RHEL 7 : Virtualization Manager (RHSA-2018:3470)
Medium Nessus Plugin ID 118790
Synopsis
The remote Red Hat host is missing one or more security updates.
Description
An update for imgbased, redhat-release-virtualization-host, and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor.
Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.
Security Fix(es) :
* spice: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service (CVE-2018-10873)
* glusterfs: Multiple flaws (CVE-2018-10904, CVE-2018-10907, CVE-2018-10923, CVE-2018-10926, CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, CVE-2018-10911, CVE-2018-10914, CVE-2018-14652, CVE-2018-14653, CVE-2018-14654, CVE-2018-14659, CVE-2018-14660, CVE-2018-14661, CVE-2018-10913)
* samba: Insufficient input validation in libsmbclient (CVE-2018-10858)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank Michael Hanselmann (hansmi.ch) for reporting CVE-2018-10904, CVE-2018-10907, CVE-2018-10923, CVE-2018-10926, CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, CVE-2018-10911, CVE-2018-10914, CVE-2018-14652, CVE-2018-14653, CVE-2018-14654, CVE-2018-14659, CVE-2018-14660, CVE-2018-14661, and CVE-2018-10913. The CVE-2018-10873 issue was discovered by Frediano Ziglio (Red Hat).
Bug Fix(es) :
* When upgrading Red Hat Virtualization Host (RHVH), imgbased fails to run garbage collection on previous layers, so new logical volumes are removed, and the boot entry points to a logical volume that was removed.
If the RHVH upgrade finishes successfully, the hypervisor boots successfully, even if garbage collection fails. (BZ#1632058)
* During the upgrade process, when lvremove runs garbage collection, it prompts for user confirmation, causing the upgrade process to fail.
Now the process uses 'lvremove --force' when trying to remove logical volumes and does not fail even if garbage collection fails, and as a result, the upgrade process finishes successfully. (BZ#1632585)
Solution
Update the affected packages.