[ovirt-users] Are Ovirt updates necessary after CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

Michal Skrivanek michal.skrivanek at redhat.com
Thu Jan 4 21:28:53 UTC 2018



> On 4 Jan 2018, at 22:16, Sandro Bonazzola <sbonazzo at redhat.com> wrote:
> 
> 
> 
> 2018-01-04 17:21 GMT+01:00 Yaniv Kaul <ykaul at redhat.com>:
> 
> 
> On Thu, Jan 4, 2018 at 12:31 PM, Barak Korren <bkorren at redhat.com> wrote:
> On 4 January 2018 at 09:24, Marcel Hanke <marcel.hanke at 1und1.de> wrote:
> > Hi,
> > besides the kernel and microcode updates are there also updates of
> > ovirt-engine and vdsm necessary and if so, is there a timeline when the
> > patches can be expected?

yes there are
right after the base OS is completely covered

> > If there are patches necessary will there also be updates for ovirt 4.1 or
> > only 4.2?

4.1 will be covered

> 
> Looking at the relevant Red Hat announcement:
> https://access.redhat.com/security/vulnerabilities/speculativeexecution
> 
> It seems that no packages that are derived directly from oVirt were updated.

they are, the page is updating as it progresses

> You can see qemu-kvm-rhev there, which is qemu-kvm-ev in CentOS -
> that used to be distributed by oVirt, but these days it is shipped as
> part of the CentOS VirtSIG repo.
> 
> AFAIK none of those components were released on CentOS yet, so if
> you're running oVirt on CentOS you'll need to wait.
> 
> CentOS kernel, microcode_ctl and linux-firmware have been released.
> See [1] for example. I'm sure others will follow.
> Y.
> 
> [1] https://lists.centos.org/pipermail/centos-announce/2018-January/022696.html
>  
> 
> qemu-kvm-ev has also been tagged for release, will be in next batch or earlier if I can find kbsing to manually push it.
> 
> 
> 
>  
> 
> I suppose oVirt packages and install scripts will be updated over the
> next few days to require the newer packages, but you do not need to
> wait for those updates to patch your systems, you can probably patch
> as soon as the updates are made available.

I suggest to start with the kernel
But please do read up on the various variants and mitigations. You may not necessarily need all of them
Also, you may lack the right firmware/microcode updates from your CPU vendor at the moment. Red Hat's microcode package only contains those which were released by Intel/AMD so far.

Thanks,
michal

> 
> Once updates are available, a new node and engine-appliance images
> will probably also be built and released.
> 
> Please note that the above is mostly a rough estimate based on my
> familiarity with the processes involved, I am not directly affiliated
> with any of the teams handling the response to these CVEs.
> 
> --
> Barak Korren
> RHV DevOps team , RHCE, RHCi
> Red Hat EMEA
> 
> -- 
> SANDRO BONAZZOLA
> ASSOCIATE MANAGER, SOFTWARE ENGINEERING, EMEA ENG VIRTUALIZATION R&D
> Red Hat EMEA
