Red Hat Enterprise Virtualization Manager provides access to virtual
machines using SPICE. These SPICE client packages provide the SPICE client
and usbclerk service for both Windows 32-bit operating systems and Windows
64-bit operating systems.
The rhevm-spice-client package includes the mingw-virt-viewer Windows SPICE
client. OpenSSL, a general purpose cryptography library with a TLS
implementation, is bundled with mingw-virt-viewer. The mingw-virt-viewer
package has been updated to correct the following issues:
An information disclosure flaw was found in the way OpenSSL handled TLS and
DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server
could send a specially crafted TLS or DTLS Heartbeat packet to disclose a
limited portion of memory per request from a connected client or server.
Note that the disclosed portions of memory could potentially include
sensitive information such as private keys. (CVE-2014-0160)
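As an added illustration of the CVE-2014-0160 flaw described above (example code written for this page, not part of the advisory, OpenSSL or mingw-virt-viewer), the check below parses a plaintext TLS record and flags a Heartbeat message whose declared payload length cannot fit inside the record that carried it, which is the bounds check the fix introduced. The sample records are constructed, and the check only applies to heartbeats seen in the clear or after decryption at the endpoint.

```python
import struct

# Heartbeat extension content type and message types (RFC 6520).
HEARTBEAT_CONTENT_TYPE = 24
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of random padding follow the payload
HEADER_LEN = 5  # content type (1) + protocol version (2) + record length (2)
HB_PREFIX_LEN = 3  # heartbeat type (1) + payload_length (2)


def inspect_tls_record(record: bytes) -> dict:
    """Classify one plaintext TLS record as {"is_heartbeat", "suspicious", "reason"}.

    The 'suspicious' verdict applies the bounds check the CVE-2014-0160 fix added:
    payload_length plus the 3-byte prefix and 16 bytes of padding must fit in the record.
    """
    if len(record) < HEADER_LEN:
        return {"is_heartbeat": False, "suspicious": True, "reason": "truncated record header"}
    content_type, _major, _minor, length = struct.unpack("!BBBH", record[:HEADER_LEN])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return {"is_heartbeat": False, "suspicious": False, "reason": "not a heartbeat record"}
    body = record[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        return {"is_heartbeat": True, "suspicious": True,
                "reason": f"record claims {length} bytes but {len(body)} are present"}
    if length < HB_PREFIX_LEN:
        return {"is_heartbeat": True, "suspicious": True, "reason": "heartbeat body too short"}
    hb_type = body[0]
    (payload_length,) = struct.unpack("!H", body[1:HB_PREFIX_LEN])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return {"is_heartbeat": True, "suspicious": True, "reason": f"unknown heartbeat type {hb_type}"}
    # Vulnerable OpenSSL trusted payload_length and echoed that many bytes from the
    # record buffer, so a value larger than the real payload read adjacent memory.
    if HB_PREFIX_LEN + payload_length + MIN_PADDING > length:
        return {"is_heartbeat": True, "suspicious": True,
                "reason": f"declared payload {payload_length} does not fit in a {length}-byte record"}
    return {"is_heartbeat": True, "suspicious": False, "reason": "well-formed heartbeat"}


# Constructed sample records (TLS 1.0 version bytes 0x03 0x01), not captured traffic.
# Well-formed request: 3-byte payload "abc" followed by 16 bytes of padding.
SAMPLE_OK = bytes([0x18, 0x03, 0x01, 0x00, 0x16, 0x01, 0x00, 0x03]) + b"abc" + bytes(16)
# Malformed request: 3 payload bytes on the wire, but payload_length claims 200.
SAMPLE_BAD = bytes([0x18, 0x03, 0x01, 0x00, 0x06, 0x01, 0x00, 0xC8]) + b"abc"

if __name__ == "__main__":
    for name, rec in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, inspect_tls_record(rec))
```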
It was discovered that OpenSSL leaked timing information when decrypting
TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites
were used. A remote attacker could possibly use this flaw to retrieve plain
text from the encrypted packets by using a TLS/SSL or DTLS server as a
padding oracle. (CVE-2013-0169)
A NULL pointer dereference flaw was found in the way OpenSSL handled
TLS/SSL protocol handshake packets. A specially crafted handshake packet
could cause a TLS/SSL client using OpenSSL to crash. (CVE-2013-4353)
It was discovered that the TLS/SSL protocol could leak information about
plain text when optional compression was used. An attacker able to control
part of the plain text sent over an encrypted TLS/SSL connection could
possibly use this flaw to recover other portions of the plain text.
(CVE-2012-4929)
Red Hat would like to thank the OpenSSL project for reporting
CVE-2014-0160. Upstream acknowledges Neel Mehta of Google Security as the
original reporter.
The updated mingw-virt-viewer Windows SPICE client further includes OpenSSL
security fixes that have no security impact on mingw-virt-viewer itself.
The security fixes included in this update address the following CVE
numbers:
CVE-2013-6449, CVE-2013-6450, CVE-2012-2686, and CVE-2013-0166
All Red Hat Enterprise Virtualization Manager users are advised to upgrade
to these updated packages, which address these issues.
OS | Version | Architecture | Package | Affected version | Filename |
---|---|---|---|---|---|
RedHat | 6 | noarch | rhevm-spice-client-x86-msi | < 3.3-12.el6_5 | rhevm-spice-client-x86-msi-3.3-12.el6_5.noarch.rpm |
RedHat | 6 | noarch | rhevm-spice-client-x64-cab | < 3.3-12.el6_5 | rhevm-spice-client-x64-cab-3.3-12.el6_5.noarch.rpm |
RedHat | 6 | noarch | rhevm-spice-client-x86-cab | < 3.3-12.el6_5 | rhevm-spice-client-x86-cab-3.3-12.el6_5.noarch.rpm |
RedHat | 6 | noarch | rhevm-spice-client-x64-msi | < 3.3-12.el6_5 | rhevm-spice-client-x64-msi-3.3-12.el6_5.noarch.rpm |
RedHat | 6 | src | rhevm-spice-client | < 3.3-12.el6_5 | rhevm-spice-client-3.3-12.el6_5.src.rpm |