First published: Tue Aug 27 2013
The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent.

Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions.

Upgrade Note: If you upgrade the Red Hat Enterprise Virtualization Hypervisor through the 3.2 Manager administration portal, the Host may appear with the status of "Install Failed". If this happens, place the host into maintenance mode, then activate it again to get the host back to an "Up" state.

It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620)

It was found that the fix for CVE-2013-0167 released via RHSA-2013:0907 was incomplete. A privileged guest user could potentially use this flaw to make the host the guest is running on unavailable to the management server. (CVE-2013-4236)

An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791)

Red Hat would like to thank the Mozilla project for reporting CVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter of CVE-2013-0791. The CVE-2013-4236 issue was found by David Gibson of Red Hat.

This updated package provides updated components that include fixes for various security issues. These issues have no security impact on Red Hat Enterprise Virtualization Hypervisor itself, however. The security fixes included in this update address the following CVE numbers:

CVE-2013-4854 (bind issue)

CVE-2012-6544, CVE-2013-2146, CVE-2013-2206, CVE-2013-2224, CVE-2013-2232, and CVE-2013-2237 (kernel issues)

This update also contains the fixes from the following errata:

* vdsm: RHSA-2013:1155 and RHBA-2013:1158

Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which corrects these issues.

Affected Software | Affected Version | How to fix |
---|---|---|
redhat/rhev-hypervisor6 | <6.4-20130815.0.el6_4 | 6.4-20130815.0.el6_4 |
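
To check recorded rhev-hypervisor6 versions against the fixed version in the table, the following added example (not part of the advisory or of Red Hat tooling) compares version-release strings using RPM's segment ordering, which a plain string comparison gets wrong for values such as 6.10 versus 6.4. The host names and every version other than the fixed one are constructed, and it assumes no epoch, tilde or caret in the strings.

```python
import re

# Fixed version-release for redhat/rhev-hypervisor6, from the table above.
FIXED = "6.4-20130815.0.el6_4"
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Compare two RPM version (or release) strings: -1, 0 or 1.

    Segment rules as in RPM: separators are skipped, digit runs compare as
    integers, letter runs compare as strings, a digit run beats a letter run,
    and if all shared segments tie the string with segments left over wins.
    Tilde and caret ordering is not handled here.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return -1 if kx < ky else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_vr(a, b):
    """Compare 'version-release' strings; epoch is assumed absent."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def needs_update(installed):
    """True when the installed version-release sorts below FIXED."""
    return compare_vr(installed, FIXED) < 0

def audit(inventory):
    """Return the hosts whose recorded version-release is below FIXED."""
    return sorted(h for h, vr in inventory.items() if needs_update(vr))

# Constructed inventory: host names and the non-fixed versions are made up.
SAMPLE_INVENTORY = {
    "rhevh-01.example.test": "6.4-20130528.0.el6_4",
    "rhevh-02.example.test": "6.4-20130815.0.el6_4",
    "rhevh-03.example.test": "6.3-20130815.0.el6_4",
    "rhevh-04.example.test": "6.10-20140101.0.el6",
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is below {FIXED}")
```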