[ovirt-users] Are Ovirt updates necessary after CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

Sandro Bonazzola sbonazzo at redhat.com
Thu Jan 4 21:16:30 UTC 2018


2018-01-04 17:21 GMT+01:00 Yaniv Kaul <ykaul at redhat.com>:

>
>
> On Thu, Jan 4, 2018 at 12:31 PM, Barak Korren <bkorren at redhat.com> wrote:
>
>> On 4 January 2018 at 09:24, Marcel Hanke <marcel.hanke at 1und1.de> wrote:
>> > Hi,
>> > besides the kernel and microcode updates are there also updates of
>> > ovirt-engine and vdsm necessary and if so, is there a timeline when the
>> > patches can be expected?
>> > If there are patches necessary will there also be updates for ovirt 4.1 or
>> > only 4.2?
>>
>> Looking at the relevant Red Hat announcement:
>> https://access.redhat.com/security/vulnerabilities/speculativeexecution
>>
>> It seems that no packages that are derived directly from oVirt were
>> updated.
>> You can see qemu-kvm-rhev there, which is qemu-kvm-ev in CentOS -
>> that used to be distributed by oVirt, but these days it is shipped as
>> part of the CentOS VirtSIG repo.
>>
>> AFAIK none of those components were released on CentOS yet, so if
>> you're running oVirt on CentOS you'll need to wait.
>>
>
> CentOS kernel, microcode_ctl and linux-firmware have been released.
> See [1] for example. I'm sure others will follow.
> Y.
>
> [1] https://lists.centos.org/pipermail/centos-announce/2018-January/022696.html
>
>

qemu-kvm-ev has also been tagged for release, will be in the next batch or
earlier if I can find kbsing to manually push it.





>
>> I suppose oVirt packages and install scripts will be updated over the
>> next few days to require the newer packages, but you do not need to
>> wait for those updates to patch your systems, you can probably patch
>> as soon as the updates are made available.
>>
>> Once updates are available, a new node and engine-appliance images
>> will probably also be built and released.
>>
>> Please note that the above is mostly a rough estimate based on my
>> familiarity with the processes involved, I am not directly affiliated
>> with any of the teams handling the response to these CVEs.
>>
>> --
>> Barak Korren
>> RHV DevOps team , RHCE, RHCi
>> Red Hat EMEA
>> redhat.com | TRIED. TESTED. TRUSTED. | redhat.com/trusted
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>
>
>
>


-- 

SANDRO BONAZZOLA

ASSOCIATE MANAGER, SOFTWARE ENGINEERING, EMEA ENG VIRTUALIZATION R&D

Red Hat EMEA <https://www.redhat.com/>
<https://red.ht/sig>
TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>