Moderate: RHV Engine and Host Common Packages security update

Related Vulnerabilities: CVE-2022-24302  

Synopsis

Moderate: RHV Engine and Host Common Packages security update

Type/Severity

Security Advisory: Moderate

Topic

Updated dependency packages for ovirt-engine and ovirt-host that fix several bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.

The ovirt-ansible-hosted-engine-setup package provides an Ansible role for deploying Red Hat Virtualization Hosted-Engine.

Security Fix(es):

  • python-paramiko: Race condition in the write_private_key_file function (CVE-2022-24302)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

A list of bugs fixed in this update is available in the Technical Notes book:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

  • Red Hat Virtualization Manager 4.4 x86_64
  • Red Hat Virtualization 4 for RHEL 8 x86_64
  • Red Hat Virtualization for IBM Power LE 4 for RHEL 8 ppc64le
  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le

Fixes

  • BZ - 1883949 - ovirt_disk Ansible module uses the physical size of a qcow2 file instead of the virtual size
  • BZ - 1932149 - Create hosted_storage with the correct storage_format based on the Data-Center level of the backup
  • BZ - 1933555 - [RFE] Release python-ovirt-engine-sdk4 package on RHEL 9
  • BZ - 1940824 - [RFE] Upgrade OVN/OVS 2.11 in RHV to OVN/OVS 2.15
  • BZ - 2004018 - Modify ovirt_disk Ansible module to allow setting the bootable flag only if disk is attached to a virtual machine
  • BZ - 2004852 - [RFE] include option to enable/disable virtio scsi support in ovirt_vm module
  • BZ - 2006721 - uploading image using ovirt_disk always fails for the first time and works in second attempt
  • BZ - 2017070 - Remove manageiq role from oVirt Ansible Collection
  • BZ - 2020620 - Hosted engine setup fails on host with DISA STIG profile
  • BZ - 2034313 - upgrade otopi to 1.10.0
  • BZ - 2044362 - Upgrade ovirt-setup-lib to 1.3.3
  • BZ - 2060763 - [RFE] Upgrade OVS 2.11 in RHV to OVS 2.15
  • BZ - 2064795 - Build and distribute python38-passlib in RHV channels
  • BZ - 2064798 - Build and distribute python38-pycurl in RHV channels
  • BZ - 2064799 - Build and distribute python38-jmespath in RHV channels
  • BZ - 2064801 - Build and distribute python38-netaddr in RHV channels
  • BZ - 2065665 - CVE-2022-24302 python-paramiko: Race condition in the write_private_key_file function
  • BZ - 2066811 - Hosted engine deployment fails when DISA STIG profile is selected for the engine VM
  • BZ - 2071365 - [RFE] Require ansible-core-2.12 in ovirt-ansible-collection