-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3344
                        qemu-kvm-ma security update
                             30 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           qemu-kvm-ma
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14364 CVE-2019-20382 CVE-2018-15746

Reference:         ESB-2020.3189
                   ESB-2020.3048
                   ESB-2020.2899
                   ESB-2020.2656
                   ESB-2019.3067
                   ESB-2018.3883

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:4078
   https://access.redhat.com/errata/RHSA-2020:4055
   https://access.redhat.com/errata/RHSA-2020:4054
   https://access.redhat.com/errata/RHSA-2020:4053
   https://access.redhat.com/errata/RHSA-2020:4052
   https://access.redhat.com/errata/RHSA-2020:4051
   https://access.redhat.com/errata/RHSA-2020:4050
   https://access.redhat.com/errata/RHSA-2020:4048
   https://access.redhat.com/errata/RHSA-2020:4047
   https://access.redhat.com/errata/RHSA-2020:3907
   https://access.redhat.com/errata/RHSA-2020:3906

Comment: This bulletin contains eleven (11) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm-ma security update
Advisory ID:       RHSA-2020:4078-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4078
Issue date:        2020-09-29
CVE Names:         CVE-2020-14364 
=====================================================================

1. Summary:

An update for qemu-kvm-ma is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for
Linux on a variety of architectures. The qemu-kvm-ma packages provide the
user-space component for running virtual machines that use KVM on the IBM z
Systems, IBM Power, and 64-bit ARM architectures.

Security Fix(es):

* QEMU: usb: out-of-bounds r/w access issue while processing usb packets
(CVE-2020-14364)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1869201 - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets

6. Package List:

Red Hat Enterprise Linux Server (v. 7):

Source:
qemu-kvm-ma-2.12.0-48.el7_9.1.src.rpm

ppc64:
qemu-img-ma-2.12.0-48.el7_9.1.ppc64.rpm
qemu-kvm-ma-debuginfo-2.12.0-48.el7_9.1.ppc64.rpm

ppc64le:
qemu-img-ma-2.12.0-48.el7_9.1.ppc64le.rpm
qemu-kvm-common-ma-2.12.0-48.el7_9.1.ppc64le.rpm
qemu-kvm-ma-2.12.0-48.el7_9.1.ppc64le.rpm
qemu-kvm-ma-debuginfo-2.12.0-48.el7_9.1.ppc64le.rpm
qemu-kvm-tools-ma-2.12.0-48.el7_9.1.ppc64le.rpm

s390x:
qemu-img-ma-2.12.0-48.el7_9.1.s390x.rpm
qemu-kvm-common-ma-2.12.0-48.el7_9.1.s390x.rpm
qemu-kvm-ma-2.12.0-48.el7_9.1.s390x.rpm
qemu-kvm-ma-debuginfo-2.12.0-48.el7_9.1.s390x.rpm
qemu-kvm-tools-ma-2.12.0-48.el7_9.1.s390x.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
qemu-kvm-common-ma-2.12.0-48.el7_9.1.ppc64.rpm
qemu-kvm-ma-2.12.0-48.el7_9.1.ppc64.rpm
qemu-kvm-ma-debuginfo-2.12.0-48.el7_9.1.ppc64.rpm
qemu-kvm-tools-ma-2.12.0-48.el7_9.1.ppc64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14364
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3OyM9zjgjWX9erEAQhq2g//SbOVBkolkAk3NR0OIEIlAipRI7Bk4PvL
CgRuOvp5AJYlS5mSF3BKhDCZVucJ6zCrlXnO9eDt7bcN+14YxVXjYjZcGI2Gv0d7
G9WggQG1Lt5OLE36rIhMz7SMrZEzu0g5gBGFGK93LL1rs5snWHEGG3g86iMqMIic
IW+mLL9z0tVkow0lfsPbQs05nldkEA9nDWFdVV3ozj42r86VpGKBr1QdyGQv+sXA
1S2umdiI8FMVlD4YupBR0jRCP3EUnTZbTUjF20zBgBHxdZ3PVqr8obEXEaEAZ6Wv
kuyDldkoMRcT2itPL1oAKNeufbcf+eXhczwBPKO+3vn7lmNRSdasX9PLfkRSmJuw
sDIAtPBJCBDXiUWWcvpzsmhfUimp4zXOPLbAKOd8P9N1BC29fGGj4EH1N46CeduP
pE4aHXJTsebmkhClDlBU7v4OrpPy2195bQelMnty7xyV+GLRSRFDLDoi8YochlYP
islUyjLObWixg26XCOz7NtcCBCQbqiroWmcVecNxsy6cask9b757l0vKSnDRPrO4
1glsFgmIyVRVAGxWx/KpKBAwdocyc4plgnPusvxnZXnoVo0CZ7I+l6+0e/7gof/4
HTBp2lPz/1hHKVmnIvoBFOGPegDFPToYLjQYE5QUPX9pyHu1dNC6fdvOyUEd5qcy
I7HiS1F7Clo=
=htH1
- -----END PGP SIGNATURE-----

- -----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm security update
Advisory ID:       RHSA-2020:4055-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4055
Issue date:        2020-09-29
CVE Names:         CVE-2020-14364 
=====================================================================

1. Summary:

An update for qemu-kvm is now available for Red Hat Enterprise Linux 6.6
Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 6.6) - x86_64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for
Linux on a variety of architectures. The qemu-kvm packages provide the
user-space component for running virtual machines that use KVM.

