Skip to navigation

Security Advisory Moderate: rhev 3.2.2 - vdsm security and bug fix update

Advisory: RHSA-2013:1155-2
Type: Security Advisory
Severity: Moderate
Issued on: 2013-08-13
Last updated on: 2013-08-21
Affected Products: Red Hat Enterprise Virtualization 3
Red Hat Enterprise Virtualization 3.2
CVEs (cve.mitre.org): CVE-2013-4236

Details

Updated vdsm packages that fix one security issue and various bugs are now
available.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

[Updated 21 August 2013]
The packages list in this erratum has been updated to include missing
packages for the "Red Hat Enterprise Virt Management Agent (v 6 x86_64)"
channel (also known as "rhel-x86_64-rhev-mgmt-agent-6"). No changes have
been made to the original packages.

VDSM is a management module that serves as a Red Hat Enterprise
Virtualization Manager agent on Red Hat Enterprise Virtualization
Hypervisor or Red Hat Enterprise Linux hosts.

It was found that the fix for CVE-2013-0167 released via RHSA-2013:0886
was incomplete. A privileged guest user could potentially use this flaw to
make the host the guest is running on unavailable to the management
server. (CVE-2013-4236)

This issue was found by David Gibson of Red Hat.

This update also fixes the following bugs:

* Previously, failure to move a disk produced a 'truesize' exit message,
which was not informative. Now, failure to move a disk produces a more
helpful error message explaining that the volume is corrupted or missing.
(BZ#985556)

* The LVM filter has been updated to only access physical volumes by full
/dev/mapper paths in order to improve performance. This replaces the
previous behavior of scanning all devices including logical volumes on
physical volumes. (BZ#983599)

* The log collector now collects /var/log/sanlock.log from Hypervisors, to
assist in debugging sanlock errors. (BZ#987042)

* When the poollist parameter was not defined, dumpStorageTable crashed,
causing SOS report generation to fail with the error 'IndexError: list
index out of range'. VDSM now handles this exception, so the log collector
can generate host SOS reports. (BZ#985069)

* Previously, VDSM used the memAvailable parameter to report available
memory on a host, which could return negative values if memory
overcommitment was in use. Now, the new memFree parameter returns the
actual amount of free memory on a host. (BZ#982639)

All users managing Red Hat Enterprise Linux Virtualization hosts using Red
Hat Enterprise Virtualization Manager are advised to install these updated
packages, which fix these issues.

These updated packages will be provided to users of Red Hat Enterprise
Virtualization Hypervisor in the next rhev-hypervisor6 errata package.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat Enterprise Virtualization 3

SRPMS:
vdsm-4.10.2-24.0.el6ev.src.rpm
File outdated by:  RHBA-2014:0024
    MD5: 9eb0c3c81854137bda02e16901f27117
SHA-256: a4634bf3f8fe81da191c61b6f57df4760403ae8a3c7e61a85dfe7dc9a54196d8
 
x86_64:
vdsm-4.10.2-24.0.el6ev.x86_64.rpm
File outdated by:  RHBA-2014:0392
    MD5: 5ac05b5b6080405616e0be977cddc6a4
SHA-256: bddc4a5cc2af72a7af856a317d5f7316a730221128b6efa3d0132084dfa8985a
vdsm-bootstrap-4.10.2-24.0.el6ev.noarch.rpm
File outdated by:  RHBA-2014:0024
    MD5: 25466c8f02225ff697510115814c2344
SHA-256: 305d80ae116e00281f48e994aeee6e318ba195d95c82277ddb811c215f2fc331
vdsm-cli-4.10.2-24.0.el6ev.noarch.rpm
File outdated by:  RHBA-2014:0392
    MD5: f97ece394a6827cc43ee9c0985d81a70
SHA-256: 8646620b54c533fae8fc9c98ff6326cf1aa7ff35175e71291b83f9dbcb0297f8
vdsm-debuginfo-4.10.2-24.0.el6ev.x86_64.rpm
File outdated by:  RHBA-2014:0392
    MD5: df4eb04785aabe067ba4814d8bcd0620
SHA-256: 22b2bcc0964c18d3aa222a15405a4aa827811077f98fe0a3774b1a4f3cfc4983
vdsm-hook-vhostmd-4.10.2-24.0.el6ev.noarch.rpm
File outdated by:  RHBA-2014:0392
    MD5: b7c5cf13e3bc4b3c0aca7888b27fd04a
SHA-256: 71f84371daace21d56b4847e956434a7fd75febff1400efda1b2e188649782ad
vdsm-python-4.10.2-24.0.el6ev.x86_64.rpm
File outdated by:  RHBA-2014:0392
    MD5: 3912f738944aa5d251c3614e7298baaa
SHA-256: 5d64560aa684ed400426ba2f77eb3938670c2b3e66c6717cfe4161622eb04116
vdsm-reg-4.10.2-24.0.el6ev.noarch.rpm
File outdated by:  RHBA-2014:0392
    MD5: 1435456a7e6cf92070cfb18178c5cbfa
SHA-256: d3d1825906c1ef50beba7922438778961240a45ccf3b9002cda0e566f8912c42
vdsm-xmlrpc-4.10.2-24.0.el6ev.noarch.rpm
File outdated by:  RHBA-2014:0392
    MD5: 1989a4acefce9ea288a50104460ff390
SHA-256: ca9e5e227b8ee1b404d5bc803bc3b5f44ac8951dfafe475425c4636408eb5e74
 
Red Hat Enterprise Virtualization 3.2

SRPMS:
vdsm-4.10.2-24.0.el6ev.src.rpm
File outdated by:  RHBA-2014:0024
    MD5: 9eb0c3c81854137bda02e16901f27117
SHA-256: a4634bf3f8fe81da191c61b6f57df4760403ae8a3c7e61a85dfe7dc9a54196d8
 
x86_64:
vdsm-bootstrap-4.10.2-24.0.el6ev.noarch.rpm
File outdated by:  RHBA-2014:0024
    MD5: 25466c8f02225ff697510115814c2344
SHA-256: 305d80ae116e00281f48e994aeee6e318ba195d95c82277ddb811c215f2fc331
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

982639 - vdsm is reporting negative values for available memory
983599 - Change lvm filter to access RHEV PVs only by full path /dev/mapper/wwid
985556 - vdsm: failure to move disk with 'truesize' error in vdsm will show the same exit message in event log
987042 - logcollector does not collect /var/log/sanlock.log from hypervisors
996166 - CVE-2013-4236 vdsm: incomplete fix for CVE-2013-0167 issue


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/