Lucene search

K
osvGoogleOSV:ALSA-2020:4676
HistoryNov 03, 2020 - 12:26 p.m.

Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update

2020-11-0312:26:07
Google
osv.dev
10
kvm rhel virtualization
security update
api management
libvirt
cve-2020-14339
cve-2019-15890
cve-2019-20485
cve-2020-1983
cve-2020-10703
cve-2020-14301
almalinux release notes

AI Score

8.9

Confidence

High

EPSS

0.015

Percentile

87.0%

Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems.

The following packages have been upgraded to a later upstream version: hivex (1.3.18), libguestfs (1.40.2), libguestfs-winsupport (8.2), libvirt (6.0.0), libvirt-dbus (1.3.0), libvirt-python (6.0.0), nbdkit (1.16.2), perl-Sys-Virt (6.0.0), qemu-kvm (4.2.0), seabios (1.13.0), SLOF (20191022). (BZ#1810193, BZ#1844296)

Security Fix(es):

  • libvirt: leak of /dev/mapper/control into QEMU guests (CVE-2020-14339)

  • QEMU: Slirp: use-after-free during packet reassembly (CVE-2019-15890)

  • libvirt: Potential DoS by holding a monitor job while querying QEMU guest-agent (CVE-2019-20485)

  • QEMU: slirp: use-after-free in ip_reass() function in ip_input.c (CVE-2020-1983)

  • libvirt: Potential denial of service via active pool without target path (CVE-2020-10703)

  • libvirt: leak of sensitive cookie information via dumpxml (CVE-2020-14301)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.