Security Fix(es):

* QEMU: usb: out-of-bounds r/w access issue while processing usb packets
(CVE-2020-14364)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1869201 - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 6.6):

Source:
qemu-kvm-0.12.1.2-2.448.el6_6.9.src.rpm

x86_64:
qemu-guest-agent-0.12.1.2-2.448.el6_6.9.x86_64.rpm
qemu-img-0.12.1.2-2.448.el6_6.9.x86_64.rpm
qemu-kvm-0.12.1.2-2.448.el6_6.9.x86_64.rpm
qemu-kvm-debuginfo-0.12.1.2-2.448.el6_6.9.x86_64.rpm
qemu-kvm-tools-0.12.1.2-2.448.el6_6.9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14364
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3LwHtzjgjWX9erEAQhVOw//V/e+d+KcgfT1OL0YV9WEEF9lPckL1AJZ
pBa46SokohaZykjy4VcIUEwgo1kTZgcbqsndsz4taT5MtknGolssfCyw0gx8a08r
6cwnFV8aKMyVDQx0WJDrgLXz1x36LrhDj+RY//CDKApFd4RYBzS4TMPbmWfYf+hH
m/VZaOm8c8imyWkKIDLXHjVTLNCc6qG0KbyOjbngeGMPgELQ4QQ0wFZVZAz5hRhr
KjW3GYuadPfGBWPamjyUzfNKITZ5QOiRm8vAJivN5KOnJLFWRNjyneht7uSX+PA1
ZFZfjInGsf28dlvQWsUCLcOC3wrjcOYtDDlOn2yO4IOLxiVQi0AbDMnMgNQy+009
cq959yfzHR1VRjJqytTbQDMYS7c/y1jtfu50Qgo6V9YeejREMgiMCRVW2aw+0ihF
nnZToCJRUtRMDSHVIW12V39zpYUqzSmepf+Kh9Wbkl84zmsoXJzUwTyXTdMB+C3I
PUIKZOpdHsGYpnQY4YjgNwuJpi71jxGGubZQzheIK90A/p+OR3ztg7GrBL8PTarV
RWNpBldsS+x7rJ0rNEtsVuvfS+S3dxIGKrUOnOf34Hu12EAjEBGHFPBWKOFP2VcN
XTXVse+OjV8HA26oUQMcpTcFMx8bC4OwaXxaTfbkfIAM7TY+XcP0NrCBbdDYfAJb
Z57ISWcjRlo=
=sHqz
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm security update
Advisory ID:       RHSA-2020:4054-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4054
Issue date:        2020-09-29
CVE Names:         CVE-2020-14364 
=====================================================================

1. Summary:

An update for qemu-kvm is now available for Red Hat Enterprise Linux 6.5
Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 6.5) - x86_64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for
Linux on a variety of architectures. The qemu-kvm packages provide the
user-space component for running virtual machines that use KVM.

Security Fix(es):

* QEMU: usb: out-of-bounds r/w access issue while processing usb packets
(CVE-2020-14364)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1869201 - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 6.5):

Source:
qemu-kvm-0.12.1.2-2.415.el6_5.21.src.rpm

x86_64:
qemu-guest-agent-0.12.1.2-2.415.el6_5.21.x86_64.rpm
qemu-img-0.12.1.2-2.415.el6_5.21.x86_64.rpm
qemu-kvm-0.12.1.2-2.415.el6_5.21.x86_64.rpm
qemu-kvm-debuginfo-0.12.1.2-2.415.el6_5.21.x86_64.rpm
qemu-kvm-tools-0.12.1.2-2.415.el6_5.21.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14364
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3Lv5tzjgjWX9erEAQiYwhAApngzGEkX6Nc/ULx2fIWNJ7e0RQbEZsop
b3kfQ7owBbSl+QRN/zR4Z/ztBi5UygrauxcHtHEeVVuCZ2ILIVu7TePF3ypvRMKa
Wf/U/cizbUtbsUOybzdJKU+HAYuKTwmQ/4ywP0ER6jLOr0uxTp6tkQtPIW4H46hp
jKfyDtJEI55JAII3g4YUuoanwSNA4L9iwLmZx2jfsJ1FGPmeXDRmkLyGtvndcsyk
iEgvAqQQPe5w88Ptx3pohIi6Df7fWsfIhIP1LQE31dAjNc+mbl0RQ0cFpHlcE/5F
qGcGr2BMBdeHQVNOEG6Img19qckFklym21YHPNp68z2WOkHqV5tfzX/9uGHgIC1D
z86SlPt7PDwJ5cl6vQ2i4cI8wk3ojpkt/sAkTltGymSMtNC+3q/3J0Jwj6yqoBXT
g++SXnO3AeAZQlr2XxRfkvsGu066g2XnWV7lXWnZM3/KdfOZzt34bd1OOxMTtpqo
91QpqW2QOwJBwkreCyqZ/SnvcESCknhBoctFQzI367tx+/nm2LjRArn0xFZsFP1+
P7zM5yzGMHcMwYq0OT4tGBKsqecLCZnxGUnouPDz4sEFUSQPGYrag/Y5vKJx3Xcg
b4jJXtZ/Yebl+PBCqheK2fm6hW4FxcPeqEOsJcJyhxWHuQN2BVjzlQY0MjSilD54
nAFaGLRrvQM=
=S1gF
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- ----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm security update
Advisory ID:       RHSA-2020:4053-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4053
Issue date:        2020-09-29
CVE Names:         CVE-2020-14364 
=====================================================================

1. Summary:

An update for qemu-kvm is now available for Red Hat Enterprise Linux 7.7
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.7) - x86_64
Red Hat Enterprise Linux Server EUS (v. 7.7) - x86_64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for
Linux on a variety of architectures. The qemu-kvm packages provide the
user-space component for running virtual machines that use KVM.

Security Fix(es):

* QEMU: usb: out-of-bounds r/w access issue while processing usb packets
(CVE-2020-14364)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1869201 - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets

6. Package List:

Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.7):

Source:
qemu-kvm-1.5.3-167.el7_7.7.src.rpm

x86_64:
qemu-img-1.5.3-167.el7_7.7.x86_64.rpm
qemu-kvm-1.5.3-167.el7_7.7.x86_64.rpm
qemu-kvm-common-1.5.3-167.el7_7.7.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-167.el7_7.7.x86_64.rpm
qemu-kvm-tools-1.5.3-167.el7_7.7.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 7.7):

Source:
qemu-kvm-1.5.3-167.el7_7.7.src.rpm

x86_64:
qemu-img-1.5.3-167.el7_7.7.x86_64.rpm
qemu-kvm-1.5.3-167.el7_7.7.x86_64.rpm
qemu-kvm-common-1.5.3-167.el7_7.7.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-167.el7_7.7.x86_64.rpm
qemu-kvm-tools-1.5.3-167.el7_7.7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14364
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3NTCtzjgjWX9erEAQht1A//YHMvIDMzSbQDMN+dImOj7rS4x/HF5sKx
fuN+3rZvuNMyLeL6tz9mygsA2GbfdlcL6PQSqrttzfS5DIflOrxvD3Y8SK8aJDxI
IALeONd5U6p1xnLEBWk6cKvkcZvNjzpmee3P431vRKUiPyGjUruvr91FbMTewncM
4+Lu1GIN8PDpQ+zMFqBKfNgbuH5oYRfDgu8K684BvANBDznRjDEDQRsNhHhWMa9+
gNp57gW7+5oEi9l5Wv+KciCyvcO8dKke6lUon9+f8Q/F+sifpwozbiMVVMvheljg
LdLBH7geKFjIxcQ+mMVNJ7RPM+ExsfqdudSse9aswJo78rSSEgRxWWb1ZIpn0svG
QsRLL1LXacHmboiyzkWQ/tWO9mKR7GJkvyOGYNDX9CV1jD7S3j9IVgNhRqM3sIXP
U75tnlRTzY0DpZD+AqS/bJwc967KTskVER2MPsXKWQH/AuqD8xINVpQC9rCg83R1
FdJVHOvSJj9k3Kz13p4p9VSLsmjIh9V4iVDRZii6fvmoShPB2FBYUQh/bd0JdC30
WWC/xa99A0vMhov+eUW6vTiTmzPN8ffAXOHKePPW6skvlnXTmHsbOyOJO2uH6t7T
fHxpIA9GJ06CDRVi1wWOq/ITW3iU7QyFG2LYwzMw8ZWREOAxqbe9gjzr9ekKzh2u
0XaWT0AvKqU=
=a02r
- -----END PGP SIGNATURE-----

- -----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm security update
Advisory ID:       RHSA-2020:4052-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4052
Issue date:        2020-09-29
CVE Names:         CVE-2020-14364 
=====================================================================

1. Summary:

An update for qemu-kvm is now available for Red Hat Enterprise Linux 7.6
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.6) - x86_64
Red Hat Enterprise Linux Server EUS (v. 7.6) - x86_64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for
Linux on a variety of architectures. The qemu-kvm packages provide the
user-space component for running virtual machines that use KVM.

