(RHSA-2022:4896) Important: Red Hat Virtualization security, bug fix, and enhancement update [ovirt-4.5.0]

The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host’s resources and performing administrative tasks.

Security Fix(es):

• kernel: use-after-free in RDMA listen() (CVE-2021-4028)

• kernel: fget: check that the fd still exists after getting a ref to it (CVE-2021-4083)

• kernel: heap out of bounds write in nf_dup_netdev.c (CVE-2022-25636)

• openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (CVE-2022-0778)

• zlib: A flaw found in zlib when compressing (not decompressing) certain inputs (CVE-2018-25032)

• gzip: arbitrary-file-write vulnerability (CVE-2022-1271)

• rsyslog: Heap-based overflow in TCP syslog server (CVE-2022-24903)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fixes:

• elfutils package has been update within RHV-H Channel to match the same version released in RHEL (BZ#2038081)

• Rebase package(s) to version 1.2.24
  For highlights, important fixes, or notable enhancements: see bugs in “Depend On”. (BZ#2057338)

• Rebase package(s) to version: 4.5.0

Highlights, important fixes, or notable enhancements: (BZ#2057342)

• Rebase package(s) to version anaconda-33.16.6.6-1.el8
  For highlights and important bug fixes: include UI change for blocking installation if root password is not set. (BZ#1899821)

• Red hat Virtualization Host has been rebased on Red Hat Enterprise Linux 8.6 (BZ#1997074)

• Previously, concurrent executions of LV refresh (lvchange) failed. This hindered simultaneous starts of virtual machines that have thin-provisioned disks based on the same disk on a block storage domain.
  In this release, concurrent execution of LV refresh has been fixed in LVM2. (BZ#2020497)

• Red Hat Virtualization Host has been rebased on latest Ceph 4.3 (BZ#2090138)

• In previous releases systemtap package could have been installed on top of RHV-H from RHV-H channel. With 4.4 SP1 systemtap package installation is not supported anymore (BZ#2052963)