Security Advisory Moderate: Red Hat Enterprise Virtualization Manager security update

Advisory: RHSA-2010:0478-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-06-22
Last updated on: 2010-06-22
Affected Products: Red Hat Enterprise Virtualization
CVEs: CVE-2010-2224


Red Hat Enterprise Virtualization Manager 2.2 is now available for Red Hat
Enterprise Virtualization.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Red Hat Enterprise Virtualization Manager is a visual tool for centrally
managing collections of virtual servers running Red Hat Enterprise Linux
and Microsoft Windows. This package also includes the Red Hat Enterprise
Virtualization Manager API, a set of scriptable commands that give
administrators the ability to perform queries and operations on Red Hat
Enterprise Virtualization Manager. Major changes in version 2.2 include an
import and export capability, and desktop support (VDI).

It was found that Red Hat Enterprise Virtualization Manager did not
correctly pass the postzero parameter for deleted volumes after snapshot
merging. This resulted in such volumes not being securely deleted as
expected. A guest user in a new, raw virtual machine (VM), created in a
data domain that has had VMs deleted from it, could use this flaw to read
limited data from those deleted VMs, potentially disclosing sensitive
information. (CVE-2010-2224)
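The paragraph above describes a reuse-without-wipe flaw: extents freed by a deleted volume are handed to the next raw volume with their old contents intact. The following Python is an added, constructed simulation of that flaw class and is not RHEV-M or VDSM code; `DataDomain`, `scan_for_residue` and `demo` are hypothetical names, the block layout and free-list behaviour are assumptions, and the secret written to the "old" volume is made up. It shows the vulnerable path (delete without zeroing) beside the corrected one, and includes the residue check a practitioner would run against a freshly created raw disk.

```python
"""Constructed simulation (added example, not RHEV-M or VDSM code) of the
flaw class in CVE-2010-2224: a storage pool that hands the extents of a
deleted volume to a new raw volume without first zeroing them."""

BLOCK_SIZE = 512


class DataDomain:
    """Toy data domain: a flat pool of fixed-size blocks plus a free list.

    Assumed behaviour that matters here: extents freed by one volume are
    reused, unchanged, by the next allocation unless they are zeroed first.
    """

    def __init__(self, num_blocks):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(num_blocks)]
        self.free = list(range(num_blocks))       # LIFO free list (assumption)
        self.volumes = {}                         # name -> list of block ids

    def create_volume(self, name, num_blocks):
        if len(self.free) < num_blocks:
            raise RuntimeError("domain full")
        # Raw (unformatted) volume: the guest sees whatever bytes are in the
        # allocated blocks. No zero-fill happens here, as with a raw image.
        ids = [self.free.pop() for _ in range(num_blocks)]
        self.volumes[name] = ids
        return ids

    def write(self, name, index, data):
        assert len(data) <= BLOCK_SIZE
        self.blocks[self.volumes[name][index]] = data.ljust(BLOCK_SIZE, b"\0")

    def read(self, name, index):
        return self.blocks[self.volumes[name][index]]

    def delete_volume(self, name, postzero):
        """Release a volume's blocks. With postzero=True each block is
        overwritten with zeros before it goes back on the free list; with
        postzero=False (the behaviour the advisory describes for volumes
        deleted during snapshot merge) the old contents stay in place."""
        for block_id in self.volumes.pop(name):
            if postzero:
                self.blocks[block_id] = bytes(BLOCK_SIZE)
            self.free.append(block_id)


def scan_for_residue(domain, name):
    """Return the indexes of a volume's blocks that are not all-zero.

    A freshly created raw volume on a correctly wiped domain should return
    an empty list; anything else is data left behind by an earlier owner.
    """
    return [i for i in range(len(domain.volumes[name]))
            if any(domain.read(name, i))]


def demo(postzero):
    """Create a VM volume holding a secret, delete it, allocate a new raw
    volume over the same extents, and report what the new owner can read."""
    domain = DataDomain(num_blocks=8)
    domain.create_volume("old-vm", 2)
    domain.write("old-vm", 0, b"db_password=hunter2")   # constructed secret
    domain.delete_volume("old-vm", postzero=postzero)

    domain.create_volume("new-raw-vm", 2)                # reuses freed blocks
    leaked = scan_for_residue(domain, "new-raw-vm")
    recovered = b"".join(domain.read("new-raw-vm", i)
                         for i in leaked).rstrip(b"\0")
    return leaked, recovered


if __name__ == "__main__":
    for flag in (False, True):
        blocks, data = demo(postzero=flag)
        print(f"postzero={flag}: non-zero blocks {blocks}, recovered {data!r}")
```

With `postzero=False` the new raw volume's second block still holds the previous owner's secret; with `postzero=True` the scan finds nothing. The same residue check applies to a real deployment: read the whole virtual disk of a newly created raw VM from inside the guest before anything is written to it and confirm every block is zero, which is the observable guarantee this update restores.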

This update provides updated components that include fixes for security
issues; however, these issues have no security impact for Red Hat
Enterprise Virtualization Manager. These fixes are for expat issues
CVE-2009-3560 and CVE-2009-3720; libpng issues CVE-2007-5266,
CVE-2007-5267, CVE-2007-5268, CVE-2007-5269, CVE-2008-1382, CVE-2008-5907,
CVE-2008-6218, CVE-2009-0040, CVE-2009-2042, and CVE-2010-0205; and openssl
issues CVE-2008-5077, CVE-2009-0590, CVE-2009-1377, CVE-2009-1378,
CVE-2009-1379, CVE-2009-1386, CVE-2009-1387, CVE-2009-2409, CVE-2009-3555,
CVE-2009-4355, and CVE-2010-0433.

This update also fixes several bugs and adds several enhancements.
Documentation for these bug fixes and enhancements is available from

All Red Hat Enterprise Virtualization Manager users should install this
updated package, which corrects this issue, and fixes the bugs and adds the
enhancements noted in the "Manager Security Update" document, linked to in
the References.


Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at

Updated packages

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

606774 - CVE-2010-2224 rhev-m: merge snapshot does not pass postzero parameter for deleted volumes


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at