Security Fix(es):

* QEMU: usb: out-of-bounds r/w access issue while processing usb packets
(CVE-2020-14364)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1869201 - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets

6. Package List:

Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.6):

Source:
qemu-kvm-1.5.3-160.el7_6.8.src.rpm

x86_64:
qemu-img-1.5.3-160.el7_6.8.x86_64.rpm
qemu-kvm-1.5.3-160.el7_6.8.x86_64.rpm
qemu-kvm-common-1.5.3-160.el7_6.8.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-160.el7_6.8.x86_64.rpm
qemu-kvm-tools-1.5.3-160.el7_6.8.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 7.6):

Source:
qemu-kvm-1.5.3-160.el7_6.8.src.rpm

x86_64:
qemu-img-1.5.3-160.el7_6.8.x86_64.rpm
qemu-kvm-1.5.3-160.el7_6.8.x86_64.rpm
qemu-kvm-common-1.5.3-160.el7_6.8.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-160.el7_6.8.x86_64.rpm
qemu-kvm-tools-1.5.3-160.el7_6.8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14364
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3NRZtzjgjWX9erEAQjmIg//UH7HeBSkE96gdYB8FEAJONFvw2PonCjH
oxk4qJVUI+XA6IgxFVqFC7pPaTUGtUyHMdOVQBCkb0SuPw6DFAT84VAcX8vfykPW
CTC2bo/VIvdQqwpNrJQQL4ZN49WI6HhrTJP+bzMleg32Dp1myqBi32dBtJBKAwwH
k3x9Z4qU4L1IQQ2GURY+wu2sEyA93T9qhtGETvO/TQZ1I9iz5JfEca1edxs58EHx
BIWJXtAL5C2/QdS5tC/XY7HpUdlOGuCgtwqFNwkgtOIwEwX1SpFTAqzu9d4bqo0M
kdpnfRGu+OvTJ3AJjUjx8HiRZNYgNVp98ZkucYj/WLzTdP2rnkbBIu4Vv1AbID9U
mIIaAwZsTh/CFdVekbMr/xBHgJtTQ/S9FZYP2K34VG1xBCtmFGxgJO5wScKhoLdx
tk2mrAH86b6Ncs2Is2uvkZbs9nXALmvX0aK2zzC4r7922MugePfcGHlIifY+92uf
Bpd2Nn9mLAIZyMDKd3xJN0SGTG55NHH2d0TXbz/Yu0SEu9Ie4D76mvaahGPA0fo4
6zImpdOiQSZgkb9DINfmxakUjcvRWre+6gNPZJS/YuirShyA89Ei7mOGfHirCiiB
pb64+OdEfj0J64tN15eIJMY8paebu4Mrdf3BfKgRxnGiFV/8YnP0h1kyxvSbyjix
xr5nNmktosI=
=dTBV
- -----END PGP SIGNATURE-----

- ----------------------------------------------------------------------------

- ----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm security update
Advisory ID:       RHSA-2020:4051-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4051
Issue date:        2020-09-29
CVE Names:         CVE-2020-14364 
=====================================================================

1. Summary:

An update for qemu-kvm is now available for Red Hat Enterprise Linux 7.4
Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended Update
Support, and Red Hat Enterprise Linux 7.4 Update Services for SAP
Solutions.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.4) - x86_64
Red Hat Enterprise Linux Server E4S (v. 7.4) - ppc64le, x86_64
Red Hat Enterprise Linux Server TUS (v. 7.4) - x86_64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for
Linux on a variety of architectures. The qemu-kvm packages provide the
user-space component for running virtual machines that use KVM.

Security Fix(es):

* QEMU: usb: out-of-bounds r/w access issue while processing usb packets
(CVE-2020-14364)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1869201 - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.4):

Source:
qemu-kvm-1.5.3-141.el7_4.11.src.rpm

x86_64:
qemu-img-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-common-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-tools-1.5.3-141.el7_4.11.x86_64.rpm

Red Hat Enterprise Linux Server E4S (v. 7.4):

Source:
qemu-kvm-1.5.3-141.el7_4.11.src.rpm

ppc64le:
qemu-img-1.5.3-141.el7_4.11.ppc64le.rpm
qemu-kvm-debuginfo-1.5.3-141.el7_4.11.ppc64le.rpm

x86_64:
qemu-img-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-common-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-tools-1.5.3-141.el7_4.11.x86_64.rpm

Red Hat Enterprise Linux Server TUS (v. 7.4):

Source:
qemu-kvm-1.5.3-141.el7_4.11.src.rpm

x86_64:
qemu-img-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-common-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-141.el7_4.11.x86_64.rpm
qemu-kvm-tools-1.5.3-141.el7_4.11.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14364
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3L0H9zjgjWX9erEAQii3g/8Duqw0GvoFshzbPRUCeoR7lE9hgKnskXL
EpM49d9SkJonxLYXgQJqlzeETsbonCFKe5RqxiFJWLWn/PguYL4TPxlLzEh93vaU
SyM68LaST1dceUTtYpyiYpLfznSMTORgNNmwQ0OK6rNaL7gSBBidSn3Njd3dFdOZ
ckgpXxFg4lP3uaxp+DspxKgDK/2Nhtnky9T7VJokriqC/6FJ5DPXMG0U0wyHe1Pn
5OGKYirbr0p4YGSTjn/pB1SiDfPWF3cslMkjbjELTwFSVUe1xEtB65GeOvUhexag
1sTclW+eyKb0yuGT6l12o00xt+lu/osmmOOUZsqbro29zXc4JxS4fujcv1658MqI
L4CGA/k7EYdSocHw4K+YjnWqFs1fEyMA94XGFvVyg4aXaXZaUjrYMJaUnrhaOToT
QqPokWT8El4K48n9BvWOvcli09P3asOgAttxH4tFy5dY6sk4LaZJ7/WC8ujqMhxP
2clYn/CA21BIw0nxE7MHH2zOSmWQrxvGbuH4Jc0nHhW8iAuyDOzay+EUhCxlEzb+
2ZriDS+1kdHOglIGh+8WNgTDKHVCr+Pg5U96KXciohHPiMp0axcRy9jIL1qIBa9j
62yw7qRfhyGJxQenlwOa1i0/XpIDhuhc8C/2liZr0ROIfeqj3DGaR6D6F5fOySNx
KAU17fSSnEE=
=cgUg
- -----END PGP SIGNATURE-----

- -----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm security update
Advisory ID:       RHSA-2020:4050-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4050
Issue date:        2020-09-29
CVE Names:         CVE-2020-14364 
=====================================================================

1. Summary:

An update for qemu-kvm is now available for Red Hat Enterprise Linux 7.3
Advanced Update Support, Red Hat Enterprise Linux 7.3 Telco Extended Update
Support, and Red Hat Enterprise Linux 7.3 Update Services for SAP
Solutions.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.3) - x86_64
Red Hat Enterprise Linux Server E4S (v. 7.3) - ppc64le, x86_64
Red Hat Enterprise Linux Server TUS (v. 7.3) - x86_64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for
Linux on a variety of architectures. The qemu-kvm packages provide the
user-space component for running virtual machines that use KVM.

Security Fix(es):

* QEMU: usb: out-of-bounds r/w access issue while processing usb packets
(CVE-2020-14364)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1869201 - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.3):

Source:
qemu-kvm-1.5.3-126.el7_3.18.src.rpm

x86_64:
qemu-img-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-common-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-tools-1.5.3-126.el7_3.18.x86_64.rpm

Red Hat Enterprise Linux Server E4S (v. 7.3):

Source:
qemu-kvm-1.5.3-126.el7_3.18.src.rpm

ppc64le:
qemu-img-1.5.3-126.el7_3.18.ppc64le.rpm
qemu-kvm-debuginfo-1.5.3-126.el7_3.18.ppc64le.rpm

x86_64:
qemu-img-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-common-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-tools-1.5.3-126.el7_3.18.x86_64.rpm

Red Hat Enterprise Linux Server TUS (v. 7.3):

Source:
qemu-kvm-1.5.3-126.el7_3.18.src.rpm

x86_64:
qemu-img-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-common-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-126.el7_3.18.x86_64.rpm
qemu-kvm-tools-1.5.3-126.el7_3.18.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14364
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3Lz4tzjgjWX9erEAQiB9g/+LKFFACk/H/QjeLlGl7O5PvGVXUOMUIWr
+ygKqPvvrQWebUUnw2lKZlmqotSDoYZGANltEGCpn9/2FZPl+Iiva9ZZCJPY0xit
R1xghoCE/x+iUhK6aGSdcUjom3nRgzlL7lWUckgVJGLB7hvbTkkh38rSctuivnJv
t7ujt5wo7W4DRl5ixX2UFFiFT0FCOmXzFTEWcWg+6f5xkd8dtn/fXjJzS0T42/eG
qhFK8Z74OQK/P+ochQ3wmF8Lqbf8jCVNl+ImIl9Ya0RvisNwH22DyvHiV4T6iY/Q
fjtXql3AuGJ8/xQ8pRdAtbFStWB5NeF7ost6nk/VEulFn58lynr4auxKdcW9xGJZ
hWZZkKeaWpprBr7HOZFNYJ74oDDsQf+l6cnTOxCO/9MXebQUc85g/A9/L1dHtP2h
CioR2NU+rMej2X7uQxDCtEdcm5zHb2rRC/GXGnQOhP4tSfs5OJWth1Clio2sjTLQ
hGGO5LBA5Z5nM+C2fJ6aZIctA8t+vckLp0tAfO/r9HDv3EL3UtLco5qI87K4eEa6
HAr3MwhQe6Sl7sVmSP9j2TCvSpAUe+AskgVxSvZXXjgA8KiThVycEn+8E72iNz6Q
s6SbX/K2FdhTtw4finnZNSYzRjuNWLQQ6LK67HhOGPMi3k9QJMYP3TMYIZ6BbzQv
vZ4QbVk89PM=
=wdu3
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm security update
Advisory ID:       RHSA-2020:4048-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4048
Issue date:        2020-09-29
CVE Names:         CVE-2020-14364 
=====================================================================

