-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3344
                        qemu-kvm-ma security update
                             30 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           qemu-kvm-ma
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14364 CVE-2019-20382 CVE-2018-15746
Reference:         ESB-2020.3189
                   ESB-2020.3048
                   ESB-2020.2899
                   ESB-2020.2656
                   ESB-2019.3067
                   ESB-2018.3883

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:4078
   https://access.redhat.com/errata/RHSA-2020:4055
   https://access.redhat.com/errata/RHSA-2020:4054
   https://access.redhat.com/errata/RHSA-2020:4053
   https://access.redhat.com/errata/RHSA-2020:4052
   https://access.redhat.com/errata/RHSA-2020:4051
   https://access.redhat.com/errata/RHSA-2020:4050
   https://access.redhat.com/errata/RHSA-2020:4048
   https://access.redhat.com/errata/RHSA-2020:4047
   https://access.redhat.com/errata/RHSA-2020:3907
   https://access.redhat.com/errata/RHSA-2020:3906

Comment: This bulletin contains eleven (11) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm-ma security update
Advisory ID:       RHSA-2020:4078-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4078
Issue date:        2020-09-29
CVE Names:         CVE-2020-14364
=====================================================================

1. Summary:

An update for qemu-kvm-ma is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-ma packages provide the user-space component for running virtual machines that use KVM on the IBM z Systems, IBM Power, and 64-bit ARM architectures.

Security Fix(es):

* QEMU: usb: out-of-bounds r/w access issue while processing usb packets (CVE-2020-14364)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1869201 - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets

6. Package List:

Red Hat Enterprise Linux Server (v. 7):

Source:
qemu-kvm-ma-2.12.0-48.el7_9.1.src.rpm

ppc64:
qemu-img-ma-2.12.0-48.el7_9.1.ppc64.rpm
qemu-kvm-ma-debuginfo-2.12.0-48.el7_9.1.ppc64.rpm

ppc64le:
qemu-img-ma-2.12.0-48.el7_9.1.ppc64le.rpm
qemu-kvm-common-ma-2.12.0-48.el7_9.1.ppc64le.rpm
qemu-kvm-ma-2.12.0-48.el7_9.1.ppc64le.rpm
qemu-kvm-ma-debuginfo-2.12.0-48.el7_9.1.ppc64le.rpm
qemu-kvm-tools-ma-2.12.0-48.el7_9.1.ppc64le.rpm

s390x:
qemu-img-ma-2.12.0-48.el7_9.1.s390x.rpm
qemu-kvm-common-ma-2.12.0-48.el7_9.1.s390x.rpm
qemu-kvm-ma-2.12.0-48.el7_9.1.s390x.rpm
qemu-kvm-ma-debuginfo-2.12.0-48.el7_9.1.s390x.rpm
qemu-kvm-tools-ma-2.12.0-48.el7_9.1.s390x.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
qemu-kvm-common-ma-2.12.0-48.el7_9.1.ppc64.rpm
qemu-kvm-ma-2.12.0-48.el7_9.1.ppc64.rpm
qemu-kvm-ma-debuginfo-2.12.0-48.el7_9.1.ppc64.rpm
qemu-kvm-tools-ma-2.12.0-48.el7_9.1.ppc64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14364
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
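The Solution section of each advisory in this bulletin says to install the update and then shut down and restart every virtual machine. Before that, an operator needs to know which hosts still carry a pre-fix build, and the answer differs per stream: a RHEL 7.6 EUS host is fixed at qemu-kvm-1.5.3-160.el7_6.8 even though that build is numerically older than the 7.7 EUS fix. The script below is an added example, not part of the AusCERT bulletin or of Red Hat's advisories. It takes `rpm -qa` output, derives the stream from the dist tag in the release (el7_7, el6_6 and so on), and compares each qemu-kvm / qemu-kvm-ma sub-package against the fixed version-release taken from the package lists reproduced on this page. The fixed-version table, the simplified `rpmvercmp`, the classification names and the sample `rpm -qa` lines are all constructed here; only the version-release strings come from the advisories.

```python
"""Audit `rpm -qa` output against the fixed QEMU/KVM builds listed in the advisories above."""
import re

# Fixed version-release per (package family, dist tag). Values are copied from the
# package lists of the advisories on this page; streams whose advisory body is not
# reproduced here (for example RHSA-2020:3907/3906) are reported as "not-covered".
FIXED_VR = {
    ("qemu-kvm-ma", "el7_9"): "2.12.0-48.el7_9.1",     # RHSA-2020:4078
    ("qemu-kvm-ma", "el7_7"): "2.12.0-33.el7_7.4",     # RHSA-2020:4047
    ("qemu-kvm", "el6_6"): "0.12.1.2-2.448.el6_6.9",   # RHSA-2020:4055
    ("qemu-kvm", "el6_5"): "0.12.1.2-2.415.el6_5.21",  # RHSA-2020:4054
    ("qemu-kvm", "el7_7"): "1.5.3-167.el7_7.7",        # RHSA-2020:4053
    ("qemu-kvm", "el7_6"): "1.5.3-160.el7_6.8",        # RHSA-2020:4052
    ("qemu-kvm", "el7_4"): "1.5.3-141.el7_4.11",       # RHSA-2020:4051
    ("qemu-kvm", "el7_3"): "1.5.3-126.el7_3.18",       # RHSA-2020:4050
    ("qemu-kvm", "el7_2"): "1.5.3-105.el7_2.20",       # RHSA-2020:4048
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")
_NVRA = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")
_DIST = re.compile(r"el[0-9]+(?:_[0-9]+)?")


def rpmvercmp(a, b):
    """Simplified rpm version comparison (constructed here): split both strings into
    numeric and alphabetic segments, compare numerics as integers, let a numeric
    segment beat an alphabetic one, and let the longer string win on a tie. The
    '~' and '^' rules of the real rpmvercmp are not needed for the builds above."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(vr_a, vr_b):
    """Compare two 'version-release' strings: version first, release breaks ties."""
    va, ra = vr_a.rsplit("-", 1)
    vb, rb = vr_b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def check_package(nvra):
    """Classify one 'name-version-release.arch' line as 'fixed', 'vulnerable' or
    'not-covered' (not a package from these advisories, or a stream whose fixed
    build is not in FIXED_VR)."""
    m = _NVRA.match(nvra.strip())
    if not m:
        return "not-covered"
    name, ver, rel = m.group("name"), m.group("ver"), m.group("rel")
    if not (name.startswith("qemu-") or name.startswith("libcacard")):
        return "not-covered"
    dist = _DIST.search(rel)
    if dist is None:
        return "not-covered"
    # Every sub-package built from one source RPM carries the same version-release,
    # so the "-ma" marker in the name is enough to select the qemu-kvm-ma stream.
    family = "qemu-kvm-ma" if re.search(r"-ma(?:-|$)", name) else "qemu-kvm"
    fixed = FIXED_VR.get((family, dist.group(0)))
    if fixed is None:
        return "not-covered"
    return "fixed" if compare_vr(f"{ver}-{rel}", fixed) >= 0 else "vulnerable"


def audit(rpm_qa_output):
    """Return [(line, status), ...] for every non-empty line of `rpm -qa` output."""
    return [(line, check_package(line)) for line in rpm_qa_output.splitlines() if line.strip()]


# Constructed sample of `rpm -qa` output; not taken from a real host.
SAMPLE_RPM_QA = """\
qemu-kvm-1.5.3-167.el7_7.6.x86_64
qemu-img-1.5.3-167.el7_7.7.x86_64
qemu-kvm-1.5.3-160.el7_6.8.x86_64
qemu-kvm-ma-2.12.0-33.el7_7.3.ppc64le
qemu-guest-agent-0.12.1.2-2.448.el6_6.9.x86_64
libcacard-1.5.3-105.el7_2.19.i686
bash-4.2.46-34.el7.x86_64
"""

if __name__ == "__main__":
    for line, status in audit(SAMPLE_RPM_QA):
        print(f"{status:12} {line}")
```

On a real host, feed the output of `rpm -qa` to `audit()` instead of the constructed sample. A "fixed" result is necessary but not sufficient: as the Solution section states, a virtual machine keeps running the old QEMU process until it is shut down and started again, so pair this package check with the start time of each running qemu process. The signature check the advisory points to (the Red Hat key page above) is a separate step that this script does not replace.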
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3OyM9zjgjWX9erEAQhq2g//SbOVBkolkAk3NR0OIEIlAipRI7Bk4PvL
CgRuOvp5AJYlS5mSF3BKhDCZVucJ6zCrlXnO9eDt7bcN+14YxVXjYjZcGI2Gv0d7
G9WggQG1Lt5OLE36rIhMz7SMrZEzu0g5gBGFGK93LL1rs5snWHEGG3g86iMqMIic
IW+mLL9z0tVkow0lfsPbQs05nldkEA9nDWFdVV3ozj42r86VpGKBr1QdyGQv+sXA
1S2umdiI8FMVlD4YupBR0jRCP3EUnTZbTUjF20zBgBHxdZ3PVqr8obEXEaEAZ6Wv
kuyDldkoMRcT2itPL1oAKNeufbcf+eXhczwBPKO+3vn7lmNRSdasX9PLfkRSmJuw
sDIAtPBJCBDXiUWWcvpzsmhfUimp4zXOPLbAKOd8P9N1BC29fGGj4EH1N46CeduP
pE4aHXJTsebmkhClDlBU7v4OrpPy2195bQelMnty7xyV+GLRSRFDLDoi8YochlYP
islUyjLObWixg26XCOz7NtcCBCQbqiroWmcVecNxsy6cask9b757l0vKSnDRPrO4
1glsFgmIyVRVAGxWx/KpKBAwdocyc4plgnPusvxnZXnoVo0CZ7I+l6+0e/7gof/4
HTBp2lPz/1hHKVmnIvoBFOGPegDFPToYLjQYE5QUPX9pyHu1dNC6fdvOyUEd5qcy
I7HiS1F7Clo=
=htH1
- -----END PGP SIGNATURE-----

- -----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm security update
Advisory ID:       RHSA-2020:4055-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4055
Issue date:        2020-09-29
CVE Names:         CVE-2020-14364
=====================================================================

1. Summary:

An update for qemu-kvm is now available for Red Hat Enterprise Linux 6.6 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 6.6) - x86_64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.

Security Fix(es):

* QEMU: usb: out-of-bounds r/w access issue while processing usb packets (CVE-2020-14364)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1869201 - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 6.6):

Source:
qemu-kvm-0.12.1.2-2.448.el6_6.9.src.rpm

x86_64:
qemu-guest-agent-0.12.1.2-2.448.el6_6.9.x86_64.rpm
qemu-img-0.12.1.2-2.448.el6_6.9.x86_64.rpm
qemu-kvm-0.12.1.2-2.448.el6_6.9.x86_64.rpm
qemu-kvm-debuginfo-0.12.1.2-2.448.el6_6.9.x86_64.rpm
qemu-kvm-tools-0.12.1.2-2.448.el6_6.9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14364
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3LwHtzjgjWX9erEAQhVOw//V/e+d+KcgfT1OL0YV9WEEF9lPckL1AJZ
pBa46SokohaZykjy4VcIUEwgo1kTZgcbqsndsz4taT5MtknGolssfCyw0gx8a08r
6cwnFV8aKMyVDQx0WJDrgLXz1x36LrhDj+RY//CDKApFd4RYBzS4TMPbmWfYf+hH
m/VZaOm8c8imyWkKIDLXHjVTLNCc6qG0KbyOjbngeGMPgELQ4QQ0wFZVZAz5hRhr
KjW3GYuadPfGBWPamjyUzfNKITZ5QOiRm8vAJivN5KOnJLFWRNjyneht7uSX+PA1
ZFZfjInGsf28dlvQWsUCLcOC3wrjcOYtDDlOn2yO4IOLxiVQi0AbDMnMgNQy+009
cq959yfzHR1VRjJqytTbQDMYS7c/y1jtfu50Qgo6V9YeejREMgiMCRVW2aw+0ihF
nnZToCJRUtRMDSHVIW12V39zpYUqzSmepf+Kh9Wbkl84zmsoXJzUwTyXTdMB+C3I
PUIKZOpdHsGYpnQY4YjgNwuJpi71jxGGubZQzheIK90A/p+OR3ztg7GrBL8PTarV
RWNpBldsS+x7rJ0rNEtsVuvfS+S3dxIGKrUOnOf34Hu12EAjEBGHFPBWKOFP2VcN
XTXVse+OjV8HA26oUQMcpTcFMx8bC4OwaXxaTfbkfIAM7TY+XcP0NrCBbdDYfAJb
Z57ISWcjRlo=
=sHqz
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm security update
Advisory ID:       RHSA-2020:4054-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4054
Issue date:        2020-09-29
CVE Names:         CVE-2020-14364
=====================================================================

1. Summary:

An update for qemu-kvm is now available for Red Hat Enterprise Linux 6.5 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 6.5) - x86_64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.

Security Fix(es):

* QEMU: usb: out-of-bounds r/w access issue while processing usb packets (CVE-2020-14364)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1869201 - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 6.5):

Source:
qemu-kvm-0.12.1.2-2.415.el6_5.21.src.rpm

x86_64:
qemu-guest-agent-0.12.1.2-2.415.el6_5.21.x86_64.rpm
qemu-img-0.12.1.2-2.415.el6_5.21.x86_64.rpm
qemu-kvm-0.12.1.2-2.415.el6_5.21.x86_64.rpm
qemu-kvm-debuginfo-0.12.1.2-2.415.el6_5.21.x86_64.rpm
qemu-kvm-tools-0.12.1.2-2.415.el6_5.21.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14364
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3Lv5tzjgjWX9erEAQiYwhAApngzGEkX6Nc/ULx2fIWNJ7e0RQbEZsop
b3kfQ7owBbSl+QRN/zR4Z/ztBi5UygrauxcHtHEeVVuCZ2ILIVu7TePF3ypvRMKa
Wf/U/cizbUtbsUOybzdJKU+HAYuKTwmQ/4ywP0ER6jLOr0uxTp6tkQtPIW4H46hp
jKfyDtJEI55JAII3g4YUuoanwSNA4L9iwLmZx2jfsJ1FGPmeXDRmkLyGtvndcsyk
iEgvAqQQPe5w88Ptx3pohIi6Df7fWsfIhIP1LQE31dAjNc+mbl0RQ0cFpHlcE/5F
qGcGr2BMBdeHQVNOEG6Img19qckFklym21YHPNp68z2WOkHqV5tfzX/9uGHgIC1D
z86SlPt7PDwJ5cl6vQ2i4cI8wk3ojpkt/sAkTltGymSMtNC+3q/3J0Jwj6yqoBXT
g++SXnO3AeAZQlr2XxRfkvsGu066g2XnWV7lXWnZM3/KdfOZzt34bd1OOxMTtpqo
91QpqW2QOwJBwkreCyqZ/SnvcESCknhBoctFQzI367tx+/nm2LjRArn0xFZsFP1+
P7zM5yzGMHcMwYq0OT4tGBKsqecLCZnxGUnouPDz4sEFUSQPGYrag/Y5vKJx3Xcg
b4jJXtZ/Yebl+PBCqheK2fm6hW4FxcPeqEOsJcJyhxWHuQN2BVjzlQY0MjSilD54
nAFaGLRrvQM=
=S1gF
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm security update
Advisory ID:       RHSA-2020:4053-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4053
Issue date:        2020-09-29
CVE Names:         CVE-2020-14364
=====================================================================

1. Summary:

An update for qemu-kvm is now available for Red Hat Enterprise Linux 7.7 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.7) - x86_64
Red Hat Enterprise Linux Server EUS (v. 7.7) - x86_64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.

Security Fix(es):

* QEMU: usb: out-of-bounds r/w access issue while processing usb packets (CVE-2020-14364)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1869201 - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets

6. Package List:

Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.7):

Source:
qemu-kvm-1.5.3-167.el7_7.7.src.rpm

x86_64:
qemu-img-1.5.3-167.el7_7.7.x86_64.rpm
qemu-kvm-1.5.3-167.el7_7.7.x86_64.rpm
qemu-kvm-common-1.5.3-167.el7_7.7.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-167.el7_7.7.x86_64.rpm
qemu-kvm-tools-1.5.3-167.el7_7.7.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 7.7):

Source:
qemu-kvm-1.5.3-167.el7_7.7.src.rpm

x86_64:
qemu-img-1.5.3-167.el7_7.7.x86_64.rpm
qemu-kvm-1.5.3-167.el7_7.7.x86_64.rpm
qemu-kvm-common-1.5.3-167.el7_7.7.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-167.el7_7.7.x86_64.rpm
qemu-kvm-tools-1.5.3-167.el7_7.7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14364
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3NTCtzjgjWX9erEAQht1A//YHMvIDMzSbQDMN+dImOj7rS4x/HF5sKx
fuN+3rZvuNMyLeL6tz9mygsA2GbfdlcL6PQSqrttzfS5DIflOrxvD3Y8SK8aJDxI
IALeONd5U6p1xnLEBWk6cKvkcZvNjzpmee3P431vRKUiPyGjUruvr91FbMTewncM
4+Lu1GIN8PDpQ+zMFqBKfNgbuH5oYRfDgu8K684BvANBDznRjDEDQRsNhHhWMa9+
gNp57gW7+5oEi9l5Wv+KciCyvcO8dKke6lUon9+f8Q/F+sifpwozbiMVVMvheljg
LdLBH7geKFjIxcQ+mMVNJ7RPM+ExsfqdudSse9aswJo78rSSEgRxWWb1ZIpn0svG
QsRLL1LXacHmboiyzkWQ/tWO9mKR7GJkvyOGYNDX9CV1jD7S3j9IVgNhRqM3sIXP
U75tnlRTzY0DpZD+AqS/bJwc967KTskVER2MPsXKWQH/AuqD8xINVpQC9rCg83R1
FdJVHOvSJj9k3Kz13p4p9VSLsmjIh9V4iVDRZii6fvmoShPB2FBYUQh/bd0JdC30
WWC/xa99A0vMhov+eUW6vTiTmzPN8ffAXOHKePPW6skvlnXTmHsbOyOJO2uH6t7T
fHxpIA9GJ06CDRVi1wWOq/ITW3iU7QyFG2LYwzMw8ZWREOAxqbe9gjzr9ekKzh2u
0XaWT0AvKqU=
=a02r
- -----END PGP SIGNATURE-----

- -----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm security update
Advisory ID:       RHSA-2020:4052-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4052
Issue date:        2020-09-29
CVE Names:         CVE-2020-14364
=====================================================================

1. Summary:

An update for qemu-kvm is now available for Red Hat Enterprise Linux 7.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.6) - x86_64
Red Hat Enterprise Linux Server EUS (v. 7.6) - x86_64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.

Security Fix(es):

* QEMU: usb: out-of-bounds r/w access issue while processing usb packets (CVE-2020-14364)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1869201 - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets

6. Package List:

Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.6):

Source:
qemu-kvm-1.5.3-160.el7_6.8.src.rpm

x86_64:
qemu-img-1.5.3-160.el7_6.8.x86_64.rpm
qemu-kvm-1.5.3-160.el7_6.8.x86_64.rpm
qemu-kvm-common-1.5.3-160.el7_6.8.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-160.el7_6.8.x86_64.rpm
qemu-kvm-tools-1.5.3-160.el7_6.8.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 7.6):

Source:
qemu-kvm-1.5.3-160.el7_6.8.src.rpm

x86_64:
qemu-img-1.5.3-160.el7_6.8.x86_64.rpm
qemu-kvm-1.5.3-160.el7_6.8.x86_64.rpm
qemu-kvm-common-1.5.3-160.el7_6.8.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-160.el7_6.8.x86_64.rpm
qemu-kvm-tools-1.5.3-160.el7_6.8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14364
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3NRZtzjgjWX9erEAQjmIg//UH7HeBSkE96gdYB8FEAJONFvw2PonCjH
oxk4qJVUI+XA6IgxFVqFC7pPaTUGtUyHMdOVQBCkb0SuPw6DFAT84VAcX8vfykPW
CTC2bo/VIvdQqwpNrJQQL4ZN49WI6HhrTJP+bzMleg32Dp1myqBi32dBtJBKAwwH
k3x9Z4qU4L1IQQ2GURY+wu2sEyA93T9qhtGETvO/TQZ1I9iz5JfEca1edxs58EHx
BIWJXtAL5C2/QdS5tC/XY7HpUdlOGuCgtwqFNwkgtOIwEwX1SpFTAqzu9d4bqo0M
kdpnfRGu+OvTJ3AJjUjx8HiRZNYgNVp98ZkucYj/WLzTdP2rnkbBIu4Vv1AbID9U
mIIaAwZsTh/CFdVekbMr/xBHgJtTQ/S9FZYP2K34VG1xBCtmFGxgJO5wScKhoLdx
tk2mrAH86b6Ncs2Is2uvkZbs9nXALmvX0aK2zzC4r7922MugePfcGHlIifY+92uf
Bpd2Nn9mLAIZyMDKd3xJN0SGTG55NHH2d0TXbz/Yu0SEu9Ie4D76mvaahGPA0fo4
6zImpdOiQSZgkb9DINfmxakUjcvRWre+6gNPZJS/YuirShyA89Ei7mOGfHirCiiB
pb64+OdEfj0J64tN15eIJMY8paebu4Mrdf3BfKgRxnGiFV/8YnP0h1kyxvSbyjix
xr5nNmktosI=
=dTBV
- -----END PGP SIGNATURE-----

- ----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm security update
Advisory ID:       RHSA-2020:4051-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4051
Issue date:        2020-09-29
CVE Names:         CVE-2020-14364
=====================================================================

1. Summary:

An update for qemu-kvm is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended Update Support, and Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.4) - x86_64
Red Hat Enterprise Linux Server E4S (v. 7.4) - ppc64le, x86_64
Red Hat Enterprise Linux Server TUS (v. 7.4) - x86_64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.

Security Fix(es):

* QEMU: usb: out-of-bounds r/w access issue while processing usb packets (CVE-2020-14364)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1869201 - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.4):

Source:
qemu-kvm-1.5.3-141.el7_4.11.src.rpm

x86_64:
qemu-img-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-common-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-tools-1.5.3-141.el7_4.11.x86_64.rpm

Red Hat Enterprise Linux Server E4S (v. 7.4):

Source:
qemu-kvm-1.5.3-141.el7_4.11.src.rpm

ppc64le:
qemu-img-1.5.3-141.el7_4.11.ppc64le.rpm
qemu-kvm-debuginfo-1.5.3-141.el7_4.11.ppc64le.rpm

x86_64:
qemu-img-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-common-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-tools-1.5.3-141.el7_4.11.x86_64.rpm

Red Hat Enterprise Linux Server TUS (v. 7.4):

Source:
qemu-kvm-1.5.3-141.el7_4.11.src.rpm

x86_64:
qemu-img-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-common-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-tools-1.5.3-141.el7_4.11.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14364
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3L0H9zjgjWX9erEAQii3g/8Duqw0GvoFshzbPRUCeoR7lE9hgKnskXL
EpM49d9SkJonxLYXgQJqlzeETsbonCFKe5RqxiFJWLWn/PguYL4TPxlLzEh93vaU
SyM68LaST1dceUTtYpyiYpLfznSMTORgNNmwQ0OK6rNaL7gSBBidSn3Njd3dFdOZ
ckgpXxFg4lP3uaxp+DspxKgDK/2Nhtnky9T7VJokriqC/6FJ5DPXMG0U0wyHe1Pn
5OGKYirbr0p4YGSTjn/pB1SiDfPWF3cslMkjbjELTwFSVUe1xEtB65GeOvUhexag
1sTclW+eyKb0yuGT6l12o00xt+lu/osmmOOUZsqbro29zXc4JxS4fujcv1658MqI
L4CGA/k7EYdSocHw4K+YjnWqFs1fEyMA94XGFvVyg4aXaXZaUjrYMJaUnrhaOToT
QqPokWT8El4K48n9BvWOvcli09P3asOgAttxH4tFy5dY6sk4LaZJ7/WC8ujqMhxP
2clYn/CA21BIw0nxE7MHH2zOSmWQrxvGbuH4Jc0nHhW8iAuyDOzay+EUhCxlEzb+
2ZriDS+1kdHOglIGh+8WNgTDKHVCr+Pg5U96KXciohHPiMp0axcRy9jIL1qIBa9j
62yw7qRfhyGJxQenlwOa1i0/XpIDhuhc8C/2liZr0ROIfeqj3DGaR6D6F5fOySNx
KAU17fSSnEE=
=cgUg
- -----END PGP SIGNATURE-----

- -----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm security update
Advisory ID:       RHSA-2020:4050-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4050
Issue date:        2020-09-29
CVE Names:         CVE-2020-14364
=====================================================================

1. Summary:

An update for qemu-kvm is now available for Red Hat Enterprise Linux 7.3 Advanced Update Support, Red Hat Enterprise Linux 7.3 Telco Extended Update Support, and Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.3) - x86_64
Red Hat Enterprise Linux Server E4S (v. 7.3) - ppc64le, x86_64
Red Hat Enterprise Linux Server TUS (v. 7.3) - x86_64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.

Security Fix(es):

* QEMU: usb: out-of-bounds r/w access issue while processing usb packets (CVE-2020-14364)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1869201 - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.3):

Source:
qemu-kvm-1.5.3-126.el7_3.18.src.rpm

x86_64:
qemu-img-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-common-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-tools-1.5.3-126.el7_3.18.x86_64.rpm

Red Hat Enterprise Linux Server E4S (v. 7.3):

Source:
qemu-kvm-1.5.3-126.el7_3.18.src.rpm

ppc64le:
qemu-img-1.5.3-126.el7_3.18.ppc64le.rpm
qemu-kvm-debuginfo-1.5.3-126.el7_3.18.ppc64le.rpm

x86_64:
qemu-img-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-common-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-tools-1.5.3-126.el7_3.18.x86_64.rpm

Red Hat Enterprise Linux Server TUS (v. 7.3):

Source:
qemu-kvm-1.5.3-126.el7_3.18.src.rpm

x86_64:
qemu-img-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-common-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-tools-1.5.3-126.el7_3.18.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14364
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3Lz4tzjgjWX9erEAQiB9g/+LKFFACk/H/QjeLlGl7O5PvGVXUOMUIWr
+ygKqPvvrQWebUUnw2lKZlmqotSDoYZGANltEGCpn9/2FZPl+Iiva9ZZCJPY0xit
R1xghoCE/x+iUhK6aGSdcUjom3nRgzlL7lWUckgVJGLB7hvbTkkh38rSctuivnJv
t7ujt5wo7W4DRl5ixX2UFFiFT0FCOmXzFTEWcWg+6f5xkd8dtn/fXjJzS0T42/eG
qhFK8Z74OQK/P+ochQ3wmF8Lqbf8jCVNl+ImIl9Ya0RvisNwH22DyvHiV4T6iY/Q
fjtXql3AuGJ8/xQ8pRdAtbFStWB5NeF7ost6nk/VEulFn58lynr4auxKdcW9xGJZ
hWZZkKeaWpprBr7HOZFNYJ74oDDsQf+l6cnTOxCO/9MXebQUc85g/A9/L1dHtP2h
CioR2NU+rMej2X7uQxDCtEdcm5zHb2rRC/GXGnQOhP4tSfs5OJWth1Clio2sjTLQ
hGGO5LBA5Z5nM+C2fJ6aZIctA8t+vckLp0tAfO/r9HDv3EL3UtLco5qI87K4eEa6
HAr3MwhQe6Sl7sVmSP9j2TCvSpAUe+AskgVxSvZXXjgA8KiThVycEn+8E72iNz6Q
s6SbX/K2FdhTtw4finnZNSYzRjuNWLQQ6LK67HhOGPMi3k9QJMYP3TMYIZ6BbzQv
vZ4QbVk89PM=
=wdu3
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm security update
Advisory ID:       RHSA-2020:4048-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4048
Issue date:        2020-09-29
CVE Names:         CVE-2020-14364
=====================================================================

1. Summary:

An update for qemu-kvm is now available for Red Hat Enterprise Linux 7.2 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.2) - x86_64
Red Hat Enterprise Linux Server Optional AUS (v. 7.2) - x86_64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.

Security Fix(es):

* QEMU: usb: out-of-bounds r/w access issue while processing usb packets (CVE-2020-14364)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1869201 - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.2):

Source:
qemu-kvm-1.5.3-105.el7_2.20.src.rpm

x86_64:
libcacard-1.5.3-105.el7_2.20.i686.rpm
libcacard-1.5.3-105.el7_2.20.x86_64.rpm
qemu-img-1.5.3-105.el7_2.20.x86_64.rpm
qemu-kvm-1.5.3-105.el7_2.20.x86_64.rpm
qemu-kvm-common-1.5.3-105.el7_2.20.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-105.el7_2.20.i686.rpm
qemu-kvm-debuginfo-1.5.3-105.el7_2.20.x86_64.rpm
qemu-kvm-tools-1.5.3-105.el7_2.20.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 7.2):

x86_64:
libcacard-devel-1.5.3-105.el7_2.20.i686.rpm
libcacard-devel-1.5.3-105.el7_2.20.x86_64.rpm
libcacard-tools-1.5.3-105.el7_2.20.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-105.el7_2.20.i686.rpm
qemu-kvm-debuginfo-1.5.3-105.el7_2.20.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14364
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3LwONzjgjWX9erEAQj5nw//bynalGVu9Q6YyEO1apXvldBrm9WEzHKH
Eecz72gCiPX2M1oFjpJjZgxhLmkSRk86B8SQEYxeAHFwBUgil5sys/EI/nKti91K
sNJm9oxNahN4m3GqRvtA0KbeeNfGnZxW2XYr7QzrgbE+eTP2UXzJyjJ7u2zGVij4
Lt/tpBQ1VUVMONeZhKSTiXGcxd8mquSURjt1a3q4yZRcSheyvO5JFJSlzbcpNKo2
nGc00UDPycnM1+4ptPDc3A5/IyT0Pm6de/rK0dbTitdkS1TT6ff360OmaRqc58j+
ThHdW7cKxkLrmFKkaEDPfO4GMCJ3Ya7B84H280iZbGXuQdXh5rIrBgBxJYkU7qH/
4JYWhdYnYW8Bh7I0awkhhQ2qWtW82B75rCZYQ0K+pVG/5/ULG/i4VtR129AjTN3S
uz4FYYdami0eRYF2NhSe83LuwuOQFosrREKCxfUBAc84zdzi5YrdtVDIbLYAMeEE
puQHLMVmlc/cLrixOkPvl/ibI3t9KogKb+GwC3+R81Hi2zSLRI1UlC2wBEB29Q9/
1LhGddh+YsmpN8/O2fPvlNqlPS7xR4B64ZGdzA3m0FMuvsrOJ40e1QLAmwsuKJHx
PppU4sX0Gum58mQDtqFMw5rgeotHyyiIxqNLDmGqh6xIY6uqvwJeiRxelMF5e3to
zBGEiuqiZPY=
=zRqI
- -----END PGP SIGNATURE-----

- ----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm-ma security update
Advisory ID:       RHSA-2020:4047-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4047
Issue date:        2020-09-29
CVE Names:         CVE-2020-14364
=====================================================================

1. Summary:

An update for qemu-kvm-ma is now available for Red Hat Enterprise Linux 7.7 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server EUS (v. 7.7) - ppc64, ppc64le, s390x
Red Hat Enterprise Linux Server Optional EUS (v. 7.7) - ppc64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-ma packages provide the user-space component for running virtual machines that use KVM on the IBM z Systems, IBM Power, and 64-bit ARM architectures.

Security Fix(es):

* QEMU: usb: out-of-bounds r/w access issue while processing usb packets (CVE-2020-14364)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1869201 - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets

6. Package List:

Red Hat Enterprise Linux Server EUS (v. 7.7):

Source:
qemu-kvm-ma-2.12.0-33.el7_7.4.src.rpm

ppc64:
qemu-img-ma-2.12.0-33.el7_7.4.ppc64.rpm
qemu-kvm-ma-debuginfo-2.12.0-33.el7_7.4.ppc64.rpm

ppc64le:
qemu-img-ma-2.12.0-33.el7_7.4.ppc64le.rpm
qemu-kvm-common-ma-2.12.0-33.el7_7.4.ppc64le.rpm
qemu-kvm-ma-2.12.0-33.el7_7.4.ppc64le.rpm
qemu-kvm-ma-debuginfo-2.12.0-33.el7_7.4.ppc64le.rpm
qemu-kvm-tools-ma-2.12.0-33.el7_7.4.ppc64le.rpm

s390x:
qemu-img-ma-2.12.0-33.el7_7.4.s390x.rpm
qemu-kvm-common-ma-2.12.0-33.el7_7.4.s390x.rpm
qemu-kvm-ma-2.12.0-33.el7_7.4.s390x.rpm
qemu-kvm-ma-debuginfo-2.12.0-33.el7_7.4.s390x.rpm
qemu-kvm-tools-ma-2.12.0-33.el7_7.4.s390x.rpm

Red Hat Enterprise Linux Server Optional EUS (v.
7.7): ppc64: qemu-kvm-common-ma-2.12.0-33.el7_7.4.ppc64.rpm qemu-kvm-ma-2.12.0-33.el7_7.4.ppc64.rpm qemu-kvm-ma-debuginfo-2.12.0-33.el7_7.4.ppc64.rpm qemu-kvm-tools-ma-2.12.0-33.el7_7.4.ppc64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-14364 https://access.redhat.com/security/updates/classification/#important https://bugzilla.redhat.com/show_bug.cgi?id=1869705 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX3L0W9zjgjWX9erEAQhVfg//bxgzPFA7Md+N9wS96YhkNRWEMoDjHP0h fYpPG5Ypr0rL4oJ4lRnugoP18nDx87I7r3EoB6i5b3YR43Eqg8p2Vz03k5OPzuyz WVyi8xwZ51mNxCVkSTSLcPMppjO04EZFx33LHfgI/sjXDLVZExB6fPudpX22Xn35 P6GvxJmEFNuXANHGpRA1t7OUgCaGBIZIMKdzgnvfuNAdkUK7eMYlp/XjesqAwL/l 5S9JtEXGCixOl/RuFl7hlWW/eIXpWbZalvEo1zpo3xYxI+jgHUQDbhsELFpN+4lS MjLF/WzyLVT4AYvjPDN1j7/W9E2YNTVx7mRztpk6NNTQ25o5rX4iEQTuUepTKE8t UrTwvjv8kkd4ltVBUzKyMghkwYs8U3EemzwUsH3xq/iyJkMd18ZSkZdCDpI6RwrT GtBLJ6i01Pq3eh4S83x8OHykXlDYhjns4cki1D3oQee7/iKz8/1sMBESURCcyzh0 U8E636u1D8AuA5qALpgBD3hpNZLNNXE9owx7yc8/s49q4H5Y5cX8yJZSLUzCw/s6 kXOX31Y38pabJoXBWfcRgYMugpkThuoO7El9SB62+lhU4adxYS1x7nv1M0Z9D94s JAI8mBwDC1lZ91Pj2g9RDxoDHhC84SCSBkR2nk+FEbeaVXghKrruzkukaG2bowuP T1pzOvlAxrI= =c4Os - -----END PGP SIGNATURE----- - ----------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Low: qemu-kvm-ma security update Advisory ID: RHSA-2020:3907-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:3907 Issue date: 2020-09-29 CVE Names: CVE-2018-15746 CVE-2019-20382 
=====================================================================

1. Summary:

An update for qemu-kvm-ma is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for
Linux on a variety of architectures. The qemu-kvm-ma packages provide the
user-space component for running virtual machines that use KVM on the IBM z
Systems, IBM Power, and 64-bit ARM architectures.

Security Fix(es):

* QEMU: seccomp: blacklist is not applied to all threads (CVE-2018-15746)

* QEMU: vnc: memory leakage upon disconnect (CVE-2019-20382)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.9 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1615637 - CVE-2018-15746 QEMU: seccomp: blacklist is not applied to all threads
1810390 - CVE-2019-20382 QEMU: vnc: memory leakage upon disconnect

6. Package List:

Red Hat Enterprise Linux Server (v. 7):

Source:
qemu-kvm-ma-2.12.0-48.el7.src.rpm

ppc64:
qemu-img-ma-2.12.0-48.el7.ppc64.rpm
qemu-kvm-ma-debuginfo-2.12.0-48.el7.ppc64.rpm

ppc64le:
qemu-img-ma-2.12.0-48.el7.ppc64le.rpm
qemu-kvm-common-ma-2.12.0-48.el7.ppc64le.rpm
qemu-kvm-ma-2.12.0-48.el7.ppc64le.rpm
qemu-kvm-ma-debuginfo-2.12.0-48.el7.ppc64le.rpm
qemu-kvm-tools-ma-2.12.0-48.el7.ppc64le.rpm

s390x:
qemu-img-ma-2.12.0-48.el7.s390x.rpm
qemu-kvm-common-ma-2.12.0-48.el7.s390x.rpm
qemu-kvm-ma-2.12.0-48.el7.s390x.rpm
qemu-kvm-ma-debuginfo-2.12.0-48.el7.s390x.rpm
qemu-kvm-tools-ma-2.12.0-48.el7.s390x.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
qemu-kvm-common-ma-2.12.0-48.el7.ppc64.rpm
qemu-kvm-ma-2.12.0-48.el7.ppc64.rpm
qemu-kvm-ma-debuginfo-2.12.0-48.el7.ppc64.rpm
qemu-kvm-tools-ma-2.12.0-48.el7.ppc64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-15746
https://access.redhat.com/security/cve/CVE-2019-20382
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3OjBdzjgjWX9erEAQj6gQ//SEWVHOdjJhjXKnCkeWEucrMHwwCkWRmI
jHsSo2DoriKwmbAsUzBTT2OJq4gAHCp0gCk15ndqLFQgPT3mQ/JTscg1r8TOFu8C
1hXOXJphxZAQKvSxbfdQ2GreCkrMGTD7PnUmnk/23OfEfg+z2GIT6e/unsLvWhzi
B4+CmXOCU4DvjImrkgPJQUqaYmvA4zH+Exoi30M0oM1Wm8Pc+V8bV0awFPyP/K2B
+cStKzK4AwGsKB00kSz3kkLX7Q6AztHfD/39W+pI77rok3iKG933tkogoo+485Qc
LN0GLLJMnu/bwXw6y44in67TuHC8uX0azOHLyBKBe2S0LEmO72fWq8zj8wQix3wi
wBI/dooFzlrmlrZI+ftZGqoeigcd3VDaGu4ji5yo6a+2UuvawrAfdwha1vt16zaK
Vy2Uqnfh+Kfc1bwqbG7aeDcFXAHUVJZLfQ69Pzp6ufsqlrTKi7KZAzx2u/QL+e/w
aWuF1krI/rr07F3p7vewiL443FGAL9BcCFcGF8G42saovcwozn3Z1bQTU5+MJeRw
M4lPJeyvbRbKUld7e/N9igzGr4wk3rdALKWo2JjwYrYvcPWd2AVEancY9gtnrnj5
x9GGq8oZMPd6WSnjnNxjpnPYwHrT3d61QslkghNBDoHmxb5rrTdyVzVW3guVYNaE
y0GKn5Ljxig=
=L1l0
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX3PBIuNLKJtyKPYoAQj6zRAAhTyrvGO1L16MvC3IfH/oavV91xHy9S4X
qTUI/gEfrxsMV67va/WJ8QjP4cSHfXR7vdr+SrdXKTu4nJrJ2eaBBkP0U5HhSisC
wd0ecK+KI0/bTdaIQv1WzW0K3VjvZzIxji34ZNp/ayKbE5mkUcGP6v4L5COSLICA
9lv2axPV0NiZniVRKw+Bvh7CTi2uZEaYW0eKeriGwZd4Jk6W8ve2eJiSxkahak9o
nqozjY7XG9MD+HgYfH9SKzXyqYWOEGzqvRyUIGp2A2/zwxaOWtHiJm2inrFY/JxY
DtoJQQ2AiVxtty5h5E+FyWlknVpOF81uCqCt0Izxe3A4n9wyCDSGHc6KF4MPZFan
SzY4aKEg1p6pSJLRPC3/ssaDR+1nC+Tz0d2OxcCk78C45gfB1E/zvfm99W+NbTT4
PPl5tar1+LYl2V6sfqAxalTI4Nrwc0TMMx5bqdqZZpdnQGQOryKcpuugqiP5m7HL
rI/l+iDO1p54Fl8lWnh+xxTWJb5aV5ADbsAuOXKNnyP08F3s+6LzhrByIjUAnhwc
UwnNThT3Hl+n7ucBYliujguXS/Yw5NOIp8J+RevHXPmUS4EKXNnHpCqb7YNr2X19
cnkd/lbVB8qyKBxXkvym6L36LeCXWZfnX0GRCScUyA42BYbyQhwB3OicMwGooEiZ
VfARdEFkdYM=
=XWYn
-----END PGP SIGNATURE-----
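The Solution section of every advisory in this bulletin makes two demands: install the fixed build, and then shut every running virtual machine down and start it again, because a qemu process that was already running keeps executing the old, unpatched binary mapped in its address space. The script below is an added example for checking both conditions; it is not part of the AusCERT bulletin or of Red Hat's tooling. It re-implements rpm's segment-by-segment version comparison (the rpmvercmp algorithm, tilde handled, caret not) so it runs without librpm, takes the fixed package names and version-release strings from RHSA-2020:4047 and RHSA-2020:3907 above, and flags qemu processes whose /proc/<pid>/exe link still carries the kernel's " (deleted)" suffix, which is what a replaced executable looks like to a process that has not restarted. The `rpm -qa` lines and the process table in the block are constructed sample data, not output from a real host.

```python
"""Post-update checks for the qemu-kvm-ma advisories: is every package named in
the advisory at or above the fixed build, and does any qemu process still run
the pre-update binary? Added example, not Red Hat's or AusCERT's code.
rpm_vercmp() is a re-implementation of rpm's rpmvercmp algorithm ('~' sorts
before end-of-string as in rpm; the '^' separator is not handled)."""
import os
import re
import string

_ALNUM = set(string.ascii_letters + string.digits)
_DIGITS = re.compile(r"[0-9]+")
_ALPHAS = re.compile(r"[A-Za-z]+")


def rpm_vercmp(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b, comparing segment by segment."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (anything that is neither alphanumeric nor '~') are skipped
        while i < len(a) and a[i] not in _ALNUM and a[i] != "~":
            i += 1
        while j < len(b) and b[j] not in _ALNUM and b[j] != "~":
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:                      # 1.0~rc1 < 1.0: tilde loses to anything
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pat = _DIGITS if isnum else _ALPHAS
        ma, mb = pat.match(a, i), pat.match(b, j)
        sa, i = ma.group(0), ma.end()
        if mb is None:                    # segment types differ: numeric is newer
            return 1 if isnum else -1
        sb, j = mb.group(0), mb.end()
        if isnum:                         # numeric: longer (after zero-strip) wins
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1       # whichever has segments left is newer


def parse_nvra(pkg):
    """'qemu-kvm-ma-2.12.0-33.el7_7.4.ppc64le[.rpm]' -> (name, version, release, arch)."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    nvr, _, arch = pkg.rpartition(".")
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


# Package names and V-R strings copied from the advisories above; one arch per
# name is enough because every package in an advisory carries the same V-R.
FIXED_BY_ADVISORY = {
    "RHSA-2020:4047": ["%s-2.12.0-33.el7_7.4.ppc64le.rpm" % n for n in (
        "qemu-kvm-ma", "qemu-kvm-common-ma", "qemu-kvm-tools-ma",
        "qemu-img-ma", "qemu-kvm-ma-debuginfo")],
    "RHSA-2020:3907": ["%s-2.12.0-48.el7.ppc64le.rpm" % n for n in (
        "qemu-kvm-ma", "qemu-kvm-common-ma", "qemu-kvm-tools-ma",
        "qemu-img-ma", "qemu-kvm-ma-debuginfo")],
}


def check_installed(rpm_qa_lines, advisory):
    """Given `rpm -qa` output lines, return [(name, installed_vr, fixed_vr)] for
    every package from the advisory that is still below the fixed build.
    Epoch is not in rpm -qa output or the advisory list; it is constant within
    one package name, so comparing version then release is sufficient."""
    fixed = {}
    for pkg in FIXED_BY_ADVISORY[advisory]:
        name, ver, rel, _ = parse_nvra(pkg)
        fixed[name] = (ver, rel)
    below = []
    for line in rpm_qa_lines:
        line = line.strip()
        if not line:
            continue
        name, ver, rel, _ = parse_nvra(line)
        if name in fixed:
            fver, frel = fixed[name]
            if (rpm_vercmp(ver, fver) or rpm_vercmp(rel, frel)) < 0:
                below.append((name, ver + "-" + rel, fver + "-" + frel))
    return below


def stale_qemu_processes(exe_links):
    """exe_links: {pid: os.readlink('/proc/<pid>/exe')}. A guest whose binary
    was replaced on disk keeps the old inode mapped; the kernel reports that as
    '... (deleted)'. Those guests must be shut down and started again."""
    return sorted(pid for pid, target in exe_links.items()
                  if os.path.basename(target).startswith("qemu")
                  and target.endswith(" (deleted)"))


def live_exe_links():
    """Collect /proc/<pid>/exe targets on the host being checked (Linux only)."""
    links = {}
    for pid in os.listdir("/proc"):
        if pid.isdigit():
            try:
                links[int(pid)] = os.readlink("/proc/%s/exe" % pid)
            except OSError:   # kernel threads, or processes we may not inspect
                pass
    return links


# Constructed sample (not real host output): an EUS 7.7 ppc64le host where
# one package is still a release behind and one guest was never restarted.
SAMPLE_RPM_QA = """
qemu-kvm-ma-2.12.0-33.el7_7.4.ppc64le
qemu-kvm-common-ma-2.12.0-33.el7_7.4.ppc64le
qemu-img-ma-2.12.0-33.el7_7.3.ppc64le
unrelated-package-1.0-1.el7.ppc64le
""".splitlines()
SAMPLE_EXE_LINKS = {1: "/usr/lib/systemd/systemd",
                    4242: "/usr/libexec/qemu-kvm (deleted)",
                    4300: "/usr/libexec/qemu-kvm",
                    5120: "/usr/sbin/libvirtd"}

if __name__ == "__main__":
    for name, have, want in check_installed(SAMPLE_RPM_QA, "RHSA-2020:4047"):
        print("%s is %s; fixed in %s" % (name, have, want))
    for pid in stale_qemu_processes(SAMPLE_EXE_LINKS):
        print("pid %d still runs the pre-update qemu binary; restart that guest" % pid)
```

On a real host, feed check_installed() the lines of `rpm -qa 'qemu-*'` for the advisory that matches the host's stream (RHSA-2020:3907 for RHEL 7 base, RHSA-2020:4047 for 7.7 EUS; the streams carry different release strings and must not be compared against each other), and pass live_exe_links() to stale_qemu_processes(). Verify the downloaded packages' signatures with `rpm -K` against the Red Hat key referenced in each advisory before installing them.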