3:35 a.m.
2018-05-23 16:57 GMT+02:00 Sandro Bonazzola <sbonazzo(a)redhat.com>:
As you may have already heard, an industry-wide issue was found in
the way
many modern microprocessor designs have implemented speculative execution
of Load & Store instructions.
This issue is well described by CVE-2018-3639 announce available at
https://access.redhat.com/security/cve/cve-2018-3639.
oVirt team has released right now an update of ovirt-engine to version
4.2.3.7 which add support for SSBD CPUs in order to mitigate the security
issue.
If you are running oVirt on Red Hat Enterprise Linux, please apply updates
described in https://access.redhat.com/security/cve/cve-2018-3639.
If you are running oVirt on CentOS Linux please apply updated described by:
CESA-2018:1629 Important CentOS 7 kernel Security Update
<https://lists.centos.org/pipermail/centos-announce/2018-May/022843.html>
CESA-2018:1632 Important CentOS 7 libvirt Security Update
<https://lists.centos.org/pipermail/centos-announce/2018-May/022840.html>
CESA-2018:1649 Important CentOS 7 java-1.8.0-openjdk Security Update
<https://lists.centos.org/pipermail/centos-announce/2018-May/022839.html>
CESA-2018:1648 Important CentOS 7 java-1.7.0-openjdk Security Update
<https://lists.centos.org/pipermail/centos-announce/2018-May/022838.html>
An update for qemu-kvm-ev has been also tagged for release and announced
with
CESA-2018:1655 Important: qemu-kvm-ev security update
<https://lists.centos.org/pipermail/centos-virt/2018-May/005804.html>
but due to some issues in CentOS release process for Virt SIG content, it
is not yet available on mirrors.
We are working with CentOS community to get the packages signed and
published as soon as possible.
In the meanwhile you can still get the update package by enabling the test
repository https://buildlogs.centos.org/centos/7/virt/x86_64/kvm-common/
on your systems or manually installing the package from the repository.
If you're running oVirt on a different Linux distribution, please check
with your vendor for available updates.
Please note that to fully mitigate this vulnerability, system
administrators must apply both hardware “microcode” updates and software
patches that enable new functionality.
At this time, microprocessor microcode will be delivered by the individual
manufacturers.
Update: oVirt Node 4.2.3 image RPM has been refreshed, rebased on CentOS
7.5 with above mentioned CVE fixes.
An updated ISO has also been composed for new host installation.
Reference tracking bug: *Bug 1578909*
<https://bugzilla.redhat.com/show_bug.cgi?id=1578909> - oVirt Node 4.2.3
respin needed including CVE fixes
Thanks.
The oVirt team recommends end users and systems administrator to
apply any
available updates as soon as practical.
Thanks,
--
SANDRO BONAZZOLA
ASSOCIATE MANAGER, SOFTWARE ENGINEERING, EMEA ENG VIRTUALIZATION R&D
Red Hat EMEA <https://www.redhat.com/>
sbonazzo(a)redhat.com
<https://red.ht/sig>
<https://redhat.com/summit>
--
SANDRO BONAZZOLA
ASSOCIATE MANAGER, SOFTWARE ENGINEERING, EMEA ENG VIRTUALIZATION R&D
Red Hat EMEA <https://www.redhat.com/>
sbonazzo(a)redhat.com
<https://red.ht/sig>
<https://redhat.com/summit>