1. Summary:

An update for qemu-kvm is now available for Red Hat Enterprise Linux 7.2
Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.2) - x86_64
Red Hat Enterprise Linux Server Optional AUS (v. 7.2) - x86_64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for
Linux on a variety of architectures. The qemu-kvm packages provide the
user-space component for running virtual machines that use KVM.

Security Fix(es):

* QEMU: usb: out-of-bounds r/w access issue while processing usb packets
(CVE-2020-14364)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1869201 - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.2):

Source:
qemu-kvm-1.5.3-105.el7_2.20.src.rpm

x86_64:
libcacard-1.5.3-105.el7_2.20.i686.rpm
libcacard-1.5.3-105.el7_2.20.x86_64.rpm
qemu-img-1.5.3-105.el7_2.20.x86_64.rpm
qemu-kvm-1.5.3-105.el7_2.20.x86_64.rpm
qemu-kvm-common-1.5.3-105.el7_2.20.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-105.el7_2.20.i686.rpm
qemu-kvm-debuginfo-1.5.3-105.el7_2.20.x86_64.rpm
qemu-kvm-tools-1.5.3-105.el7_2.20.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 7.2):

x86_64:
libcacard-devel-1.5.3-105.el7_2.20.i686.rpm
libcacard-devel-1.5.3-105.el7_2.20.x86_64.rpm
libcacard-tools-1.5.3-105.el7_2.20.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-105.el7_2.20.i686.rpm
qemu-kvm-debuginfo-1.5.3-105.el7_2.20.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14364
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3LwONzjgjWX9erEAQj5nw//bynalGVu9Q6YyEO1apXvldBrm9WEzHKH
Eecz72gCiPX2M1oFjpJjZgxhLmkSRk86B8SQEYxeAHFwBUgil5sys/EI/nKti91K
sNJm9oxNahN4m3GqRvtA0KbeeNfGnZxW2XYr7QzrgbE+eTP2UXzJyjJ7u2zGVij4
Lt/tpBQ1VUVMONeZhKSTiXGcxd8mquSURjt1a3q4yZRcSheyvO5JFJSlzbcpNKo2
nGc00UDPycnM1+4ptPDc3A5/IyT0Pm6de/rK0dbTitdkS1TT6ff360OmaRqc58j+
ThHdW7cKxkLrmFKkaEDPfO4GMCJ3Ya7B84H280iZbGXuQdXh5rIrBgBxJYkU7qH/
4JYWhdYnYW8Bh7I0awkhhQ2qWtW82B75rCZYQ0K+pVG/5/ULG/i4VtR129AjTN3S
uz4FYYdami0eRYF2NhSe83LuwuOQFosrREKCxfUBAc84zdzi5YrdtVDIbLYAMeEE
puQHLMVmlc/cLrixOkPvl/ibI3t9KogKb+GwC3+R81Hi2zSLRI1UlC2wBEB29Q9/
1LhGddh+YsmpN8/O2fPvlNqlPS7xR4B64ZGdzA3m0FMuvsrOJ40e1QLAmwsuKJHx
PppU4sX0Gum58mQDtqFMw5rgeotHyyiIxqNLDmGqh6xIY6uqvwJeiRxelMF5e3to
zBGEiuqiZPY=
=zRqI
- -----END PGP SIGNATURE-----

- ----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm-ma security update
Advisory ID:       RHSA-2020:4047-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4047
Issue date:        2020-09-29
CVE Names:         CVE-2020-14364 
=====================================================================

1. Summary:

An update for qemu-kvm-ma is now available for Red Hat Enterprise Linux 7.7
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server EUS (v. 7.7) - ppc64, ppc64le, s390x
Red Hat Enterprise Linux Server Optional EUS (v. 7.7) - ppc64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for
Linux on a variety of architectures. The qemu-kvm-ma packages provide the
user-space component for running virtual machines that use KVM on the IBM z
Systems, IBM Power, and 64-bit ARM architectures.

