-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: rhev-hypervisor security update Advisory ID: RHSA-2016:0277-01 Product: Red Hat Enterprise Virtualization Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0277.html Issue date: 2016-02-19 CVE Names: CVE-2015-7547 ===================================================================== 1. Summary: Updated rhev-hypervisor packages that fix one security issue are now available. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL 7-based RHEV-H - noarch RHEV Hypervisor for RHEL-6 - noarch 3. Description: The rhev-hypervisor package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module. (CVE-2015-7547) This issue was discovered by the Google Security Team and Red Hat. Users of Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to these updated packages. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1293532 - CVE-2015-7547 glibc: getaddrinfo stack-based buffer overflow 6. Package List: RHEV Hypervisor for RHEL-6: Source: rhev-hypervisor7-7.2-20160105.2.el6ev.src.rpm noarch: rhev-hypervisor6-6.7-20160104.2.el6ev.noarch.rpm rhev-hypervisor7-7.2-20160105.2.el6ev.noarch.rpm RHEL 7-based RHEV-H: Source: rhev-hypervisor7-7.2-20160105.2.el7ev.src.rpm noarch: rhev-hypervisor7-7.2-20160105.2.el7ev.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-7547 https://access.redhat.com/security/updates/classification/#critical https://access.redhat.com/articles/2161461 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWx5XnXlSAg2UNWIIRAtcMAJ4mh1Xh5yXXuzbu8XF1KwhpAO23JgCgkwFs +i/A4QfMj6I959bloDKYm7s= =J31G -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce