via REST-API 1702237 - [RFE] add API for listing disksnapshots under disk resource 1796231 - VM disk remains in locked state if image transfer (image download) timesout due to inactivity. 1868114 - RHV-M UI/Webadmin: The "Disk Snapshots" tab reflects incorrect "Creation Date" information. 1875951 - Disk hot-unplug fails on engine side with NPE in setDiskVmElements after unplugging from the VM. 1879655 - [RFE] Implement searching VM's with partial name or case sensitive vm names in VM Portal. 1880015 - oVirt metrics example Kibana dashboards are broken in Kibana 7.x 1881115 - RHEL VM icons squashed, please adhere to brand rules 1881357 - German language greeting page says Red Hat® 1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) 1893035 - rhv-log-collector-analyzer: check for double quotes in IPTablesConfigSiteCustom 1894298 - ModuleNotFoundError: No module named 'ovirt_engine' raised when starting ovirt-engine-dwhd.py in dev env 1901946 - [RFE] Bump ovirt-engine version lock to the newest Ansible version 1903385 - RFE: rhv-image-discrepancies should report if the truesize from VDSM has different size in images in the engine. 1903595 - [PPC] Can't add PPC host to Engine 6. Package List: RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4: Source: ovirt-engine-4.4.4.5-0.10.el8ev.src.rpm ovirt-engine-dwh-4.4.4.2-1.el8ev.src.rpm ovirt-web-ui-1.6.6-1.el8ev.src.rpm rhv-log-collector-analyzer-1.0.6-1.el8ev.src.rpm rhvm-branding-rhv-4.4.7-1.el8ev.src.rpm vdsm-jsonrpc-java-1.6.0-1.el8ev.src.rpm noarch: ovirt-engine-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-backend-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-dbscripts-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-dwh-4.4.4.2-1.el8ev.noarch.rpm ovirt-engine-dwh-grafana-integration-setup-4.4.4.2-1.el8ev.noarch.rpm ovirt-engine-dwh-setup-4.4.4.2-1.el8ev.noarch.rpm ovirt-engine-health-check-bundler-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-restapi-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-base-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-plugin-cinderlib-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-plugin-imageio-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-common-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-plugin-websocket-proxy-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-tools-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-tools-backup-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-vmconsole-proxy-helper-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-webadmin-portal-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-websocket-proxy-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-web-ui-1.6.6-1.el8ev.noarch.rpm python3-ovirt-engine-lib-4.4.4.5-0.10.el8ev.noarch.rpm rhv-log-collector-analyzer-1.0.6-1.el8ev.noarch.rpm rhvm-4.4.4.5-0.10.el8ev.noarch.rpm rhvm-branding-rhv-4.4.7-1.el8ev.noarch.rpm vdsm-jsonrpc-java-1.6.0-1.el8ev.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-25649 https://access.redhat.com/security/updates/classification/#low 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYBlba9zjgjWX9erEAQhjzQ/9E966aSphBTdfmsL3Upuj4b2vmhXuDcea r+XD21Q8GkvTK0s4yB7q+Vn/TPquTAVkX13AW+tHHM0sp4NfMB+c6Anzogw2AHq9 o/5aeiB+CJdDX2IwHhPDCioPVpZt4cHYCDeNGUfa7tww7b91y72kJQTbQ/GvnHvj bGlZ4RTkA1tmSEA/JC0ZzUasIKXidNFK88D755dbyWFxlz3HMkXV/FuDOO1NwtGw JMH/knAtkN/z9rrYFKotO8wHzt/PfG/V09taK5vogMqVJIpYXDtxwOfer6HjyLsC 9H/jAAYjKL/SQO2Dgsh7VMCEZ4Qlut+ahcbsg/L0dGOLq9OFngdusxTqqhUR9UIb AqFfniY/xwdddfaFVKnI2CVr0QU6hWTj8wFgBdCbMd80zmanVwpk1lLnlex3bjn2 T52CbKABXhV8RDuGdLQyGgfXksYVaKoLeTnqC9nSfMeQ62PEqq0iLNtYDi5EjqLd ijiB9+NmB/e0vjU5TSsKaD9Rpf6KbFRUwep8ygSwApMQ8H4CQ2HCy5v4GxsQFYFK OeA2uJmZT9ELvfOybgwdzV9XWF4R9MnbgYuWrh75Cc5v3FCz2CbwddZy5QdPiRhn k4n6RFelAAvulO8WbkJ0N90EIC7nI2d7S3MgaO+gFWoDIuNnedqDU0Ydp9ZN9DHd P8Fb7Gf1V+M= =XP00 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce