RedHat: RHSA-2021-2519:01 Important: RHV-H security update
Summary
The redhat-virtualization-host packages provide the Red Hat Virtualization
Host.
These packages include redhat-release-virtualization-host. Red Hat
Virtualization Hosts (RHVH) are installed using a special build of Red Hat
Enterprise Linux with only the packages required to host virtual machines.
RHVH features a Cockpit user interface for monitoring the host's resources
and
performing administrative tasks.
Security Fix(es):
* glib: integer overflow in g_bytes_new function on 64-bit platforms due to
an implicit cast from 64 bits to 32 bits (CVE-2021-27219)
* hw: vt-d related privilege escalation (CVE-2020-24489)
* dhcp: stack-based buffer overflow when parsing statements with
colon-separated hex digits in config or lease files in dhcpd and dhclient
(CVE-2021-25217)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
Summary
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/2974891
References
https://access.redhat.com/security/cve/CVE-2020-24489 https://access.redhat.com/security/cve/CVE-2021-25217 https://access.redhat.com/security/cve/CVE-2021-27219 https://access.redhat.com/security/updates/classification/#important
Package List
Red Hat Virtualization 4 Hypervisor for RHEL 7:
Source:
redhat-virtualization-host-4.3.16-20210615.0.el7_9.src.rpm
noarch:
redhat-virtualization-host-image-update-4.3.16-20210615.0.el7_9.noarch.rpm
RHEL 7-based RHEV-H for RHEV 4 (build requirements):
Source:
redhat-release-virtualization-host-4.3.16-1.el7ev.src.rpm
redhat-virtualization-host-4.3.16-20210615.0.el7_9.src.rpm
noarch:
redhat-virtualization-host-image-update-4.3.16-20210615.0.el7_9.noarch.rpm
redhat-virtualization-host-image-update-placeholder-4.3.16-1.el7ev.noarch.rpm
x86_64:
redhat-release-virtualization-host-4.3.16-1.el7ev.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Topic
An update for redhat-virtualization-host is now available for Red HatVirtualization 4 for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Topic
Relevant Releases Architectures
RHEL 7-based RHEV-H for RHEV 4 (build requirements) - noarch, x86_64
Red Hat Virtualization 4 Hypervisor for RHEL 7 - noarch
Bugs Fixed
1929858 - CVE-2021-27219 glib: integer overflow in g_bytes_new function on 64-bit platforms due to an implicit cast from 64 bits to 32 bits
1948377 - Rebase RHV-H 4.3 EUS on RHGS 3.5.z on RHEL 7 - Batch Update 4
1957238 - Rebase RHV-H 4.3 EUS on RHEL 7.9.z #6
1962650 - CVE-2020-24489 hw: vt-d related privilege escalation
1963258 - CVE-2021-25217 dhcp: stack-based buffer overflow when parsing statements with colon-separated hex digits in config or lease files in dhcpd and dhclient