-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2694
 RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update
                               6 August 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           RHV Manager (ovirt-engine) 4.4
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Cross-site Scripting            -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Unauthorised Access             -- Remote/Unauthenticated      
                   Reduced Security                -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11023 CVE-2020-11022 CVE-2020-10775
                   CVE-2020-7598 CVE-2019-19336 CVE-2019-17195
                   CVE-2019-13990 CVE-2019-10086 CVE-2019-8331
                   CVE-2017-18635  

Reference:         ESB-2020.2619
                   ESB-2020.2555
                   ESB-2020.2375
                   ESB-2020.2319
                   ESB-2020.2287

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:3247

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update
Advisory ID:       RHSA-2020:3247-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3247
Issue date:        2020-08-04
CVE Names:         CVE-2017-18635 CVE-2019-8331 CVE-2019-10086 
                   CVE-2019-13990 CVE-2019-17195 CVE-2019-19336 
                   CVE-2020-7598 CVE-2020-10775 CVE-2020-11022 
                   CVE-2020-11023 
=====================================================================

1. Summary:

Updated ovirt-engine packages that fix several bugs and add various
enhancements are now available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch, x86_64

3. Description:

The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view
and manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live
migrations, and virtual infrastructure provisioning. 

The Manager is a JBoss Application Server application that provides several
interfaces through which the virtual environment can be accessed and
interacted with, including an Administration Portal, a VM Portal, and a
Representational State Transfer (REST) Application Programming Interface
(API).

A list of bugs fixed in this update is available in the Technical Notes
book:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/ht
ml-single/technical_notes

Security Fix(es):

* apache-commons-beanutils: does not suppresses the class property in
PropertyUtilsBean by default (CVE-2019-10086)

* libquartz: XXE attacks via job description (CVE-2019-13990)

* novnc: XSS vulnerability via the messages propagated to the status field
(CVE-2017-18635)

* bootstrap: XSS in the tooltip or popover data-template attribute
(CVE-2019-8331)

* nimbus-jose-jwt: Uncaught exceptions while parsing a JWT (CVE-2019-17195)

* ovirt-engine: response_type parameter allows reflected XSS
(CVE-2019-19336)

* nodejs-minimist: prototype pollution allows adding or modifying
properties of Object.prototype using a constructor or __proto__ payload
(CVE-2020-7598)

* ovirt-engine: Redirect to arbitrary URL allows for phishing
(CVE-2020-10775)

* Cross-site scripting due to improper injQuery.htmlPrefilter method
(CVE-2020-11022)

* jQuery: passing HTML containing <option> elements to manipulation methods
could result in untrusted code execution (CVE-2020-11023)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1080097 - [RFE] Allow editing disks details in the Disks tab
1325468 - [RFE] Autostart of VMs that are down (with Engine assistance - Engine has to be up)
1358501 - [RFE] multihost network change - notify when done
1427717 - [RFE] Create and/or select affinity group upon VM creation.
1475774 - RHV-M requesting four GetDeviceListVDSCommand when editing storage domain
1507438 - not able to deploy new rhvh host when "/tmp" is mounted with "noexec" option
1523835 - Hosted-Engine: memory hotplug does not work for engine vm
1527843 - [Tracker] Q35 chipset support (with seabios)
1529042 - [RFE] Changing of Cluster CPU Type does not trigger config update notification
1535796 - Undeployment of HE is not graceful
1546838 - [RFE] Refuse to deploy on localhost.localdomain
1547937 - [RFE] Live Storage Migration progress bar.
1585986 - [HE] When lowering the cluster compatibility, we need to force update the HE storage OVF store to ensure it can start up (migration will not work).
1593800 - [RFE] forbid new mac pools with overlapping ranges
1596178 - inconsistent display between automatic and manual Pool Type
1600059 - [RFE] Add by default a storage lease to HA VMs
1610212 - After updating to RHV 4.1 while trying to edit the disk, getting error "Cannot edit Virtual Disk. Cannot edit Virtual Disk. Disk extension combined with disk compat version update isn't supported. Please perform the updates separately."
1611395 - Unable to list Compute Templates in RHV 4.2 from Satellite 6.3.2
1616451 - [UI] add a tooltip to explain the supported matrix for the combination of disk allocation policies, formats and the combination result
1637172 - Live Merge hung in the volume deletion phase,  leaving snapshot in a LOCKED state
1640908 - Javascript Error popup when Managing StorageDomain with LUNs and 400+ paths
1642273 - [UI] - left nav border highlight missing in RHV
1647440 - [RFE][UI] Provide information about the VM next run
1648345 - Jobs are not properly cleaned after a failed task.
1650417 - HA is broken for VMs having disks in NFS storage domain because of Qemu OFD locking
1650505 - Increase of ClusterCompatibilityVersion to Cluster with virtual machines with outstanding configuration changes, those changes will be reverted
1651406 - [RFE] Allow Maintenance of Host with Enforcing VM Affinity Rules (hard affinity)
1651939 - a new size of the direct LUN not updated in Admin Portal
1654069 - [Downstream Clone] [UI] - grids bottom scrollbar hides bottom row
1654889 - [RFE] Support console VNC for mediated devices
1656621 - Importing VM OVA always enables 'Cloud-Init/Sysprep'
1658101 - [RESTAPI] Adding ISO disables serial console
1659161 - Unable to edit pool that is delete protected
1660071 - Regression in Migration of VM that starts in pause mode: took 11 hours
1660644 - Concurrent LSMs of the same disk can be issued via the REST-API
1663366 - USB selection option disabled even though USB support is enabled in RHV-4.2
1664479 - Third VM fails to get migrated when host is placed into maintenance mode
1666913 - [UI] warn users about different "Vdsm Name" when creating network with a fancy char or long name
1670102 - [CinderLib] - openstack-cinder and cinderlib packages are not installed on ovirt-engine machine
1671876 - "Bond Active Slave" parameter on RHV-M GUI shows an incorrect until Refresh Caps
1679039 - Unable to upload image through Storage->Domain->Disk because of wrong DC
1679110 - [RFE] change Admin Portal toast notifications location
1679471 - [ja, de, es, fr, pt_BR] The console client resources page shows truncated title for some locales
1679730 - Warn about host IP addresses outside range
1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute
1686650 - Memory snapshots' deletion logging unnecessary WARNINGS in engine.log
1687345 - Snapshot with memory volumes can fail if the memory dump takes more than 180 seconds
1690026 - [RFE] - Creating an NFS storage domain the engine should let the user specify exact NFS version v4.0 and not just v4
1690155 - Disk migration progress bar not clearly visible and unusable.
1690475 - When a live storage migration fails, the auto generated snapshot does not get removed
1691562 - Cluster level changes are not increasing VMs generation numbers and so a new OVF_STORE content is not copied to the shared storage
1692592 - "Enable menu to select boot device shows 10 device listed with cdrom at 10th slot but when selecting 10 option the VM took 1 as option and boot with disk
1693628 - Engine generates too many updates to vm_dynamic table due to the session change
1693813 - Do not change DC level if there are VMs running/paused with older CL.
