-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: RHV RHEL Host (ovirt-host) [ovirt-4.5.2] security update
Advisory ID:       RHSA-2022:6392-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6392
Issue date:        2022-09-08
CVE Names:         CVE-2022-31129
====================================================================

1. Summary:

Updated host packages that fix several bugs and add various enhancements
are now available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Virtualization 4 Hypervisor for RHEL 8 - noarch, x86_64
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - noarch, ppc64le, x86_64

3. Description:

The ovirt-host package consolidates host package requirements into a
single meta package.

Security Fix(es):

* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* The hosted-engine-ha binaries have been moved from /usr/share to
/usr/libexec. As a result, the hosted-engine --clean-metadata command
fails. With this release, you must use the new path for the command to
succeed: /usr/libexec/ovirt-hosted-engine-ha/ovirt-ha-agent (BZ#2105781)

* A new warning has been added to the vdsm-tool to protect users from using
the unsupported user_friendly_names multipath configuration. The following
is an example of the output:

    $ vdsm-tool is-configured --module multipath
    WARNING: Invalid configuration: 'user_friendly_names' is enabled in multipath configuration:
      section1 {
        key1 value1
        user_friendly_names yes
        key2 value2
      }
      section2 {
        user_friendly_names yes
      }
      This configuration is not supported and may lead to storage domain corruption.

(BZ#1793207)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1793207 - [RFE] Notify if multipath User Friendly Names are used
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
2105781 - hosted-engine --clean-metadata fails because ovirt-ha-agent has changed location
2117558 - hosted-engine deploy failed since "Failed to configure OVN controller"

6. Package List:

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts:

Source:
cockpit-ovirt-0.16.2-1.el8ev.src.rpm
mom-0.6.3-1.el8ev.src.rpm
ovirt-host-4.5.0-3.1.el8ev.src.rpm
ovirt-hosted-engine-setup-2.6.5-1.1.el8ev.src.rpm
vdsm-4.50.2.2-1.el8ev.src.rpm

noarch:
cockpit-ovirt-dashboard-0.16.2-1.el8ev.noarch.rpm
mom-0.6.3-1.el8ev.noarch.rpm
ovirt-hosted-engine-setup-2.6.5-1.1.el8ev.noarch.rpm
vdsm-api-4.50.2.2-1.el8ev.noarch.rpm
vdsm-client-4.50.2.2-1.el8ev.noarch.rpm
vdsm-common-4.50.2.2-1.el8ev.noarch.rpm
vdsm-hook-cpuflags-4.50.2.2-1.el8ev.noarch.rpm
vdsm-hook-ethtool-options-4.50.2.2-1.el8ev.noarch.rpm
vdsm-hook-fcoe-4.50.2.2-1.el8ev.noarch.rpm
vdsm-hook-localdisk-4.50.2.2-1.el8ev.noarch.rpm
vdsm-hook-nestedvt-4.50.2.2-1.el8ev.noarch.rpm
vdsm-hook-openstacknet-4.50.2.2-1.el8ev.noarch.rpm
vdsm-hook-vhostmd-4.50.2.2-1.el8ev.noarch.rpm
vdsm-http-4.50.2.2-1.el8ev.noarch.rpm
vdsm-jsonrpc-4.50.2.2-1.el8ev.noarch.rpm
vdsm-python-4.50.2.2-1.el8ev.noarch.rpm
vdsm-yajsonrpc-4.50.2.2-1.el8ev.noarch.rpm

ppc64le:
ovirt-host-4.5.0-3.1.el8ev.ppc64le.rpm
ovirt-host-dependencies-4.5.0-3.1.el8ev.ppc64le.rpm
vdsm-4.50.2.2-1.el8ev.ppc64le.rpm
vdsm-hook-checkips-4.50.2.2-1.el8ev.ppc64le.rpm
vdsm-hook-extra-ipv4-addrs-4.50.2.2-1.el8ev.ppc64le.rpm
vdsm-network-4.50.2.2-1.el8ev.ppc64le.rpm

x86_64:
ovirt-host-4.5.0-3.1.el8ev.x86_64.rpm
ovirt-host-dependencies-4.5.0-3.1.el8ev.x86_64.rpm
vdsm-4.50.2.2-1.el8ev.x86_64.rpm
vdsm-gluster-4.50.2.2-1.el8ev.x86_64.rpm
vdsm-hook-checkips-4.50.2.2-1.el8ev.x86_64.rpm
vdsm-hook-extra-ipv4-addrs-4.50.2.2-1.el8ev.x86_64.rpm
vdsm-network-4.50.2.2-1.el8ev.x86_64.rpm

Red Hat Virtualization 4 Hypervisor for RHEL 8:

Source:
vdsm-4.50.2.2-1.el8ev.src.rpm

noarch:
vdsm-hook-cpuflags-4.50.2.2-1.el8ev.noarch.rpm
vdsm-hook-ethtool-options-4.50.2.2-1.el8ev.noarch.rpm
vdsm-hook-fcoe-4.50.2.2-1.el8ev.noarch.rpm
vdsm-hook-localdisk-4.50.2.2-1.el8ev.noarch.rpm
vdsm-hook-nestedvt-4.50.2.2-1.el8ev.noarch.rpm
vdsm-hook-openstacknet-4.50.2.2-1.el8ev.noarch.rpm
vdsm-hook-vhostmd-4.50.2.2-1.el8ev.noarch.rpm

x86_64:
vdsm-hook-checkips-4.50.2.2-1.el8ev.x86_64.rpm
vdsm-hook-extra-ipv4-addrs-4.50.2.2-1.el8ev.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-31129
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
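
The user_friendly_names condition that the new vdsm-tool warning (BZ#1793207) reports can also be audited on hosts that have not yet received this update. The following Python code is an added example, not vdsm's own implementation; the function name, the constructed sample configuration, and the rule that only the literal value yes (as in the advisory's sample output) counts as enabled are assumptions.

```python
import re

# Constructed sample in multipath.conf syntax; not taken from a real host.
SAMPLE_CONF = """\
# constructed sample
defaults {
    polling_interval 5
    user_friendly_names yes   # unsupported on RHV hosts
}
devices {
    device {
        vendor "EXAMPLE"
        user_friendly_names "yes"
    }
    device {
        vendor "OTHER"
        user_friendly_names no
    }
}
blacklist {
    devnode "^sd[a-z]"
}
"""

# Tokens: quoted string, "#" comment to end of line, a brace, or a bare word.
TOKEN = re.compile(r'"[^"]*"|#.*|[{}]|[^\s{}"#]+')

def find_user_friendly_names(text):
    """Return [(section_path, line_no)] for every section that enables
    user_friendly_names. Assumption: only the value yes means enabled."""
    hits, stack, prev = [], [], None
    for line_no, raw in enumerate(text.splitlines(), 1):
        for tok in TOKEN.findall(raw):
            if tok.startswith("#"):
                break                        # rest of the line is a comment
            if tok == "{":
                stack.append(prev or "?")    # word before "{" names the section
            elif tok == "}":
                if stack:
                    stack.pop()
            elif prev == "user_friendly_names" and tok.strip('"') == "yes":
                hits.append(("/".join(stack), line_no))
            prev = tok
    return hits

if __name__ == "__main__":
    for section, line_no in find_user_friendly_names(SAMPLE_CONF):
        print(f"user_friendly_names enabled in {section} (line {line_no})")
```

On a host, pass the function the contents of the multipath configuration file; an empty result means no section enables the setting.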
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce