-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Low: virt-v2v security, bug fix, and enhancement update Advisory ID: RHSA-2022:7968-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:7968 Issue date: 2022-11-15 CVE Names: CVE-2022-2211 ==================================================================== 1. Summary: An update for virt-v2v is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat CodeReady Linux Builder (v. 9) - noarch Red Hat Enterprise Linux AppStream (v. 9) - noarch, x86_64 3. Description: The virt-v2v package provides a tool for converting virtual machines to use the KVM (Kernel-based Virtual Machine) hypervisor or Red Hat Enterprise Virtualization. The tool modifies both the virtual machine image and its associated libvirt metadata. Also, virt-v2v can configure a guest to use VirtIO drivers if possible. Security Fix(es): * libguestfs: Buffer overflow in get_keys leads to DoS (CVE-2022-2211) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1684075 - Virt-v2v can't convert a guest from VMware via nbdkit-vddk if original guest disk address is irregular 1774386 - input_vmx: cleanly reject guests with snapshots when using "-it ssh" 1788823 - Virt-v2v firstboot scripts should run in order, with v2v network configuration happening first 1817050 - Can't convert guest from VMware with non-admin account and vddk >=7.0 by virt-v2v 1848862 - There is nbdkit curl error info if convert a guest from VMware without vddk by administrator account 1854275 - document that vmx+ssh "-ip" auth doesn't cover ssh / scp shell commands 1868048 - [RFE]virt-v2v should install qemu-ga on debian guest during the conversion 1883802 - -i vmx: SATA disks are not parsed 1985830 - Start or remove VM failure even v2v has already finished 2003503 - There is virt-v2v warning: fstrim on guest filesystem /dev/mapper/osprober-linux-sdb1 failed if non-os disk of source guest has few/no inodes lef 2028764 - Install the qemu-guest-agent package during the conversion process 2039597 - Failed to import VM when selecting OVA as a source on RHV webadmin 2047660 - Add '--compressed' support in modular v2v 2051564 - [RFE]Limiting the maximum number of disks per guest for v2v conversions 2059287 - RFE: Rebase virt-v2v to 2.0 in RHEL 9.1 2062360 - RFE: Virt-v2v should replace hairy "enable LEGACY crypto" advice which a more targeted mechanism 2064178 - nothing provides openssh-clients >= 8.8p1 needed by virt-v2v-1:2.0.0-1.el9.x86_64 2066773 - The /tmp/v2v.XXXX directory has incorrect permisison if run v2v by root 2069768 - Import of OVA fails if the user/group name contains spaces 2070186 - fix virtio-vsock check (for Linux guests) in virt-v2v 2070530 - Virt-v2v can't convert guest when os is installed on nvme disk via vmx+ssh 2074026 - Remove -o json option 2074801 - do not pass "--non-bootable --read-write" to "volume create " in openstack output module 2074805 - -o qemu mode fails with: qemu-system-x86_64: -balloon: invalid option and other problems 2076013 - RHEL9.1 guest can't boot into OS after v2v conversion 2082603 - virt-v2v -o qemu prints cosmetic warning: "warning: short-form boolean option 'readonly' deprecated" 2094779 - missing python dependency in rhel9.1 2100862 - CVE-2022-2211 libguestfs: Buffer overflow in get_keys leads to DoS 2101665 - "/dev/nvme0n1" is not remapped to "/dev/vda" (etc) in boot config files such as "/boot/grub2/device.map" 2107503 - RHEL 8.6 VM with "qemu64" CPU model can't start because "the CPU is incompatible with host CPU: Host CPU does not provide required features: svm" 2112801 - RHEL9 guest hangs during boot after conversion by virt-p2v 2116811 - virt-v2v: error: internal error: assertion failed at linux_kernels.ml, line 190, char 11 6. Package List: Red Hat Enterprise Linux AppStream (v. 9): Source: virt-v2v-2.0.7-6.el9.src.rpm noarch: virt-v2v-bash-completion-2.0.7-6.el9.noarch.rpm x86_64: virt-v2v-2.0.7-6.el9.x86_64.rpm virt-v2v-debuginfo-2.0.7-6.el9.x86_64.rpm virt-v2v-debugsource-2.0.7-6.el9.x86_64.rpm Red Hat CodeReady Linux Builder (v. 9): noarch: virt-v2v-man-pages-ja-2.0.7-6.el9.noarch.rpm virt-v2v-man-pages-uk-2.0.7-6.el9.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-2211 https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBY3PhQNzjgjWX9erEAQj9AA/+LVRs5e5xUbvrRYoUnsKZPXZ0fWjz3Dsd D1P1qBp+IVgJIZNZpVgbuIk5c9C6mNzEFMd/1at0Tput1qu5b4VIUFz1KHvFPYIL xj+p+mAm5qIA5MKFkCcA7Rw8RdPeeXQojUFoKQU2p6nSUfptMwP7vbWjgRoJJlJ/ TTom+MIktIBhZXoNj9ZnOMMev+8kNbSxItWNrog7rGJLEsOrntRlAr9bcKcrmxV0 fYQ+GpoYsZUBFtN1eIt6695v3lyly0W4myFsjFS4sKr0y4RG8oqY2oyEqMw3qcmd UlciYz/QuKQqsY1ufc5JajhM0VHHXdv2RVxtJYn2cY4QI7aDeBsbl0wKG2Xs1+7v 19LmBNnikGzQHude/wNXdNkhTdJsvQkv+5ARvSmjkmywACuIbuyudJymG9S4Xzji gZRzSrfcdh2VqUBUVT4pjjKvFAUqa9BIFSm0iwMlDuuHZj9EhvB7ZydaUjOqfZfp tHZHGOl/sRtuojGVm56bXqp5u1ib+8VMVq8KCZGwD2dsMygeu3XnXOkvx/458FOY SpJG+z6GsV0jP193IK9B++54LSL6ZQLQ4yAvDUhxvCtm8nhGtsRGD6HXPOYdpdXM L1snWm51iEHrNavCuNf8Fh6Z1ewmWbZW+4RDWeo2rIn6HmSCj4iMW4twha+sqDDX uPMe6qqj+P4=3mD0 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce