-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3920
    RHV Engine and Host Common Packages security update [ovirt-4.4.9]
                              17 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           RHV Engine and Host Common Packages
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3620
Reference:         ESB-2021.3436

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:4703

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: RHV Engine and Host Common Packages security update [ovirt-4.4.9]
Advisory ID:       RHSA-2021:4703-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4703
Issue date:        2021-11-16
CVE Names:         CVE-2021-3620
=====================================================================

1. Summary:

Updated dependency packages for ovirt-engine and ovirt-host that fix several
bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch, x86_64
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - noarch, ppc64le, x86_64
Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8 - noarch

3. Description:

The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view and
manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live migrations,
and virtual infrastructure provisioning.

The ovirt.ovirt package (previously ovirt-ansible-collection) manages all
oVirt Ansible modules.

The ovirt-ansible-hosted-engine-setup package provides an Ansible role for
deploying Red Hat Virtualization Hosted-Engine.

otopi is a standalone, plug-in based installation framework to be used to set
up system components. The plug-in nature provides simplicity to add new
installation functionality without the complexity of the state and
transaction management.

Security Fix(es):

* Ansible: ansible-connection module discloses sensitive info in traceback
error message (CVE-2021-3620)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* A playbook executed by Ansible Engine 2.9.25 inside a virtual machine
running on Red Hat Virtualization 4.4.9 correctly detects that this is a
virtual machine running on Red Hat Virtualization by using Ansible facts.
(BZ#1904085)

* Red Hat Virtualization now supports Ansible-2.9.27 for internal usage.
(BZ#2003671)

* Previously, upgrading from Red Hat Virtualization 4.3 failed when using an
isolated network during IPv6 deployment. In this release, a forward network
is used instead of an isolated network during an IPv6 deployment. As a
result, upgrade from Red Hat Virtualization 4.3 using IPv6 now succeeds.
(BZ#1947709)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1947709 - [IPv6] HostedEngineLocal is an isolated libvirt network, breaking upgrades from 4.3
1975767 - CVE-2021-3620 Ansible: ansible-connection module discloses sensitive info in traceback error message
2003671 - Bump Ansible distributed within RHV channels to 2.9.27
2010670 - Upgrade otopi to 1.9.6

6. Package List:

Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8:

Source:
ovirt-ansible-collection-1.6.5-1.el8ev.src.rpm

noarch:
ovirt-ansible-collection-1.6.5-1.el8ev.noarch.rpm

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts:

Source:
ansible-2.9.27-1.el8ae.src.rpm
otopi-1.9.6-2.el8ev.src.rpm
ovirt-ansible-collection-1.6.5-1.el8ev.src.rpm
ovirt-imageio-2.3.0-1.el8ev.src.rpm

noarch:
ansible-2.9.27-1.el8ae.noarch.rpm
otopi-common-1.9.6-2.el8ev.noarch.rpm
otopi-debug-plugins-1.9.6-2.el8ev.noarch.rpm
ovirt-ansible-collection-1.6.5-1.el8ev.noarch.rpm
python3-otopi-1.9.6-2.el8ev.noarch.rpm

ppc64le:
ovirt-imageio-client-2.3.0-1.el8ev.ppc64le.rpm
ovirt-imageio-common-2.3.0-1.el8ev.ppc64le.rpm
ovirt-imageio-common-debuginfo-2.3.0-1.el8ev.ppc64le.rpm
ovirt-imageio-daemon-2.3.0-1.el8ev.ppc64le.rpm
ovirt-imageio-debugsource-2.3.0-1.el8ev.ppc64le.rpm

x86_64:
ovirt-imageio-client-2.3.0-1.el8ev.x86_64.rpm
ovirt-imageio-common-2.3.0-1.el8ev.x86_64.rpm
ovirt-imageio-common-debuginfo-2.3.0-1.el8ev.x86_64.rpm
ovirt-imageio-daemon-2.3.0-1.el8ev.x86_64.rpm
ovirt-imageio-debugsource-2.3.0-1.el8ev.x86_64.rpm

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
ansible-2.9.27-1.el8ae.src.rpm
otopi-1.9.6-2.el8ev.src.rpm
ovirt-ansible-collection-1.6.5-1.el8ev.src.rpm
ovirt-imageio-2.3.0-1.el8ev.src.rpm

noarch:
ansible-2.9.27-1.el8ae.noarch.rpm
otopi-common-1.9.6-2.el8ev.noarch.rpm
otopi-debug-plugins-1.9.6-2.el8ev.noarch.rpm
ovirt-ansible-collection-1.6.5-1.el8ev.noarch.rpm
python3-otopi-1.9.6-2.el8ev.noarch.rpm

x86_64:
ovirt-imageio-client-2.3.0-1.el8ev.x86_64.rpm
ovirt-imageio-common-2.3.0-1.el8ev.x86_64.rpm
ovirt-imageio-common-debuginfo-2.3.0-1.el8ev.x86_64.rpm
ovirt-imageio-daemon-2.3.0-1.el8ev.x86_64.rpm
ovirt-imageio-debugsource-2.3.0-1.el8ev.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3620
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYZQXltzjgjWX9erEAQjvjw/6Ag0jbBYE+89ki14FkfjvY60Wy/wI2M5s
gp5CiTEaW15tASirPRXVBv+i9Cwug9ara0IaaHEHRAoMmw61PlWdH39SjDVFyVHM
poeSIR1YslISuabjsUGG8uVUsfiaKP4Xsg1QgtfOKn/g1DZVPgoyHby9VnIFcgRX
/6mZQTOo+SW6/kuwUlx04/kjCxasX38iMJZlXVg82HwpPKPN7evukrlaE5haS+ja
gronKHu9PW96N23u/VlssC4em8uoQ1gw0YSJzr38Ei2QOYbatdaYE3b6/yVX+UuN
LEDNdwSbPTt458snmf+CtAqef7X6NWuWz+dsVEtiH1tqcBI/maqfvElRxKQZ3bIF
qlnhWGJUDLpZODyBkS9zuZxe8mmxM89a2WuggD6PvCOO1zFJmvXc1Ad/Quh2Hhii
Wp1bTDeSUl1bfIooPEoGVTPrNIsjgYpt3y4iqvoxzMF77wLmPs976TRLKF1a1vDo
IMLJZtPx57WWopXubMyBvGwK3GyzQr4aSHGT2/HJTN/hwbEOBaIfcFXl4/fX3yX4
P++OEZN+cDmDIdRbKn1AXiv8IkvtTSS2dUJ3+elPkN05T+IR+u5K2VjbMPOuW4IJ
DKYXHGtp2y785sDmxH2M5ug8QYzPBEFW7CC4QlWl9jSu/vWm3xBiHhUx/uaeS3qP
clPd21+yCtc=
=wKss
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
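The package list above gives the fixed NVRAs; the practical question on each Engine and host is whether every listed package is at least at that build. The script below is an added example, not code from AusCERT or Red Hat: it re-implements rpm's version ordering (the segment rules of rpm's rpmvercmp) in Python so that its verdicts match what rpm and dnf decide, parses `rpm -qa` output, and reports any advisory package still below the fixed version. The fixed list is copied from section 6 for the RHEL-8 Engine channel; the inventory it ships with is constructed sample data; the `rpm -qa` NAME-VERSION-RELEASE.ARCH output format and the absence of epochs on these packages are assumptions.

```python
import re
import sys

# Fixed binary packages for the RHEL-8 Engine channel, copied from section 6 of RHSA-2021:4703.
FIXED_NVRA = [
    "ansible-2.9.27-1.el8ae.noarch",
    "otopi-common-1.9.6-2.el8ev.noarch",
    "otopi-debug-plugins-1.9.6-2.el8ev.noarch",
    "ovirt-ansible-collection-1.6.5-1.el8ev.noarch",
    "python3-otopi-1.9.6-2.el8ev.noarch",
    "ovirt-imageio-common-2.3.0-1.el8ev.x86_64",
    "ovirt-imageio-daemon-2.3.0-1.el8ev.x86_64",
]

# Constructed sample in `rpm -qa` (NAME-VERSION-RELEASE.ARCH) form; not captured from a real host.
SAMPLE_INVENTORY = """\
bash-4.4.20-1.el8.x86_64
gpg-pubkey-00000000-00000000
ansible-2.9.25-1.el8ae.noarch
otopi-common-1.9.5-1.el8ev.noarch
python3-otopi-1.9.6-2.el8ev.noarch
ovirt-ansible-collection-1.6.5-1.el8ev.noarch
ovirt-imageio-daemon-2.2.0-1.el8ev.x86_64
"""

def rpmvercmp(a, b):
    """-1/0/1 for a <, ==, > b, following the segment rules of rpm's lib/rpmvercmp.c."""
    i = j = 0
    while i < len(a) or j < len(b):        # walk both strings one segment at a time
        # Skip separators: anything that is not ASCII alphanumeric, '~' or '^'.
        while i < len(a) and not (a[i].isascii() and a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isascii() and b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca, cb = a[i:i + 1], b[j:j + 1]        # "" once a side is exhausted
        if ca == "~" or cb == "~":             # '~' sorts before everything, even end of string
            if ca != cb:
                return 1 if cb == "~" else -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":             # '^' sorts after end of string, before anything else
            if ca != cb:
                return -1 if (not ca) or (ca == "^" and cb) else 1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        pat = r"[0-9]+" if ca.isdigit() else r"[A-Za-z]+"
        sa, mb = re.match(pat, a[i:]).group(0), re.match(pat, b[j:])
        if not mb:                             # segment types differ: numeric is newer
            return 1 if ca.isdigit() else -1
        sb = mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if ca.isdigit():                       # numeric: drop leading zeros, more digits wins
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:                           # equal length (or alpha): plain string order
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1             # whichever still has characters left is newer

def parse_nvra(nvra):
    """Split NAME-[EPOCH:]VERSION-RELEASE.ARCH; names may contain '-' themselves."""
    rest, arch = nvra.rsplit(".", 1)
    rest, release = rest.rsplit("-", 1)
    name, version = rest.rsplit("-", 1)
    # None of this advisory's packages carry an epoch, but rpm orders by it first.
    epoch, version = version.split(":", 1) if ":" in version else ("0", version)
    return name, int(epoch), version, release, arch

def evrcmp(a, b):
    """Compare (epoch, version, release) tuples: epoch, then version, then release."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def unpatched_packages(inventory, fixed=FIXED_NVRA):
    """Return (installed, fixed) pairs for listed packages still older than the fix."""
    fixed_by_key = {}
    for nvra in fixed:
        n, e, v, r, a = parse_nvra(nvra)
        fixed_by_key[(n, a)] = (nvra, (e, v, r))
    findings = []
    for line in inventory.split():
        try:
            n, e, v, r, a = parse_nvra(line)
        except ValueError:                     # e.g. gpg-pubkey entries have no arch/release
            continue
        hit = fixed_by_key.get((n, a))
        if hit and evrcmp((e, v, r), hit[1]) < 0:
            findings.append((line, hit[0]))
    return findings

if __name__ == "__main__":
    data = SAMPLE_INVENTORY if sys.stdin.isatty() else sys.stdin.read()
    for installed, fix in unpatched_packages(data):
        print(f"UNPATCHED {installed}  ->  update to {fix}")
```

On a real system pipe the inventory in (`rpm -qa | python3 check.py`, with any file name); the host channel has the same names with ppc64le added, so extend FIXED_NVRA from section 6 for hosts. Matching is on (name, arch), and the comparison is epoch, then version, then release, exactly the order rpm uses, so a rebuilt `-1.el8ev` versus `-2.el8ev` is detected even when the version string is identical. A version check is only half the job: verify downloaded RPMs against the Red Hat key with `rpm -K <file>.rpm` before installing, as the advisory's GPG note directs.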
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYZRQUuNLKJtyKPYoAQiWXA/7BG657ot9xRrCR3p8TQEe0RS1uOUIxU7C
X5EAUY3XOQCo62Ab/o8ggOZLN51hiR/CXLsNAUheLBOoADJdW3ucjTuzDRLxhQvV
AaBz9Hgai2WNTDbpKrl/bqJY0lvoc5Gwg3bX7NYXuQsfyW3pgUoXsGvHCOzBioJl
Y5FAUHa7SyEkjn8yBxmIESrq0pj+N2VGy7BesGuUkjvdqbzfwAKbKuUNx8JYVIhl
ISFkqP6CsCF628WZEna38AfQ/7Kj6K+tXSxta0b5+1dF/Bp7L8oA1K1NRgRGymMC
hVZumGo55cVIO7/FI6oGacQzAV/wBNFtw2UMa12UQMGHtYuvGnTvtwxB5fr0ZXIv
GRf7M5IWpXAljjG4BYnaqBYcP9b/pyoEL5NVyIfu3g1OaVA8Tq0I2+Ae/9zozryc
cOcFF7ADMwn3omhzw1GGSQT6/7vNAGXgnvJo9sHF11XvMZq1Qdbb2rhvvLkwqvot
A/H29kPfRZuFmK8byNZs6oPCy/CkOX0PQ8XFcStHcnPruKgxPOXYZOZNm8qVHOWi
6PG8ts9karCwWQ3cEOqFnW6cpsCFS1uuVT1MffE6NLt0NmaH8ZNQgbz+H+4jSgbP
j5nSoHHq4lAlEV37qho9VSxZ9pgONw5How2CoNbenfUC1B5ORaS6nwfOyi08WKYA
tE5A8Fblji0=
=Gb+j
-----END PGP SIGNATURE-----