(RHSA-2019:2437) Important: Red Hat Virtualization security update

The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host’s resources and performing administrative tasks.

The following packages have been upgraded to a later upstream version: imgbased (1.1.9), ovirt-node-ng (4.3.5), redhat-release-virtualization-host (4.3.5), redhat-virtualization-host (4.3.5). (BZ#1669357, BZ#1669365, BZ#1684986, BZ#1711193, BZ#1717250, BZ#1726917)

Security Fix(es):

• python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)

• rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled (CVE-2018-16881)

• edk2: stack overflow in XHCI causing denial of service (CVE-2019-0161)

• openssl: 0-byte record padding oracle (CVE-2019-1559)

• cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment (CVE-2019-10139)

• sssd: improper implementation of GPOs due to too restrictive permissions (CVE-2018-16838)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.