Synopsis
The remote Red Hat host is missing one or more security updates.

Description
An update for imgbased, redhat-release-virtualization-host, and
redhat-virtualization-host is now available for Red Hat Virtualization
4 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The redhat-virtualization-host packages provide the Red Hat
Virtualization Host. These packages include
redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor.
Red Hat Virtualization Hosts (RHVH) are installed using a special
build of Red Hat Enterprise Linux with only the packages required to
host virtual machines. RHVH features a Cockpit user interface for
monitoring the host's resources and performing administrative tasks.
Security Fix(es):
* spice: Missing check in demarshal.py:write_validate_array_item()
allows for buffer overflow and denial of service (CVE-2018-10873)
* glusterfs: Multiple flaws (CVE-2018-10904, CVE-2018-10907,
CVE-2018-10923, CVE-2018-10926, CVE-2018-10927, CVE-2018-10928,
CVE-2018-10929, CVE-2018-10930, CVE-2018-10911, CVE-2018-10914,
CVE-2018-14652, CVE-2018-14653, CVE-2018-14654, CVE-2018-14659,
CVE-2018-14660, CVE-2018-14661, CVE-2018-10913)
* samba: Insufficient input validation in libsmbclient
For more details about the security issue(s), including the impact, a
CVSS score, and other related information, refer to the CVE page(s)
listed in the References section.
Red Hat would like to thank Michael Hanselmann (hansmi.ch) for
reporting CVE-2018-10904, CVE-2018-10907, CVE-2018-10923,
CVE-2018-10926, CVE-2018-10927, CVE-2018-10928, CVE-2018-10929,
CVE-2018-10930, CVE-2018-10911, CVE-2018-10914, CVE-2018-14652,
CVE-2018-14653, CVE-2018-14654, CVE-2018-14659, CVE-2018-14660,
CVE-2018-14661, and CVE-2018-10913. The CVE-2018-10873 issue was
discovered by Frediano Ziglio (Red Hat).
Bug Fix(es):
* When upgrading Red Hat Virtualization Host (RHVH), imgbased fails to
run garbage collection on previous layers, so new logical volumes are
removed, and the boot entry points to a logical volume that was
If the RHVH upgrade finishes successfully, the hypervisor boots
successfully, even if garbage collection fails. (BZ#1632058)
* During the upgrade process, when lvremove runs garbage collection,
it prompts for user confirmation, causing the upgrade process to fail.
Now the process uses 'lvremove --force' when trying to remove logical
volumes and does not fail even if garbage collection fails, and as a
result, the upgrade process finishes successfully. (BZ#1632585)

Solution
Update the affected packages.