安全公告详情

NS-SA-2019-0176

2019-08-29 16:18:52

简介

moderate: qemu-kvm/openssl security update

严重级别

moderate

主题

An update for qemu-kvm/openssl is now available for NewStart CGSL MAIN 4.06.
NewStart Security has rated this update as having a security impact of moderate. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

qemu-kvm: This package provides a qemu guest agent daemon to be running inside of linux guests to provide the guest information.
openssl: The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols.


Security Fix(es):
qemu-kvm: tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.(CVE-2019-9824)
qemu-kvm: bugfix
openssl: If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).(CVE-2019-1559)
openssl: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 4.06.F3.

影响组件

  • qemu-kvm
  • openssl

影响产品

  • CGSL MAIN 4.06

更新包

{"fix":[{"product":"CGSL MAIN 4.06","pkgs":[{"binary":["qemu-guest-agent-0.12.1.2-2.506.el6_10.4.x86_64.rpm","qemu-img-0.12.1.2-2.506.el6_10.4.x86_64.rpm","qemu-kvm-0.12.1.2-2.506.el6_10.4.x86_64.rpm","qemu-kvm-debuginfo-0.12.1.2-2.506.el6_10.4.x86_64.rpm","qemu-kvm-tools-0.12.1.2-2.506.el6_10.4.x86_64.rpm"],"source":"qemu-kvm-0.12.1.2-2.506.el6_10.4.src.rpm"},{"binary":["openssl-1.0.1e-58.el6_10.x86_64.rpm","openssl-debuginfo-1.0.1e-58.el6_10.x86_64.rpm","openssl-devel-1.0.1e-58.el6_10.x86_64.rpm","openssl-perl-1.0.1e-58.el6_10.x86_64.rpm","openssl-static-1.0.1e-58.el6_10.x86_64.rpm"],"source":"openssl-1.0.1e-58.el6_10.src.rpm"}]}]}

CVE

参考