Security Fix(es):

* QEMU: usb: out-of-bounds r/w access issue while processing usb packets
(CVE-2020-14364)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1869201 - CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets

6. Package List:

Red Hat Enterprise Linux Server EUS (v. 7.7):

Source:
qemu-kvm-ma-2.12.0-33.el7_7.4.src.rpm

ppc64:
qemu-img-ma-2.12.0-33.el7_7.4.ppc64.rpm
qemu-kvm-ma-debuginfo-2.12.0-33.el7_7.4.ppc64.rpm

ppc64le:
qemu-img-ma-2.12.0-33.el7_7.4.ppc64le.rpm
qemu-kvm-common-ma-2.12.0-33.el7_7.4.ppc64le.rpm
qemu-kvm-ma-2.12.0-33.el7_7.4.ppc64le.rpm
qemu-kvm-ma-debuginfo-2.12.0-33.el7_7.4.ppc64le.rpm
qemu-kvm-tools-ma-2.12.0-33.el7_7.4.ppc64le.rpm

s390x:
qemu-img-ma-2.12.0-33.el7_7.4.s390x.rpm
qemu-kvm-common-ma-2.12.0-33.el7_7.4.s390x.rpm
qemu-kvm-ma-2.12.0-33.el7_7.4.s390x.rpm
qemu-kvm-ma-debuginfo-2.12.0-33.el7_7.4.s390x.rpm
qemu-kvm-tools-ma-2.12.0-33.el7_7.4.s390x.rpm

Red Hat Enterprise Linux Server Optional EUS (v. 7.7):

ppc64:
qemu-kvm-common-ma-2.12.0-33.el7_7.4.ppc64.rpm
qemu-kvm-ma-2.12.0-33.el7_7.4.ppc64.rpm
qemu-kvm-ma-debuginfo-2.12.0-33.el7_7.4.ppc64.rpm
qemu-kvm-tools-ma-2.12.0-33.el7_7.4.ppc64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14364
https://access.redhat.com/security/updates/classification/#important
https://bugzilla.redhat.com/show_bug.cgi?id=1869705

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3L0W9zjgjWX9erEAQhVfg//bxgzPFA7Md+N9wS96YhkNRWEMoDjHP0h
fYpPG5Ypr0rL4oJ4lRnugoP18nDx87I7r3EoB6i5b3YR43Eqg8p2Vz03k5OPzuyz
WVyi8xwZ51mNxCVkSTSLcPMppjO04EZFx33LHfgI/sjXDLVZExB6fPudpX22Xn35
P6GvxJmEFNuXANHGpRA1t7OUgCaGBIZIMKdzgnvfuNAdkUK7eMYlp/XjesqAwL/l
5S9JtEXGCixOl/RuFl7hlWW/eIXpWbZalvEo1zpo3xYxI+jgHUQDbhsELFpN+4lS
MjLF/WzyLVT4AYvjPDN1j7/W9E2YNTVx7mRztpk6NNTQ25o5rX4iEQTuUepTKE8t
UrTwvjv8kkd4ltVBUzKyMghkwYs8U3EemzwUsH3xq/iyJkMd18ZSkZdCDpI6RwrT
GtBLJ6i01Pq3eh4S83x8OHykXlDYhjns4cki1D3oQee7/iKz8/1sMBESURCcyzh0
U8E636u1D8AuA5qALpgBD3hpNZLNNXE9owx7yc8/s49q4H5Y5cX8yJZSLUzCw/s6
kXOX31Y38pabJoXBWfcRgYMugpkThuoO7El9SB62+lhU4adxYS1x7nv1M0Z9D94s
JAI8mBwDC1lZ91Pj2g9RDxoDHhC84SCSBkR2nk+FEbeaVXghKrruzkukaG2bowuP
T1pzOvlAxrI=
=c4Os
- -----END PGP SIGNATURE-----

- -----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: qemu-kvm-ma security update
Advisory ID:       RHSA-2020:3907-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3907
Issue date:        2020-09-29
CVE Names:         CVE-2018-15746 CVE-2019-20382 
=====================================================================

1. Summary:

An update for qemu-kvm-ma is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for
Linux on a variety of architectures. The qemu-kvm-ma packages provide the
user-space component for running virtual machines that use KVM on the IBM z
Systems, IBM Power, and 64-bit ARM architectures.

