(RHSA-2020:4676) Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update

Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems.

The following packages have been upgraded to a later upstream version: hivex (1.3.18), libguestfs (1.40.2), libguestfs-winsupport (8.2), libvirt (6.0.0), libvirt-dbus (1.3.0), libvirt-python (6.0.0), nbdkit (1.16.2), perl-Sys-Virt (6.0.0), qemu-kvm (4.2.0), seabios (1.13.0), SLOF (20191022). (BZ#1810193, BZ#1844296)

Security Fix(es):

• libvirt: leak of /dev/mapper/control into QEMU guests (CVE-2020-14339)

• QEMU: Slirp: use-after-free during packet reassembly (CVE-2019-15890)

• libvirt: Potential DoS by holding a monitor job while querying QEMU guest-agent (CVE-2019-20485)

• QEMU: slirp: use-after-free in ip_reass() function in ip_input.c (CVE-2020-1983)

• libvirt: Potential denial of service via active pool without target path (CVE-2020-10703)

• libvirt: leak of sensitive cookie information via dumpxml (CVE-2020-14301)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.