=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: RHV Manager (ovirt-engine) security update [ovirt-4.4.9]
Advisory ID:       RHSA-2021:4626-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4626
Issue date:        2021-11-16
CVE Names:         CVE-2020-7733 CVE-2020-28469
=====================================================================

1. Summary:

Updated ovirt-engine packages that fix several bugs and add various
enhancements are now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

3. Description:

The ovirt-engine package provides the manager for virtualization
environments. This manager enables admins to define hosts and networks, as
well as to add storage, create VMs and manage user permissions.

A list of bugs fixed in this update is available in the Technical Notes
book:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Security Fix(es):

* nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

* nodejs-ua-parser-js: Regular expression denial of service via the regex
(CVE-2020-7733)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1352501 - [RFE] LUKs key management on RHV
1879733 - CVE-2020-7733 nodejs-ua-parser-js: Regular expression denial of service via the regex
1940991 - Hot plugging memory then hot unplugging the same memory on a RHEL 8 VM via API, after repeating the process several times the Defined Memory value in RHV-M and free command on the VM go out of sync, displaying completely different values
1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service
1957830 - Creating thin disk from VM Portal on block storage fails
1971802 - Connection timeout when DNS server timeouts for IPv6 address resolution in mixed IPv4/IPv6 environments
1977232 - Create template broken with block storage
1977276 - Uploading ISO through RHV-M portal intermittently fails with error "Failed to add disk for image transfer command"
1979730 - Windows VM ends up with ghost NIC and missing secondary disks machine type changes from pc-q35-rhel8.3.0 to pc-q35-rhel8.4.0
1989324 - rhv-image-discrepancies should skip OVF_STORE
1992690 - [RFE] Customize 'oVirt Inventory Dashboard' to include cluster wide information about 'CPUs Overcommit' and 'Running VMs - CPU Cores vs. Total Hosts-CPU Cores'
2000364 - Engine fails to start, unable to read cloud-init network config from stateless snapshot configuration.
2001551 - Allow more granular checks with rhv-image-discrepancies
2001944 - Always log exception message which is raised during inserting into audit_log
2004444 - Try to enable cinderlib repos on host during host upgrade
2007550 - Change type of disk write/read rate from integer to long
2014017 - Can not download VM disks due to 'Cannot transfer Virtual Disk: Disk is locked'

6. Package List:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
ovirt-engine-4.4.9.2-0.6.el8ev.src.rpm
ovirt-engine-dwh-4.4.9.1-1.el8ev.src.rpm
ovirt-engine-extension-aaa-ldap-1.4.5-1.el8ev.src.rpm
ovirt-engine-metrics-1.4.4-1.el8ev.src.rpm
ovirt-web-ui-1.7.2-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.11-1.el8ev.src.rpm

noarch:
ovirt-engine-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-backend-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-dwh-4.4.9.1-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.4.9.1-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.4.9.1-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-1.4.5-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-setup-1.4.5-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-metrics-1.4.4-1.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-tools-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.4.9.2-0.6.el8ev.noarch.rpm
ovirt-web-ui-1.7.2-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.4.9.2-0.6.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.11-1.el8ev.noarch.rpm
rhvm-4.4.9.2-0.6.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-7733
https://access.redhat.com/security/cve/CVE-2020-28469
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
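A check a defender might run against the Package List in section 6 above, added here as an example that is not part of the advisory or of Red Hat's tooling: it compares installed name and version-release pairs (a constructed `rpm -qa` sample, not real host data) with the fixed noarch builds named in the advisory, using a simplified rpmvercmp that omits epoch handling and the `~`/`^` rules.

```python
"""Compare installed RPM version-release pairs with the fixed builds in RHSA-2021:4626."""
import re

# Fixed noarch builds taken from the advisory's Package List (name -> version-release).
FIXED = {
    "ovirt-engine": "4.4.9.2-0.6.el8ev",
    "ovirt-engine-backend": "4.4.9.2-0.6.el8ev",
    "ovirt-web-ui": "1.7.2-1.el8ev",
    "rhv-log-collector-analyzer": "1.0.11-1.el8ev",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output; not real host data.
SAMPLE_RPM_QA = """\
ovirt-engine 4.4.8.6-0.1.el8ev
ovirt-engine-backend 4.4.9.2-0.6.el8ev
ovirt-web-ui 1.7.1-1.el8ev
python3-ovirt-engine-lib 4.4.10-0.1.el8ev
"""

def rpm_vercmp(a, b):
    """Simplified rpmvercmp returning -1, 0 or 1 (the '~' and '^' rules are omitted)."""
    # Tokenise like rpm: runs of digits or letters; separators such as '.' are dropped.
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:                       # numeric segments compare as integers
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:                      # a numeric segment is newer than an alphabetic one
            return 1 if xd else -1
        elif x != y:                        # alphabetic segments compare as strings
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release (epoch assumed equal)."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)

def vulnerable_packages(rpm_qa_output, fixed=FIXED):
    """Return {name: installed version-release} for listed packages older than the fixed build."""
    older = {}
    for line in rpm_qa_output.splitlines():
        name, _, vr = line.strip().partition(" ")
        if name in fixed and evr_cmp(vr, fixed[name]) < 0:
            older[name] = vr
    return older
```

Packages not named in FIXED are ignored, so a host whose only listed packages are at or above the fixed build yields an empty result.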