[RHSA-2017:0988-01] Important: qemu-kvm-rhev security update

[news 28]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Important: qemu-kvm-rhev security update

Advisory ID: RHSA-2017:0988-01

Product: Red Hat Enterprise Linux OpenStack Platform

Advisory URL: https://access.redhat.com/errata/RHSA-2017:0988

Issue date: 2017-04-18

CVE Names: CVE-2016-9603

=====================================================================

 

1. Summary:

 

An update for qemu-kvm-rhev is now available for Red Hat OpenStack Platform

10.0 (Newton).

 

Red Hat Product Security has rated this update as having a security impact

of Important. A Common Vulnerability Scoring System (CVSS) base score,

which gives a detailed severity rating, is available for each vulnerability

from the CVE link(s) in the References section.

 

2. Relevant releases/architectures:

 

Red Hat OpenStack Platform 10.0 - x86_64

 

3. Description:

 

KVM (Kernel-based Virtual Machine) is a full virtualization solution for

Linux on a variety of architectures. The qemu-kvm-rhev packages provide the

user-space component for running virtual machines that use KVM in

environments managed by Red Hat products.

 

Security Fix(es):

 

* Quick Emulator (QEMU), built with the Cirrus CLGD 54xx VGA Emulator and

the VNC display driver support, is vulnerable to a heap buffer overflow

issue. The issue could occur when a VNC client attempts to update its

display after a VGA operation is performed by a guest. A privileged

user/process inside guest could use this flaw to crash the QEMU process

resulting in DoS or, potentially, leverage it to execute arbitrary code on

the host with privileges of the QEMU process. (CVE-2016-9603)

 

4. Solution:

 

For details on how to apply this update, which includes the changes

described in this advisory, refer to:

 

https://access.redhat.com/articles/11258

 

After installing this update, shut down all running virtual machines. Once

all virtual machines have shut down, start them again for this update to

take effect.

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

1430056 - CVE-2016-9603 Qemu: cirrus: heap buffer overflow via vnc connection

 

6. Package List:

 

Red Hat OpenStack Platform 10.0:

 

Source:

qemu-kvm-rhev-2.6.0-28.el7_3.9.src.rpm

 

x86_64:

qemu-img-rhev-2.6.0-28.el7_3.9.x86_64.rpm

qemu-kvm-common-rhev-2.6.0-28.el7_3.9.x86_64.rpm

qemu-kvm-rhev-2.6.0-28.el7_3.9.x86_64.rpm

qemu-kvm-rhev-debuginfo-2.6.0-28.el7_3.9.x86_64.rpm

qemu-kvm-tools-rhev-2.6.0-28.el7_3.9.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2016-9603

https://access.redhat.com/security/updates/classification/#important

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2017 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iD8DBQFY9n9MXlSAg2UNWIIRAuMRAJ0Ymt5ccGjw8wxDyqr4rF0YGasJHACfSCF1

6JnPQa1tGSEZwEIa4O5QQiI=

=ZmxC

-----END PGP SIGNATURE-----

 

 

--