1695026 - Failure in creating snapshots during "Live Storage Migration" can result in a nonexistent snapshot
1695635 - [RFE] Improve Host Drop-down menu in different Dialogs (i.e. Alphabetical sort of Hosts in Remove|New StorageDomains)
1696245 - [RFE] Allow full customization while cloning a VM
1696669 - Build bouncycastle for RHV 4.4 RHEL 8
1696676 - Build ebay-cors-filter for RHV 4.4 RHEL 8
1698009 - Build openstack-java-sdk for RHV 4.4 RHEL 8
1698102 - Print a warning message to engine-setup, which highlights that other clusters than the Default one are not modified to use ovirt-provider-ovn as the default network provider
1700021 - [RFE] engine-setup should warn and prompt if ca.pem is missing but other generated pki files exist
1700036 - [RFE] Add RedFish API for host power management for RHEV
1700319 - VM is going to pause state with "storage I/O  error".
1700338 - [RFE] Alternate method to configure the email Event Notifier for a user in RHV through API (instead of  RHV GUI)
1700725 - [scale] RHV-M runs out of memory due to to much data reported by the guest agent
1700867 - Build makeself for RHV 4.4 RHEL 8
1701476 - Build unboundid-ldapsdk for RHV 4.4 RHEL 8
1701491 - Build RHV-M 4.4 - RHEL 8
1701522 - Build ovirt-imageio-proxy for RHV 4.4 / RHEL 8
1701528 - Build / Tag python-ovsdbapp for RHV 4.4 RHEL 8
1701530 - Build / Tag ovirt-cockpit-sso for RHV 4.4 RHEL 8
1701531 - Build / Tag ovirt-engine-api-explorer for RHV 4.4 RHEL 8
1701533 - Build / Tag ovirt-engine-dwh for RHV 4.4 / RHEL 8
1701538 - Build / Tag vdsm-jsonrpc-java for RHV 4.4 RHEL 8
1701544 - Build rhvm-dependencies for RHV 4.4 RHEL 8
1702310 - Build / Tag ovirt-engine-ui-extensions for RHV 4.4 RHEL 8
1702312 - Build ovirt-log-collector for RHV 4.4 RHEL 8
1703112 - PCI address of NICs are not stored in the database after a hotplug of passthrough NIC resulting in change of network device name in VM after a reboot
1703428 - VMs migrated from KVM to RHV show warning 'The latest guest agent needs to be installed and running on the guest'
1707225 - [cinderlib] Cinderlib DB is missing a backup and restore option
1708624 - Build rhvm-setup-plugins for RHV 4.4 - RHEL 8
1710491 - No EVENT_ID is generated in /var/log/ovirt-engine/engine.log when VM is rebooted from OS level itself.
1711006 - Metrics installation fails during the execution of playbook ovirt-metrics-store-installation if the environment is not having DHCP
1712255 - Drop 4.1 datacenter/cluster level
1712746 - [RFE] Ignition support for ovirt vms
1712890 - engine-setup should check for snapshots in unsupported CL
1714528 - Missing IDs on cluster upgrade buttons
1714633 - Using more than one asterisk in the search string is not working when searching for users.
1714834 - Cannot disable SCSI passthrough using API
1715725 - Sending credentials in query string logs them in ovirt-request-logs
1716590 - [RFE][UX] Make Cluster-wide "Custom serial number policy" value visible at VM level
1718818 - [RFE] Enhance local disk passthrough
1720686 - Tag ovirt-scheduler-proxy for RHV 4.4 RHEL 8
1720694 - Build ovirt-engine-extension-aaa-jdbc for RHV 4.4 RHEL 8
1720795 - New guest tools are available mark in case of guest tool located on Data Domain
1724959 - RHV recommends reporting issues to GitHub rather than access.redhat.com (ovirt->RHV rebrand glitch?)
1727025 - NPE in DestroyImage endAction during live merge leaving a task in DB for hours causing operations depending on host clean tasks to fail as Deactivate host/StopSPM/deactivate SD
1728472 - Engine reports network out of sync due to ipv6 default gateway via ND RA on a non default route network.
1729511 - engine-setup fails to upgrade to 4.3 with Unicode characters in CA subject
1729811 - [scale] updatevmdynamic broken if too many users logged in - psql ERROR: value too long for type character varying(255)
1730264 - VMs will fail to start if the vnic profile attached is having port mirroring enabled and have name greater than 15 characters
1730436 - Snapshot creation was successful, but snapshot remains locked
1731212 - RHV 4.4 landing page does not show login or allow scrolling.
1731590 - Cannot preview snapshot, it fails and VM remains locked.
1733031 - [RFE] Add warning when importing data domains to newer DC that may trigger SD format upgrade
1733529 - Consume python-ovsdbapp dependencies from OSP in RHEL 8 RHV 4.4
1733843 - Export to OVA fails if VM is running on the Host doing the export
1734839 - Unable to start guests in our Power9 cluster without running in headless mode.
1737234 - Attach a non-existent ISO to vm by the API return 201 and marks the Attach CD checkbox as ON
1737684 - Engine deletes the leaf volume when SnapshotVDSCommand timed out without checking if the  volume is still used by the VM
1740978 - [RFE] Warn or Block importing VMs/Templates from unsupported compatibility levels.
1741102 - host activation causes RHHI nodes to lose the quorum
1741271 - Move/Copy disk are blocked if there is less space in source SD than the size of the disk
1741625 - VM fails to be re-started with error: Failed to acquire lock: No space left on device
1743690 - Commit and Undo buttons active when no snapshot selected
1744557 - RHV 4.3 throws an exception when trying to access VMs which have snapshots from unsupported compatibility levels
1745384 - [IPv6 Static] Engine should allow updating network's static ipv6gateway
1745504 - Tag rhv-log-collector-analyzer for RHV 4.4 RHEL 8
1746272 - [BREW BUILD ENABLER] Build the oVirt Ansible roles for RHV 4.4.0
1746430 - [Rebase] Rebase v2v-conversion-host for RHV 4.4 Engine
1746877 - [Metrics] Rebase bug - for the 4.4 release on EL8
1747772 - Extra white space at the top of webadmin dialogs
1749284 - Change the Snapshot operation to be asynchronous
1749944 - teardownImage attempts to deactivate in-use LV's rendering the VM disk image/volumes in locked state.
1750212 - MERGE_STATUS fails with 'Invalid UUID string: mapper' when Direct LUN that already exists is hot-plugged
1750348 - [Tracking] rhvm-branding-rhv for RHV 4.4
1750357 - [Tracking] ovirt-web-ui for RHV 4.4
1750371 - [Tracking] ovirt-engine-ui-extensions for RHV 4.4
1750482 - From  VM Portal, users cannot create Operating System Windows VM.
1751215 - Unable to change Graphical Console of HE VM.
1751268 - add links to Insights to landing page
1751423 - Improve description of shared memory statistics and remove unimplemented memory metrics from API
1752890 - Build / Tag ovirt-engine-extension-aaa-ldap for RHV 4.4 RHEL 8
1752995 - [RFE] Need to be able to set default console option
1753629 - Build / Tag ovirt-engine-extension-aaa-misc for RHV 4.4 RHEL 8
1753661 - Build / Tag ovirt-engine-extension-logger-log4j got RHV 4.4 / RHEl 8
1753664 - Build ovirt-fast-forward-upgrade for RHV 4.4 /RHEL 8 support
1754363 - [Scale] Engine generates excessive amount of dns configuration related sql queries
1754490 - RHV Manager cannot start on EAP 7.2.4
1755412 - Setting "oreg_url: registry.redhat.io" fails with error
1758048 - clone(as thin) VM from template or create snapshot fails with 'Requested capacity 1073741824 < parent capacity 3221225472 (volume:1211)'
1758289 - [Warn] Duplicate chassis entries in southbound database if the host is down while removing the host from Manager
1762281 - Import of OVA created from template fails with java.lang.NullPointerException
1763992 - [RFE] Show "Open Console" as the main option in the VM actions menu
1764289 - Document details how each fence agent can be configured in RESTAPI
1764791 - CVE-2019-17195 nimbus-jose-jwt: Uncaught exceptions while parsing a JWT
1764932 - [BREW BUILD ENABLER] Build the ansible-runner-service for RHV 4.4
1764943 - Create Snapshot does not proceed beyond CreateVolume
1764959 - Apache is configured to offer TRACE method (security)
1765660 - CVE-2017-18635 novnc: XSS vulnerability via the messages propagated to the status field
1767319 - [RFE] forbid updating mac pool that contains ranges overlapping with any mac range in the system
1767483 - CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
1768707 - Cannot set or update iscsi portal group tag when editing storage connection via API
1768844 - RHEL Advanced virtualization module streams support
1769463 - [Scale] Slow performance for api/clusters when many networks devices are present
1770237 - Cannot assign a vNIC profile for VM instance profile.
1771793 - VM Portal crashes in what appears to be a permission related problem.
1773313 - RHV Metric store installation fails with error: "You need to install \"jmespath\" prior to running json_query filter"
1777954 - VM Templates greater then 101 quantity are not listed/reported in RHV-M Webadmin UI.
1779580 - drop rhvm-doc package
1781001 - CVE-2019-19336 ovirt-engine: response_type parameter allows reflected XSS
1782236 - Windows Update (the drivers) enablement
1782279 - Warning message for low space is not received on Imported Storage domain
1782882 - qemu-kvm: kvm_init_vcpu failed: Function not implemented
1784049 - Rhel6 guest with cluster default q35 chipset causes kernel panic
1784385 - Still requiring rhvm-doc in rhvm-setup-plugins
1785750 - [RFE] Ability to change default VM action (Suspend) in the VM Portal.
1788424 - Importing a VM having direct LUN attached using virtio driver is failing with error "VirtIO-SCSI is disabled for the VM"
1796809 - Build apache-sshd for RHV 4.4 RHEL 8
1796811 - Remove bundled apache-sshd library
1796815 - Build snmp4j for RHV 4.4 RHEL 8
1796817 - Remove bundled snmp4j library
1797316 - Snapshot creation from VM fails on second snapshot and afterwords
1797500 - Add disk operation failed to complete.
1798114 - Build apache-commons-digester for RHV 4.4 RHEL 8
1798117 - Build apache-commons-configuration for RHV 4.4 RHEL 8
1798120 - Build apache-commons-jexl for RHV 4.4 RHEL 8
1798127 - Build apache-commons-collections4 for RHV 4.4 RHEL 8
1798137 - Build apache-commons-vfs for RHV 4.4 RHEL 8
1799171 - Build ws-commons-util for RHV 4.4 RHEL 8
1799204 - Build xmlrpc for RHV 4.4 RHEL 8
1801149 - CVE-2019-13990 libquartz: XXE attacks via job description
1801709 - Disable activation of the host while Enroll certificate flow is still in progress
1803597 - rhv-image-discrepancies should skip storage domains in maintenance mode and ISO/Export
1805669 - change requirement on rhvm package from spice-client-msi to spice-client-win
1806276 - [HE] ovirt-provider-ovn is non-functional on 4.3.9 Hosted-Engine
1807047 - Build m2crypto for RHV 4.4 RHEL 8
1807860 - [RFE] Allow resource allocation options to be customized
1808096 - Uploading ISOs causes "Uncaught exception occurred. Please try reloading the page. Details: (TypeError) : a.n is null"
1808126 - host_service.install() does not work with deploy_hosted_engine as True.
1809040 - [CNV&RHV] let the user know that token is not valid anymore
1809052 - [CNV&RHV] ovirt-engine log file spammed by failed timers ( approx 3-5 messages/sec )
1809875 - rhv-image-discrepancies only compares images on the last DC
1809877 - rhv-image-discrepancies sends dump-volume-chains with parameter that is ignored
1810893 - mountOptions is ignored for "import storage domain" from GUI
1811865 - [Scale] Host Monitoring generates excessive amount of qos related sql queries
1811869 - [Scale] Webadmin\REST for host interface list response time is too long because of excessive amount of qos related sql queries
1812875 - Unable to create VMs  when french Language is selected  for the rhvm gui.
1813305 - Engine updating SLA policies of VMs continuously in  an environment which is not having any QOS configured
1813344 - CVE-2020-7598 nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload
1814197 - [CNV&RHV] when provider is remover DC is left behind and active
1814215 - [CNV&RHV] Adding new provider to engine fails after succesfull test
1816017 - Build log4j12 for RHV 4.4 EL8
1816643 - [CNV&RHV] VM created in CNV not visible in RHV
1816654 - [CNV&RHV] adding provider with already created vm failed
1816693 - [CNV&RHV] CNV VM failed to restart even if 1st dialog looks fine
1816739 - [CNV&RHV] CNV VM updated form CNV side doesn't update vm properties over on RHV side
1817467 - [Tracking] Migration path between RHV 4.3 and 4.4
1818745 - rhv-log-collector-analyzer 0.2.17 still requires pyhton2
1819201 - [CodeChange][i18n] oVirt 4.4 rhv branding - translation update
1819248 - Cannot upgrade host after engine setup
1819514 - Failed to register 4.4 host to the latest engine (4.4.0-0.29.master.el8ev)
1819960 - NPE on ImportVmTemplateFromConfigurationCommand when creating VM from ovf_data
1820621 - Build apache-commons-compress for RHV 4.4 EL8
1820638 - Build apache-commons-jxpath for RHV 4.4 EL8
1821164 - Failed snapshot creation can cause data corruption of other VMs
1821930 - Enable only TLSv1.2+ protocol for SPICE on EL7 hosts
1824095 - VM portal shows only error
1825793 - RHV branding is missing after upgrade from 4.3
1826248 - [4.4][ovirt-cockpit-sso] Compatibility issues with python3
1826437 - The console client resources page return HTTP code 500
1826801 - [CNV&RHV] update of memory on cnv side does not propagate to rhv
1826855 - [cnv&rhv] update of cpu on cnv side causing expetion in engine.log
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
1828669 - After SPM select the engine lost communication to all hosts until restarted [improved logging]
1828736 - [CNV&RHV] cnv template is not propagated to rhv
1829189 - engine-setup httpd ssl configuration conflicts with Red Hat Insights
1829656 - Failed to register 4.3 host to 4.4 engine with 4.3 cluster (4.4.0-0.33.master.el8ev)
1829830 - vhost custom properties does not accept '-'
1832161 - rhv-log-collector-analyzer fails with UnicodeDecodeError on RHEL8
1834523 - Edit VM -> Enable Smartcard sharing does not stick when VM is running
1838493 - Live snapshot made with freeze in the engine will cause the FS to be frozen
1841495 - Upgrade openstack-java-sdk to 3.2.9
1842495 - high cpu usage after entering wrong search pattern in RHVM
1844270 - [vGPU] nodisplay option for mdev broken since mdev scheduling unit
1844855 - Missing images (favicon.ico, banner logo) and missing brand.css file on VM portal d/s installation
1845473 - Exporting an OVA file from a VM results in its ovf file having a format of RAW when the disk is COW
1847420 - CVE-2020-10775 ovirt-engine: Redirect to arbitrary URL allows for phishing
1850004 - CVE-2020-11023 jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution
1853444 - [CodeChange][i18n] oVirt 4.4 rhv branding - translation update (July-2020)
1854563 - [4.4 downstream only][RFE] Include a link to grafana on front page

6. Package List:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
ansible-runner-1.4.5-1.el8ar.src.rpm
ansible-runner-service-1.0.2-1.el8ev.src.rpm
apache-commons-collections4-4.4-1.el8ev.src.rpm
apache-commons-compress-1.18-1.el8ev.src.rpm
apache-commons-configuration-1.10-1.el8ev.src.rpm
apache-commons-jexl-2.1.1-1.el8ev.src.rpm
apache-commons-jxpath-1.3-29.el8ev.src.rpm
apache-commons-vfs-2.4.1-1.el8ev.src.rpm
apache-sshd-2.5.1-1.el8ev.src.rpm
ebay-cors-filter-1.0.1-4.el8ev.src.rpm
ed25519-java-0.3.0-1.el8ev.src.rpm
engine-db-query-1.6.1-1.el8ev.src.rpm
java-client-kubevirt-0.5.0-1.el8ev.src.rpm
log4j12-1.2.17-22.el8ev.src.rpm
m2crypto-0.35.2-5.el8ev.src.rpm
makeself-2.4.0-4.el8ev.src.rpm
novnc-1.1.0-1.el8ost.src.rpm
openstack-java-sdk-3.2.9-1.el8ev.src.rpm
ovirt-cockpit-sso-0.1.4-1.el8ev.src.rpm
ovirt-engine-4.4.1.8-0.7.el8ev.src.rpm
ovirt-engine-api-explorer-0.0.6-1.el8ev.src.rpm
ovirt-engine-dwh-4.4.1.2-1.el8ev.src.rpm
ovirt-engine-extension-aaa-jdbc-1.2.0-1.el8ev.src.rpm
ovirt-engine-extension-aaa-ldap-1.4.0-1.el8ev.src.rpm
ovirt-engine-extension-aaa-misc-1.1.0-1.el8ev.src.rpm
ovirt-engine-extension-logger-log4j-1.1.0-1.el8ev.src.rpm
ovirt-engine-extensions-api-1.0.1-1.el8ev.src.rpm
ovirt-engine-metrics-1.4.1.1-1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.2.2-1.el8ev.src.rpm
ovirt-fast-forward-upgrade-1.1.6-0.el8ev.src.rpm
ovirt-log-collector-4.4.2-1.el8ev.src.rpm
ovirt-scheduler-proxy-0.1.9-1.el8ev.src.rpm
ovirt-web-ui-1.6.3-1.el8ev.src.rpm
python-aniso8601-0.82-4.el8ost.src.rpm
python-flask-1.0.2-2.el8ost.src.rpm
python-flask-restful-0.3.6-8.el8ost.src.rpm
python-netaddr-0.7.19-8.1.el8ost.src.rpm
python-notario-0.0.16-2.el8cp.src.rpm
python-ovsdbapp-0.17.1-0.20191216120142.206cf14.el8ost.src.rpm
python-pbr-5.1.2-2.el8ost.src.rpm
python-six-1.12.0-1.el8ost.src.rpm
python-websocket-client-0.54.0-1.el8ost.src.rpm
python-werkzeug-0.16.0-1.el8ost.src.rpm
rhv-log-collector-analyzer-1.0.2-1.el8ev.src.rpm
rhvm-branding-rhv-4.4.4-1.el8ev.src.rpm
rhvm-dependencies-4.4.0-1.el8ev.src.rpm
rhvm-setup-plugins-4.4.2-1.el8ev.src.rpm
snmp4j-2.4.1-1.el8ev.src.rpm
unboundid-ldapsdk-4.0.14-1.el8ev.src.rpm
vdsm-jsonrpc-java-1.5.4-1.el8ev.src.rpm
ws-commons-util-1.0.2-1.el8ev.src.rpm
xmlrpc-3.1.3-1.el8ev.src.rpm

