Headline
RHSA-2021:4191: Red Hat Security Advisory: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update
An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Security Fix(es):
- QEMU: net: e1000e: use-after-free while sending packets (CVE-2020-15859)
- QEMU: slirp: invalid pointer initialization may lead to information disclosure (bootp) (CVE-2021-3592)
- QEMU: slirp: invalid pointer initialization may lead to information disclosure (udp6) (CVE-2021-3593)
- QEMU: slirp: invalid pointer initialization may lead to information disclosure (udp) (CVE-2021-3594)
- QEMU: slirp: invalid pointer initialization may lead to information disclosure (tftp) (CVE-2021-3595)
- libvirt: Insecure sVirt label generation (CVE-2021-3631)
- libvirt: Improper locking on ACL failure in virStoragePoolLookupByTargetPath API (CVE-2021-3667) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. Related CVEs:
- CVE-2020-15859: QEMU: net: e1000e: use-after-free while sending packets
- CVE-2021-3592: QEMU: slirp: invalid pointer initialization may lead to information disclosure (bootp)
- CVE-2021-3593: QEMU: slirp: invalid pointer initialization may lead to information disclosure (udp6)
- CVE-2021-3594: QEMU: slirp: invalid pointer initialization may lead to information disclosure (udp)
- CVE-2021-3595: QEMU: slirp: invalid pointer initialization may lead to information disclosure (tftp)
- CVE-2021-3631: libvirt: Insecure sVirt label generation
- CVE-2021-3667: libvirt: Improper locking on ACL failure in virStoragePoolLookupByTargetPath API
Related news
An update for the rust-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Rust Toolset provides the Rust programming language compiler rustc, the cargo build tool and dependency manager, and required libraries. Security Fix(es): * Developer environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks (CVE-2021-42574) The following changes were introduced in rust in order to facilitate detection of BiDi Unicode characters: Rust introduces two new lints to detect and reject code containing the affected codepoints. These new deny-by-default lints detect affected codepoints in string literals and comments. The lints will prevent source code file containing these codepoints...
An update for java-17-openjdk is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. Security Fix(es): * OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689) (CVE-2021-35567) * OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167) (CVE-2021-35556) * OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580) (CVE-2021-35559) * OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097) (CVE-2021-35561) * OpenJDK: Certificates with end dates too far in the future can corrupt keystore (Keytool, 8266137) (CVE-2021-3556...
An update for the rust-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Rust Toolset provides the Rust programming language compiler rustc, the cargo build tool and dependency manager, and required libraries. The following packages have been upgraded to a later upstream version: rust (1.54.0). (BZ#1945805) Security Fix(es): * rust: incorrect parsing of extraneous zero characters at the beginning of an IP address string (CVE-2021-29922) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the ...
An update for the virt:av and virt-devel:av modules is now available for Red Hat Enterprise Linux Advanced Virtualization 8.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The Advanced Virtualization module provides the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Security Fix(es): * QEMU: virtio-net: heap use-after-free in virtio_net_receive_rcu (CVE-2021-3748) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * qemu-img convert --bitmaps fail if a bitmap is inconsistent (BZ#1993308) * fails to revert snapshot of a VM [balloon/page-poison] (BZ#2005425) * ...
The Red Hat Build of OpenJDK 11 (java-11-openjdk) is now available for portable Linux. Red Hat Product Security has rated this update as having a security impact of Imporant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The OpenJDK 11 packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. This release of the Red Hat build of OpenJDK 11 (11.0.13) for portable Linux serves as a replacement for the Red Hat build of OpenJDK 11 (11.0.12) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Security Fix(es): * OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE, 8254967) (CVE-2021-35565) * OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689) (CVE-2021-...
The Red Hat Build of OpenJDK 11 (java-11-openjdk) is now available for Windows. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The OpenJDK 11 packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. This release of the Red Hat build of OpenJDK 11 (11.0.13) for Windows serves as a replacement for the Red Hat build of OpenJDK 11 (11.0.12) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Security Fix(es): * OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE, 8254967) (CVE-2021-35565) * OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689) (CVE-2021-35567) * Open...
The Red Hat Build of OpenJDK 8 (java-1.8.0-openjdk) is now available for portable Linux. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. This release of the Red Hat build of OpenJDK 8 (1.8.0.312) for portable Linux serves as a replacement for Red Hat build of OpenJDK 8 (1.8.0.302) and includes security and bug fixes as well as enhancements. For further information, refer to the release notes linked to in the References section. Security Fix(es): * OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE, 8254967) (CVE-2021-35565) * OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689) (CVE-2...
The Red Hat Build of OpenJDK 8 (java-1.8.0-openjdk) is now available for Windows. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. This release of the Red Hat build of OpenJDK 8 (1.8.0.312) for Windows serves as a replacement for the Red Hat build of OpenJDK 8 (1.8.0.302) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Security Fix(es): * OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE, 8254967) (CVE-2021-35565) * OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689) (CVE-2021-35567) * Ope...