exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2020-4201-01

Red Hat Security Advisory 2020-4201-01
Posted Oct 7, 2020
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2020-4201-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. Issues addressed include a denial of service vulnerability.

tags | advisory, denial of service
systems | linux, redhat
advisories | CVE-2019-11756, CVE-2019-17006, CVE-2019-17023, CVE-2020-12402, CVE-2020-12825, CVE-2020-14352, CVE-2020-14365, CVE-2020-15586, CVE-2020-16845
SHA-256 | 3d8b1c7224e8a2deee960b7668ead051da2664d66a79b155eb862d4b51810393

Red Hat Security Advisory 2020-4201-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Low: OpenShift Virtualization 2.4.2 Images
Advisory ID: RHSA-2020:4201-01
Product: Container-native Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2020:4201
Issue date: 2020-10-06
CVE Names: CVE-2019-11756 CVE-2019-17006 CVE-2019-17023
CVE-2020-12402 CVE-2020-12825 CVE-2020-14352
CVE-2020-14365 CVE-2020-15586 CVE-2020-16845
====================================================================
1. Summary:

Red Hat OpenShift Virtualization release 2.4.2 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.

Security Fix(es):

* golang: data race in certain net/http servers including ReverseProxy can
lead to DoS (CVE-2020-15586)

* golang: ReadUvarint and ReadVarint can read an unlimited number of bytes
from invalid inputs (CVE-2020-16845)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* Container-native Virtualization 2.4.2 Images (BZ#1877407)

This advisory contains the following OpenShift Virtualization 2.4.2 images:

RHEL-7-CNV-2.4
=============kubevirt-ssp-operator-container-v2.4.2-2

RHEL-8-CNV-2.4
=============virt-cdi-controller-container-v2.4.2-1
virt-cdi-apiserver-container-v2.4.2-1
hostpath-provisioner-operator-container-v2.4.2-1
virt-cdi-uploadproxy-container-v2.4.2-1
virt-cdi-cloner-container-v2.4.2-1
virt-cdi-importer-container-v2.4.2-1
kubevirt-template-validator-container-v2.4.2-1
hostpath-provisioner-container-v2.4.2-1
virt-cdi-uploadserver-container-v2.4.2-1
virt-cdi-operator-container-v2.4.2-1
virt-controller-container-v2.4.2-1
kubevirt-cpu-model-nfd-plugin-container-v2.4.2-1
virt-api-container-v2.4.2-1
ovs-cni-marker-container-v2.4.2-1
kubevirt-cpu-node-labeller-container-v2.4.2-1
bridge-marker-container-v2.4.2-1
kubevirt-metrics-collector-container-v2.4.2-1
kubemacpool-container-v2.4.2-1
cluster-network-addons-operator-container-v2.4.2-1
ovs-cni-plugin-container-v2.4.2-1
kubernetes-nmstate-handler-container-v2.4.2-1
cnv-containernetworking-plugins-container-v2.4.2-1
virtio-win-container-v2.4.2-1
virt-handler-container-v2.4.2-1
virt-launcher-container-v2.4.2-1
cnv-must-gather-container-v2.4.2-1
virt-operator-container-v2.4.2-1
vm-import-controller-container-v2.4.2-1
hyperconverged-cluster-operator-container-v2.4.2-1
vm-import-operator-container-v2.4.2-1
kubevirt-vmware-container-v2.4.2-1
kubevirt-v2v-conversion-container-v2.4.2-1
kubevirt-kvm-info-nfd-plugin-container-v2.4.2-1
node-maintenance-operator-container-v2.4.2-1
hco-bundle-registry-container-v2.4.2-15

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1856953 - CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS
1867099 - CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
1869194 - HCO CR display name should contain "OpenShift Virtualization" instead of CNV
1869734 - OpenShift Virtualization does not appear in OperatorHub when filtering to "Disconnected"
1875383 - terminationGracePeriodSeconds should be updated in VMs created from common templates
1877407 - Container-native Virtualization 2.4.2 Images

5. References:

https://access.redhat.com/security/cve/CVE-2019-11756
https://access.redhat.com/security/cve/CVE-2019-17006
https://access.redhat.com/security/cve/CVE-2019-17023
https://access.redhat.com/security/cve/CVE-2020-12402
https://access.redhat.com/security/cve/CVE-2020-12825
https://access.redhat.com/security/cve/CVE-2020-14352
https://access.redhat.com/security/cve/CVE-2020-14365
https://access.redhat.com/security/cve/CVE-2020-15586
https://access.redhat.com/security/cve/CVE-2020-16845
https://access.redhat.com/security/updates/classification/#low

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX30EmtzjgjWX9erEAQgnhg/+Kw8PF1VdWqLhdnth6BBrjcI0qoGVd671
KqomXg22a9lJ+oFUqV8AV7FssyqRe5XDufdREbO7Q5QFJnLZh9sbvpJvmINA4/En
FX3caimjz5YQsTVJfDme/aHv8dfyqkjhd5hVRVHDjdZ/xagXqTB7qkA7H9IaHsMd
dLc4QHFIRCw3i+AUo6OLhnxIwkkDToTM6saoSscK5ePnze8t+dA2E2yk7n2NcB6n
djRONbWQ9am8/plK8QfeNHxpq6Yv9dXQMc8OqRPDN5Tytz4JSfW3isqhWSSzj7dd
D0nT6kpeeOD7a9tXkI1/J4e9UHY22oKaCBtgtzruba86yI5Imuq10tsn4Cmvn0hj
Frj7CwIy88vEq0WXUWY0P99a//pCJE5YozzJZWnqdEUb7xxyGWBtVzEGAcdIOT3o
BN5g5AYMjDXpShDDw24U2DCbCt0f9snZDqIXurL5PkcQyGq0CPjHjglhy5JrKes+
VY3LJa/bkT38RRXk/TzKrlPjxoJNXjhGqU8YdrTe4DGTTiCfE+CGQ5f5RObFt1Pp
UtbGikSRlso8P3Fu93unPgnqd1S8p3nVoYtAcUrMa+2CzjxpIN2OV/zmfl49tytf
q2sG6oiDTYtEMpGKiy5UQRLD9njJxNBHH+HD85SeSNfBwbnJeebfw9nLd7HJj3Ld
yrKxjSoHgxw=LVFp
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close