noarch:
ansible-runner-1.4.5-1.el8ar.noarch.rpm
ansible-runner-service-1.0.2-1.el8ev.noarch.rpm
apache-commons-collections4-4.4-1.el8ev.noarch.rpm
apache-commons-collections4-javadoc-4.4-1.el8ev.noarch.rpm
apache-commons-compress-1.18-1.el8ev.noarch.rpm
apache-commons-compress-javadoc-1.18-1.el8ev.noarch.rpm
apache-commons-configuration-1.10-1.el8ev.noarch.rpm
apache-commons-jexl-2.1.1-1.el8ev.noarch.rpm
apache-commons-jexl-javadoc-2.1.1-1.el8ev.noarch.rpm
apache-commons-jxpath-1.3-29.el8ev.noarch.rpm
apache-commons-jxpath-javadoc-1.3-29.el8ev.noarch.rpm
apache-commons-vfs-2.4.1-1.el8ev.noarch.rpm
apache-commons-vfs-ant-2.4.1-1.el8ev.noarch.rpm
apache-commons-vfs-examples-2.4.1-1.el8ev.noarch.rpm
apache-commons-vfs-javadoc-2.4.1-1.el8ev.noarch.rpm
apache-sshd-2.5.1-1.el8ev.noarch.rpm
apache-sshd-javadoc-2.5.1-1.el8ev.noarch.rpm
ebay-cors-filter-1.0.1-4.el8ev.noarch.rpm
ed25519-java-0.3.0-1.el8ev.noarch.rpm
ed25519-java-javadoc-0.3.0-1.el8ev.noarch.rpm
engine-db-query-1.6.1-1.el8ev.noarch.rpm
java-client-kubevirt-0.5.0-1.el8ev.noarch.rpm
log4j12-1.2.17-22.el8ev.noarch.rpm
log4j12-javadoc-1.2.17-22.el8ev.noarch.rpm
makeself-2.4.0-4.el8ev.noarch.rpm
novnc-1.1.0-1.el8ost.noarch.rpm
openstack-java-ceilometer-client-3.2.9-1.el8ev.noarch.rpm
openstack-java-ceilometer-model-3.2.9-1.el8ev.noarch.rpm
openstack-java-cinder-client-3.2.9-1.el8ev.noarch.rpm
openstack-java-cinder-model-3.2.9-1.el8ev.noarch.rpm
openstack-java-client-3.2.9-1.el8ev.noarch.rpm
openstack-java-glance-client-3.2.9-1.el8ev.noarch.rpm
openstack-java-glance-model-3.2.9-1.el8ev.noarch.rpm
openstack-java-heat-client-3.2.9-1.el8ev.noarch.rpm
openstack-java-heat-model-3.2.9-1.el8ev.noarch.rpm
openstack-java-javadoc-3.2.9-1.el8ev.noarch.rpm
openstack-java-keystone-client-3.2.9-1.el8ev.noarch.rpm
openstack-java-keystone-model-3.2.9-1.el8ev.noarch.rpm
openstack-java-nova-client-3.2.9-1.el8ev.noarch.rpm
openstack-java-nova-model-3.2.9-1.el8ev.noarch.rpm
openstack-java-quantum-client-3.2.9-1.el8ev.noarch.rpm
openstack-java-quantum-model-3.2.9-1.el8ev.noarch.rpm
openstack-java-resteasy-connector-3.2.9-1.el8ev.noarch.rpm
openstack-java-swift-client-3.2.9-1.el8ev.noarch.rpm
openstack-java-swift-model-3.2.9-1.el8ev.noarch.rpm
ovirt-cockpit-sso-0.1.4-1.el8ev.noarch.rpm
ovirt-engine-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-api-explorer-0.0.6-1.el8ev.noarch.rpm
ovirt-engine-backend-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-dwh-4.4.1.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.4.1.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.4.1.2-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-jdbc-1.2.0-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-1.4.0-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-setup-1.4.0-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-misc-1.1.0-1.el8ev.noarch.rpm
ovirt-engine-extension-logger-log4j-1.1.0-1.el8ev.noarch.rpm
ovirt-engine-extensions-api-1.0.1-1.el8ev.noarch.rpm
ovirt-engine-extensions-api-javadoc-1.0.1-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-metrics-1.4.1.1-1.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-setup-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-tools-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-ui-extensions-1.2.2-1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-fast-forward-upgrade-1.1.6-0.el8ev.noarch.rpm
ovirt-log-collector-4.4.2-1.el8ev.noarch.rpm
ovirt-scheduler-proxy-0.1.9-1.el8ev.noarch.rpm
ovirt-web-ui-1.6.3-1.el8ev.noarch.rpm
python-flask-doc-1.0.2-2.el8ost.noarch.rpm
python2-netaddr-0.7.19-8.1.el8ost.noarch.rpm
python2-pbr-5.1.2-2.el8ost.noarch.rpm
python2-six-1.12.0-1.el8ost.noarch.rpm
python3-aniso8601-0.82-4.el8ost.noarch.rpm
python3-ansible-runner-1.4.5-1.el8ar.noarch.rpm
python3-flask-1.0.2-2.el8ost.noarch.rpm
python3-flask-restful-0.3.6-8.el8ost.noarch.rpm
python3-netaddr-0.7.19-8.1.el8ost.noarch.rpm
python3-notario-0.0.16-2.el8cp.noarch.rpm
python3-ovirt-engine-lib-4.4.1.8-0.7.el8ev.noarch.rpm
python3-ovsdbapp-0.17.1-0.20191216120142.206cf14.el8ost.noarch.rpm
python3-pbr-5.1.2-2.el8ost.noarch.rpm
python3-six-1.12.0-1.el8ost.noarch.rpm
python3-websocket-client-0.54.0-1.el8ost.noarch.rpm
python3-werkzeug-0.16.0-1.el8ost.noarch.rpm
python3-werkzeug-doc-0.16.0-1.el8ost.noarch.rpm
rhv-log-collector-analyzer-1.0.2-1.el8ev.noarch.rpm
rhvm-4.4.1.8-0.7.el8ev.noarch.rpm
rhvm-branding-rhv-4.4.4-1.el8ev.noarch.rpm
rhvm-dependencies-4.4.0-1.el8ev.noarch.rpm
rhvm-setup-plugins-4.4.2-1.el8ev.noarch.rpm
snmp4j-2.4.1-1.el8ev.noarch.rpm
snmp4j-javadoc-2.4.1-1.el8ev.noarch.rpm
unboundid-ldapsdk-4.0.14-1.el8ev.noarch.rpm
unboundid-ldapsdk-javadoc-4.0.14-1.el8ev.noarch.rpm
vdsm-jsonrpc-java-1.5.4-1.el8ev.noarch.rpm
ws-commons-util-1.0.2-1.el8ev.noarch.rpm
ws-commons-util-javadoc-1.0.2-1.el8ev.noarch.rpm
xmlrpc-client-3.1.3-1.el8ev.noarch.rpm
xmlrpc-common-3.1.3-1.el8ev.noarch.rpm
xmlrpc-javadoc-3.1.3-1.el8ev.noarch.rpm
xmlrpc-server-3.1.3-1.el8ev.noarch.rpm

x86_64:
m2crypto-debugsource-0.35.2-5.el8ev.x86_64.rpm
python3-m2crypto-0.35.2-5.el8ev.x86_64.rpm
python3-m2crypto-debuginfo-0.35.2-5.el8ev.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-18635
https://access.redhat.com/security/cve/CVE-2019-8331
https://access.redhat.com/security/cve/CVE-2019-10086
https://access.redhat.com/security/cve/CVE-2019-13990
https://access.redhat.com/security/cve/CVE-2019-17195
https://access.redhat.com/security/cve/CVE-2019-19336
https://access.redhat.com/security/cve/CVE-2020-7598
https://access.redhat.com/security/cve/CVE-2020-10775
https://access.redhat.com/security/cve/CVE-2020-11022
https://access.redhat.com/security/cve/CVE-2020-11023
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html-single/technical_notes

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXylir9zjgjWX9erEAQii/A//bJm3u0+ul+LdQwttSJJ79OdVqcp3FktP
tdPj8AFbB6F9KkuX9FAQja0/2pgZAldB3Eyz57GYTxyDD1qeMqYSayGHCH01GWAn
u8uF90lcSz6YvgEPDh1mWhLYQMfdWT6IUuKOEHldt8TyHbc7dX3xCbsLDzNCxGbl
QuPSFPQBJaAXETSw42NGzdUzaM9zoQ0Mngj+Owcgw53YyBy3BSLAb5bKuijvkcLy
SVCAxxiQ89E+cnETKYIv4dOfqXGA5wLg68hDmUQyFcXHA9nQbJM9Q0s1fbZ2Wav1
oGGTqJDTgVElxrHB5pYJ6pu484ZgJealkBCrHA2OBsMJUadwitVvQLXFZF5OyN0N
f/vtZ1ua4mZADa61qfnlmVRiyISwmPPWIOImA3TIE5Q8Yl5ucCqtDjQPoJAbXsUl
Y22Bb5x7JyrN0nyOgwh6BGGK51CmOaP+xNuWD7osI24pnzdmPTZuJrZLePxgPgac
WWQNznzvokknva2ofvujAm+DEl+W7W3A8Vs9wkmUWYlaVC7GFLEkcvQjjHahZ7kh
dVJNoh70vpA+aJCMQHYK6MGtCSAWoqXkRTsHb3Stfm2vLLz6GYxY5OuvB7Z0ME1N
zCiFjBla5+3nKx5ab8Pola56T1wRULHL6zYN9GTsOzxjdJsKHXBVeV8OYcnoHiza
2TrKn2dtZwI=
=92Q3
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXyubA+NLKJtyKPYoAQjJcA/7BS5W3+k8uG/EY4Gn8aKFvWSpRnVjGbRa
Kb+f9Sp++6ByVQ4JZis2HqXYGCgTTPB4CXFB6h76KOcUvl/KNOBNSveGCEJ4wfb9
HtGFPrUmhbKxDKwQn4rYQRpKCNk/85ZqIBQmkSnTMkg58vZG0hHhoQEzoTV82JFp
ngeax+jl25mqaeWoSdDjCWg2eTyB1QpDKrmV7kkxYzjX7d6bTXAdl+ZcvzWKqO08
6SSX96ucZxRuH3uHfNXh6RSfiUi+Hh67Mw4CEma26Ujgq8C/kPIZcdA5np3TOA5I
28vHqEMW7USZhj6fukxOOwZNhmc/nddwyWgnuy6BmhGlrYS4++gUWiNvhUXQ14oR
jo2w0SSpmhNT4cK3XxTvITWX6B8iJv50BbEljxaWpcvgBV/O2QJ+AekFp66w+EaY
xInVYK9s3QmWBq7O3KBUoW4rjaLH55oWTbSOQzO/Jw1EPbk3KvAfn/BhlQzywI0G
PJuEWTWvyXU6N/j/uool7MdIiNPtHfY8xYytSXQVnzlijhYqvDMjWkI9xisf+4GJ
/JUaJgHwksAg8X+eUuJYGSZcRxIw8xIvW2BVVE9AyOakKSC5E5B+CczKt1cZkI40
jRnu6RAdgoeGJljWR/WyKJtlLgi4/QmHB/4VU00QHdbzhbEoyo7hh/FyyfJpNOHL
DwRlAIMA3no=
=/od1
-----END PGP SIGNATURE-----