Security Fix(es):

* QEMU: seccomp: blacklist is not applied to all threads (CVE-2018-15746)

* QEMU: vnc: memory leakage upon disconnect (CVE-2019-20382)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.9 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1615637 - CVE-2018-15746 QEMU: seccomp: blacklist is not applied to all threads
1810390 - CVE-2019-20382 QEMU: vnc: memory leakage upon disconnect

6. Package List:

Red Hat Enterprise Linux Server (v. 7):

Source:
qemu-kvm-ma-2.12.0-48.el7.src.rpm

ppc64:
qemu-img-ma-2.12.0-48.el7.ppc64.rpm
qemu-kvm-ma-debuginfo-2.12.0-48.el7.ppc64.rpm

ppc64le:
qemu-img-ma-2.12.0-48.el7.ppc64le.rpm
qemu-kvm-common-ma-2.12.0-48.el7.ppc64le.rpm
qemu-kvm-ma-2.12.0-48.el7.ppc64le.rpm
qemu-kvm-ma-debuginfo-2.12.0-48.el7.ppc64le.rpm
qemu-kvm-tools-ma-2.12.0-48.el7.ppc64le.rpm

s390x:
qemu-img-ma-2.12.0-48.el7.s390x.rpm
qemu-kvm-common-ma-2.12.0-48.el7.s390x.rpm
qemu-kvm-ma-2.12.0-48.el7.s390x.rpm
qemu-kvm-ma-debuginfo-2.12.0-48.el7.s390x.rpm
qemu-kvm-tools-ma-2.12.0-48.el7.s390x.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
qemu-kvm-common-ma-2.12.0-48.el7.ppc64.rpm
qemu-kvm-ma-2.12.0-48.el7.ppc64.rpm
qemu-kvm-ma-debuginfo-2.12.0-48.el7.ppc64.rpm
qemu-kvm-tools-ma-2.12.0-48.el7.ppc64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-15746
https://access.redhat.com/security/cve/CVE-2019-20382
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3OjBdzjgjWX9erEAQj6gQ//SEWVHOdjJhjXKnCkeWEucrMHwwCkWRmI
jHsSo2DoriKwmbAsUzBTT2OJq4gAHCp0gCk15ndqLFQgPT3mQ/JTscg1r8TOFu8C
1hXOXJphxZAQKvSxbfdQ2GreCkrMGTD7PnUmnk/23OfEfg+z2GIT6e/unsLvWhzi
B4+CmXOCU4DvjImrkgPJQUqaYmvA4zH+Exoi30M0oM1Wm8Pc+V8bV0awFPyP/K2B
+cStKzK4AwGsKB00kSz3kkLX7Q6AztHfD/39W+pI77rok3iKG933tkogoo+485Qc
LN0GLLJMnu/bwXw6y44in67TuHC8uX0azOHLyBKBe2S0LEmO72fWq8zj8wQix3wi
wBI/dooFzlrmlrZI+ftZGqoeigcd3VDaGu4ji5yo6a+2UuvawrAfdwha1vt16zaK
Vy2Uqnfh+Kfc1bwqbG7aeDcFXAHUVJZLfQ69Pzp6ufsqlrTKi7KZAzx2u/QL+e/w
aWuF1krI/rr07F3p7vewiL443FGAL9BcCFcGF8G42saovcwozn3Z1bQTU5+MJeRw
M4lPJeyvbRbKUld7e/N9igzGr4wk3rdALKWo2JjwYrYvcPWd2AVEancY9gtnrnj5
x9GGq8oZMPd6WSnjnNxjpnPYwHrT3d61QslkghNBDoHmxb5rrTdyVzVW3guVYNaE
y0GKn5Ljxig=
=L1l0
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX3PBIuNLKJtyKPYoAQj6zRAAhTyrvGO1L16MvC3IfH/oavV91xHy9S4X
qTUI/gEfrxsMV67va/WJ8QjP4cSHfXR7vdr+SrdXKTu4nJrJ2eaBBkP0U5HhSisC
wd0ecK+KI0/bTdaIQv1WzW0K3VjvZzIxji34ZNp/ayKbE5mkUcGP6v4L5COSLICA
9lv2axPV0NiZniVRKw+Bvh7CTi2uZEaYW0eKeriGwZd4Jk6W8ve2eJiSxkahak9o
nqozjY7XG9MD+HgYfH9SKzXyqYWOEGzqvRyUIGp2A2/zwxaOWtHiJm2inrFY/JxY
DtoJQQ2AiVxtty5h5E+FyWlknVpOF81uCqCt0Izxe3A4n9wyCDSGHc6KF4MPZFan
SzY4aKEg1p6pSJLRPC3/ssaDR+1nC+Tz0d2OxcCk78C45gfB1E/zvfm99W+NbTT4
PPl5tar1+LYl2V6sfqAxalTI4Nrwc0TMMx5bqdqZZpdnQGQOryKcpuugqiP5m7HL
rI/l+iDO1p54Fl8lWnh+xxTWJb5aV5ADbsAuOXKNnyP08F3s+6LzhrByIjUAnhwc
UwnNThT3Hl+n7ucBYliujguXS/Yw5NOIp8J+RevHXPmUS4EKXNnHpCqb7YNr2X19
cnkd/lbVB8qyKBxXkvym6L36LeCXWZfnX0GRCScUyA42BYbyQhwB3OicMwGooEiZ
VfARdEFkdYM=
=XWYn
-----END PGP SIGNATURE-----