Endpoint Vulnerability

RHSA-2020:4676: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update (Moderate)

Description

Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. The following packages have been upgraded to a later upstream version: hivex (1.3.18), libguestfs (1.40.2), libguestfs-winsupport (8.2), libvirt (6.0.0), libvirt-dbus (1.3.0), libvirt-python (6.0.0), nbdkit (1.16.2), perl-Sys-Virt (6.0.0), qemu-kvm (4.2.0), seabios (1.13.0), SLOF (20191022). (BZ#1810193, BZ#1844296) Security Fix(es): * libvirt: leak of /dev/mapper/control into QEMU guests (CVE-2020-14339) * QEMU: Slirp: use-after-free during packet reassembly (CVE-2019-15890) * libvirt: Potential DoS by holding a monitor job while querying QEMU guest-agent (CVE-2019-20485) * QEMU: slirp: use-after-free in ip_reass() function in ip_input.c (CVE-2020-1983) * libvirt: Potential denial of service via active pool without target path (CVE-2020-10703) * libvirt: leak of sensitive cookie information via dumpxml (CVE-2020-14301) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.

Affected Products

RFE