-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Virtualization 2.5.3 security and bug fix update Advisory ID: RHSA-2021:0187-01 Product: Container-native Virtualization Advisory URL: https://access.redhat.com/errata/RHSA-2021:0187 Issue date: 2021-01-19 Keywords: cnv,kubevirt,virtualization CVE Names: CVE-2020-1971 CVE-2020-8177 CVE-2020-12321 CVE-2020-16166 CVE-2020-27813 ==================================================================== 1. Summary: Red Hat OpenShift Virtualization release 2.5.3 is now available with updates to packages and images that fix several bugs and security issues. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization 2.5.3 images: RHEL-7-CNV-2.5 =============kubevirt-ssp-operator-container-v2.5.3-2 RHEL-8-CNV-2.5 =============virtio-win-container-v2.5.3-4 hostpath-provisioner-container-v2.5.3-3 kubevirt-kvm-info-nfd-plugin-container-v2.5.3-2 kubevirt-template-validator-container-v2.5.3-4 kubevirt-cpu-model-nfd-plugin-container-v2.5.3-1 kubevirt-metrics-collector-container-v2.5.3-3 cnv-containernetworking-plugins-container-v2.5.3-2 kubemacpool-container-v2.5.3-2 hostpath-provisioner-operator-container-v2.5.3-3 kubevirt-cpu-node-labeller-container-v2.5.3-3 node-maintenance-operator-container-v2.5.3-2 ovs-cni-marker-container-v2.5.3-2 kubernetes-nmstate-handler-container-v2.5.3-2 cluster-network-addons-operator-container-v2.5.3-3 ovs-cni-plugin-container-v2.5.3-2 bridge-marker-container-v2.5.3-2 kubevirt-v2v-conversion-container-v2.5.3-2 hyperconverged-cluster-operator-container-v2.5.3-3 kubevirt-vmware-container-v2.5.3-2 cnv-must-gather-container-v2.5.3-2 virt-api-container-v2.5.3-2 virt-handler-container-v2.5.3-2 virt-controller-container-v2.5.3-2 virt-launcher-container-v2.5.3-2 virt-operator-container-v2.5.3-2 virt-cdi-cloner-container-v2.5.3-4 virt-cdi-importer-container-v2.5.3-4 virt-cdi-controller-container-v2.5.3-4 virt-cdi-apiserver-container-v2.5.3-4 virt-cdi-operator-container-v2.5.3-4 virt-cdi-uploadserver-container-v2.5.3-4 virt-cdi-uploadproxy-container-v2.5.3-4 vm-import-operator-container-v2.5.3-4 vm-import-controller-container-v2.5.3-4 vm-import-virtv2v-container-v2.5.3-4 hco-bundle-registry-container-v2.5.3-80 Security Fix(es): * golang-github-gorilla-websocket: integer overflow leads to denial of service (CVE-2020-27813) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Container-native Virtualization 2.5.3 Images (BZ#1902961) 3. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 1902111 - CVE-2020-27813 golang-github-gorilla-websocket: integer overflow leads to denial of service 1902961 - Container-native Virtualization 2.5.3 Images 5. References: https://access.redhat.com/security/cve/CVE-2020-1971 https://access.redhat.com/security/cve/CVE-2020-8177 https://access.redhat.com/security/cve/CVE-2020-12321 https://access.redhat.com/security/cve/CVE-2020-16166 https://access.redhat.com/security/cve/CVE-2020-27813 https://access.redhat.com/security/updates/classification/#moderate 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYAbectzjgjWX9erEAQhpkA//ahafTxC/QVF8rcNQHlETxPJ19H/J1Oq0 h3YFUHesX/HXsKSzPWJnQTYXHy+XvlRJsRW7UJXyI4sCCL3+KTS6byuJDw4IdhXM 6XWi6GvTFGkyXBF+2FyIiaDRU+xYA9+RtvEzsxeZJhDuqxFT5BTnh/kYeXFMt7db IF/LrKGH4trUFADOmtR/mDoRIiKSszSHZvogmi77aILt80N1y36PgPIW1fhp4Vch a9G25PUwpo0GbV2MU1vUANLxY/Xl8pDwkxdiH1C3OL1xN9jXjpYPpDYGusp4cnJW Ltu0tbscqQ0DLuXuY2mijVoFw87n6z33nwvFQ1y/50IS0VxJ9xxOGwLU9MGuJJSU czEDF9B1A/YHuVvYZzA63yXPRm0gzPs4MsLNw+CVE7vT8k+DYk1+EYlrf6MeQXku 9sFT369P8BYewrby5ALz7f2Iad7XvM8ghw80ipkSOBMyfKVWICPBi3hK5arbJ4tv /Mxq0we6yOXniAm1JJGHmoSXGs6GrWcKHuRx7OhS9cQcoya3xsoV/GK6/qVaq/x6 sNEbQifbrmsHyQl4f2GNmeSJSVObjRdlTzh1CYUX0u7/fi3iGCJ0coaWEYWFVVnY xPAse2XYP3DwfWbfbYn+kTSo+FUlgr2DMX9UCl06Z0nO45cMAMhglEMRursbK4qM 5nTdjA8IcLg=ZWkh -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce