-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2010.0746
Important: rhev-hypervisor security and bug fix update
20 August 2010

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           rhev-hypervisor
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Virtualization Hypervisor 5
Impact/Access:     Increased Privileges -- Existing Account
                   Denial of Service -- Remote with User Interaction
                   Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-2811 CVE-2010-2784 CVE-2010-2541
                   CVE-2010-2527 CVE-2010-2524 CVE-2010-2521
                   CVE-2010-2519 CVE-2010-2500 CVE-2010-2499
                   CVE-2010-2498 CVE-2010-2248 CVE-2010-2244
                   CVE-2010-2226 CVE-2010-2070 CVE-2010-2066
                   CVE-2010-1797 CVE-2010-1084 CVE-2010-0435
                   CVE-2010-0431 CVE-2010-0429 CVE-2010-0428
                   CVE-2010-0212 CVE-2010-0211 CVE-2009-0758

Reference:         ESB-2010.0720

Original Bulletin:
   https://rhn.redhat.com/errata/RHSA-2010-0622.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis:          Important: rhev-hypervisor security and bug fix update
Advisory ID:       RHSA-2010:0622-01
Product:           Red Hat Enterprise Virtualization
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0622.html
Issue date:        2010-08-19
CVE Names:         CVE-2010-0428 CVE-2010-0429 CVE-2010-0431
                   CVE-2010-0435 CVE-2010-2784 CVE-2010-2811
=====================================================================

1. Summary:

Updated rhev-hypervisor packages that fix multiple security issues and two
bugs are now available.

The Red Hat Security Response Team has rated this update as having
important security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Virtualization Hypervisor 5 - noarch

3. Description:

The rhev-hypervisor package provides a Red Hat Enterprise Virtualization
Hypervisor ISO disk image. The Red Hat Enterprise Virtualization
Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor.
It includes everything necessary to run and manage virtual machines: A
subset of the Red Hat Enterprise Linux operating environment and the Red
Hat Enterprise Virtualization Agent.

Note: Red Hat Enterprise Virtualization Hypervisor is only available for
the Intel 64 and AMD64 architectures with virtualization extensions.

It was found that the libspice component of QEMU-KVM on the host did not
validate all pointers provided from a guest system's QXL graphics card
driver. A privileged guest user could use this flaw to cause the host to
dereference an invalid pointer, causing the guest to crash (denial of
service) or, possibly, resulting in the privileged guest user escalating
their privileges on the host. (CVE-2010-0428)

It was found that the libspice component of QEMU-KVM on the host could be
forced to perform certain memory management operations on memory addresses
controlled by a guest. A privileged guest user could use this flaw to crash
the guest (denial of service) or, possibly, escalate their privileges on
the host. (CVE-2010-0429)

It was found that QEMU-KVM on the host did not validate all pointers
provided from a guest system's QXL graphics card driver. A privileged guest
user could use this flaw to cause the host to dereference an invalid
pointer, causing the guest to crash (denial of service) or, possibly,
resulting in the privileged guest user escalating their privileges on the
host. (CVE-2010-0431)

A flaw was found in QEMU-KVM, allowing the guest some control over the
index used to access the callback array during sub-page MMIO
initialization. A privileged guest user could use this flaw to crash the
guest (denial of service) or, possibly, escalate their privileges on the
host. (CVE-2010-2784)

A NULL pointer dereference flaw was found when Red Hat Enterprise
Virtualization Hypervisor was run on a system that has a processor with the
Intel VT-x extension enabled. A privileged guest user could use this flaw
to trick the host into emulating a certain instruction, which could crash
the host (denial of service). (CVE-2010-0435)

A flaw was found in the way VDSM accepted SSL connections. An attacker
could trigger this flaw by creating a crafted SSL connection to VDSM,
preventing VDSM from accepting SSL connections from other users.
(CVE-2010-2811)

These updated packages provide updated components that include fixes for
security issues; however, these issues have no security impact for Red Hat
Enterprise Virtualization Hypervisor. These fixes are for avahi issues
CVE-2009-0758 and CVE-2010-2244; freetype issues CVE-2010-1797,
CVE-2010-2498, CVE-2010-2499, CVE-2010-2500, CVE-2010-2519, CVE-2010-2527,
and CVE-2010-2541; kernel issues CVE-2010-1084, CVE-2010-2066,
CVE-2010-2070, CVE-2010-2226, CVE-2010-2248, CVE-2010-2521, and
CVE-2010-2524; and openldap issues CVE-2010-0211 and CVE-2010-0212.

These updated rhev-hypervisor packages also fix two bugs. Documentation for
these bug fixes will be available shortly from
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization_for_Servers/2.2/html/Technical_Notes/index.html

As Red Hat Enterprise Virtualization Hypervisor is based on KVM, the bug
fixes from the KVM update RHSA-2010:0627 have been included in this update.
Also included are the bug fixes from the VDSM update RHSA-2010:0628.

KVM: https://rhn.redhat.com/errata/RHSA-2010-0627.html
VDSM: https://rhn.redhat.com/errata/RHSA-2010-0628.html

Users of Red Hat Enterprise Virtualization Hypervisor are advised to
upgrade to these updated rhev-hypervisor packages, which resolve these
issues.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

568699 - CVE-2010-0428 libspice: Insufficient guest provided pointers validation
568701 - CVE-2010-0429 libspice: Relying on guest provided data structures to indicate memory allocation
568809 - CVE-2010-0431 qemu: Insufficient guest provided pointers validation
570528 - CVE-2010-0435 kvm: vmx null pointer dereference
619411 - CVE-2010-2784 qemu: insufficient constraints checking in exec.c:subpage_register()
622928 - CVE-2010-2811 vdsm: SSL accept() blocks on a non-blocking Connection

6. Package List:

Red Hat Enterprise Virtualization Hypervisor 5:

Source:
rhev-hypervisor-5.5-2.2.6.1.el5_5rhev2_2.src.rpm

noarch:
rhev-hypervisor-5.5-2.2.6.1.el5_5rhev2_2.noarch.rpm
rhev-hypervisor-pxe-5.5-2.2.6.1.el5_5rhev2_2.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-0428.html
https://www.redhat.com/security/data/cve/CVE-2010-0429.html
https://www.redhat.com/security/data/cve/CVE-2010-0431.html
https://www.redhat.com/security/data/cve/CVE-2010-0435.html
https://www.redhat.com/security/data/cve/CVE-2010-2784.html
https://www.redhat.com/security/data/cve/CVE-2010-2811.html
http://www.redhat.com/security/updates/classification/#important
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization_for_Servers/2.2/html/Technical_Notes/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMbax7XlSAg2UNWIIRAs1dAKC+Aw8pQm0UArmWQFnQy6Ils9AF4wCbBqhS
HU6TUfQpofSPFwp/iZD5XJo=
=Cr2o
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFMbf5i/iFOrG6YcBERAvQZAJ0fLCQy4C2SJC/d/w1ZuM6jtSDy/gCfeHcb
TBxj/0Blq+irzVntPiQC4ag=
=e1aZ
-----END PGP SIGNATURE-----
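
Added example (not part of the Red Hat advisory or the AusCERT bulletin): a check that flags hosts whose rhev-hypervisor build is older than the fixed build named in the advisory's package list. The host names and the non-fixed builds in the inventory are constructed, and the comparison is a simplified form of RPM's segment ordering that ignores epochs.

```python
import re

# Fixed builds, taken from the advisory's package list: (version, release).
FIXED = {
    "rhev-hypervisor": ("5.5", "2.2.6.1.el5_5rhev2_2"),
    "rhev-hypervisor-pxe": ("5.5", "2.2.6.1.el5_5rhev2_2"),
}
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Segment-wise RPM string comparison; returns -1, 0 or 1.

    Simplified: epochs and the later '~' / '^' extensions are not handled.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)  # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric beats alphabetic
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def needs_update(nvr):
    """True if a name-version-release string is older than the fixed build."""
    name, version, release = nvr.rsplit("-", 2)
    if name not in FIXED:
        return False
    fixed_version, fixed_release = FIXED[name]
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return order < 0

# Constructed inventory: host names and every build except hv01's are made up.
INVENTORY = {
    "hv01": "rhev-hypervisor-5.5-2.2.6.1.el5_5rhev2_2",
    "hv02": "rhev-hypervisor-5.5-2.2.5.el5_5rhev2_2",
    "hv03": "rhev-hypervisor-pxe-5.4-2.1.3.el5_4rhev2_1",
    "hv04": "rhev-hypervisor-5.5-2.2.7.el5_5rhev2_2",
}

def outdated_hosts(inventory):
    """Hosts whose reported build predates the fixed build, sorted by name."""
    return sorted(h for h, nvr in inventory.items() if needs_update(nvr))

if __name__ == "__main__":
    for host in outdated_hosts(INVENTORY):
        print(f"{host}: {INVENTORY[host]} predates RHSA-2010:0622")
```

On a real host the name-version-release string would come from `rpm -q rhev-hypervisor`.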