Oval Definition: oval:com.redhat.rhsa:def:20181997
Revision Date: 2018-06-26
Version: 643
Title: RHSA-2018:1997: libvirt security and bug fix update (Important)
Description: The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

Security Fix(es):

  • An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that a memory read from an address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639)

    Note: This is the libvirt side of the CVE-2018-3639 mitigation that includes support for guests running on hosts with AMD processors.

    Red Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting this issue.

Bug Fix(es):

  • Previously, the virtlogd service logged redundant AVC denial errors when a guest virtual machine was started. With this update, the virtlogd service no longer attempts to send shutdown inhibition calls to systemd, which prevents the described errors from occurring. (BZ#1573268)

  • Prior to this update, guest virtual machine actions that use a Python library failed in some cases, and "Hash operation not allowed during iteration" error messages were logged. Several redundant thread access checks have been removed, and the problem no longer occurs. (BZ#1581364)

  • The "virsh capabilities" command previously displayed an inaccurate number of 4 KiB memory pages on systems with very large amounts of memory. This update optimizes the memory diagnostic mechanism to ensure memory page numbers are displayed correctly on such systems. (BZ#1582418)

Family: unix
Class: patch
Status:
Reference(s): CVE-2018-3639, RHSA-2018:1997, RHSA-2018:1997-00, RHSA-2018:1997-01
Platform(s): Red Hat Enterprise Linux 7
Product(s):

Definition Synopsis
  • Red Hat Enterprise Linux must be installed
  • OR Package Information
  • Red Hat Enterprise Linux 7 is installed
  • AND
  • libvirt is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt is signed with Red Hat redhatrelease2 key
  • libvirt-admin is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-admin is signed with Red Hat redhatrelease2 key
  • libvirt-client is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-client is signed with Red Hat redhatrelease2 key
  • libvirt-daemon is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-config-network is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-config-network is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-config-nwfilter is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-config-nwfilter is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-driver-interface is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-driver-interface is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-driver-lxc is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-driver-lxc is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-driver-network is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-driver-network is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-driver-nodedev is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-driver-nodedev is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-driver-nwfilter is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-driver-nwfilter is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-driver-qemu is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-driver-qemu is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-driver-secret is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-driver-secret is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-driver-storage is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-driver-storage is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-driver-storage-core is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-driver-storage-core is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-driver-storage-disk is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-driver-storage-disk is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-driver-storage-gluster is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-driver-storage-gluster is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-driver-storage-iscsi is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-driver-storage-iscsi is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-driver-storage-logical is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-driver-storage-logical is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-driver-storage-mpath is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-driver-storage-mpath is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-driver-storage-rbd is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-driver-storage-rbd is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-driver-storage-scsi is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-driver-storage-scsi is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-kvm is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-kvm is signed with Red Hat redhatrelease2 key
  • libvirt-daemon-lxc is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-daemon-lxc is signed with Red Hat redhatrelease2 key
  • libvirt-devel is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-devel is signed with Red Hat redhatrelease2 key
  • libvirt-docs is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-docs is signed with Red Hat redhatrelease2 key
  • libvirt-libs is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-libs is signed with Red Hat redhatrelease2 key
  • libvirt-lock-sanlock is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-lock-sanlock is signed with Red Hat redhatrelease2 key
  • libvirt-login-shell is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-login-shell is signed with Red Hat redhatrelease2 key
  • libvirt-nss is earlier than 0:3.9.0-14.el7_5.6
  • AND libvirt-nss is signed with Red Hat redhatrelease2 key