AlmaLinuxALSA-2021:1791Moderate: spice-vdagent security and bug fix update
6.4 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L
5.4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:P/I:N/A:C
0.001 Low
EPSS
Percentile
22.2%
The spice-vdagent packages provide a SPICE agent for Linux guests.
Security Fix(es):
-
spice-vdagent: possible file transfer DoS and information leak via active_xfers hash map (CVE-2020-25651)
-
spice-vdagent: UNIX domain socket peer PID retrieved via SO_PEERCRED is subject to race condition (CVE-2020-25653)
-
spice-vdagent: memory DoS via arbitrary entries in active_xfers hash table (CVE-2020-25650)
-
spice-vdagent: possibility to exhaust file descriptors in vdagentd (CVE-2020-25652)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| almalinux | 8 | x86_64 | spice-vdagent | < 0.20.0-3.el8 | spice-vdagent-0.20.0-3.el8.x86_64.rpm |
Related
6.4 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L
5.4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:P/I:N/A:C
0.001 Low
EPSS
Percentile
22.2%