[ovirt-users] Are Ovirt updates necessary after CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

Barak Korren bkorren at redhat.com
Thu Jan 4 10:31:00 UTC 2018


On 4 January 2018 at 09:24, Marcel Hanke <marcel.hanke at 1und1.de> wrote:
> Hi,
> besides the kernel and microcode updates are there also updates of
> ovirt-engine and vdsm necessary and if so, is there a timeline when the
> patches can be expected?
> If there are patches necessary will there also be updates for ovirt 4.1 or
> only 4.2?

Looking at the relevant Red Hat announcement:
https://access.redhat.com/security/vulnerabilities/speculativeexecution

It seems that no packages that are derived directly from oVirt were updated.
You can see qemu-kvm-rhev there, which is qemu-kvm-ev in CentOS -
that used to be distributed by oVirt, but these days it is shipped as
part of the CentOS VirtSIG repo.

AFAIK none of those components were released on CentOS yet, so if
you're running oVirt on CentOS you'll need to wait.

I suppose oVirt packages and install scripts will be updated over the
next few days to require the newer packages, but you do not need to
wait for those updates to patch your systems, you can probably patch
as soon as the updates are made available.

Once updates are available, new node and engine-appliance images
will probably also be built and released.

Please note that the above is mostly a rough estimate based on my
familiarity with the processes involved; I am not directly affiliated
with any of the teams handling the response to these CVEs.

-- 
Barak Korren
RHV DevOps team , RHCE, RHCi
Red Hat EMEA
redhat.com | TRIED. TESTED. TRUSTED. | redhat.com/trusted

