oVirt Node 4.2.3 was released before CentOS 7.5. With the CentOS 7.5 release (https://lists.centos.org/pipermail/centos-announce/2018-May/022829.html) several CVEs have been fixed, including the last disclosed one: CESA-2018:1453 Critical CentOS 7 dhcp Security Update (https://lists.centos.org/pipermail/centos-announce/2018-May/022831.html). We should respin oVirt Node and ship it as an async update to 4.2.3.
There are 45 packages being built right now, including the first batch update of RHEL 7.5. It is worth waiting for them as well.
Still waiting for CentOS builds to finish.
Any chance the new version will include a fix for this? https://bugzilla.redhat.com/show_bug.cgi?id=1496517
(In reply to Rob Sanders from comment #3)
> Any chance the new version will include a fix for this?
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1496517
Yes, it should include that fix too, since the libvirt package with the fix is already in CentOS 7.5.
Awesome, thanks!
qemu-kvm-ev with latest CVE fixes finally landed on mirror.centos.org. Build is in progress: https://jenkins.ovirt.org/job/ovirt-node-ng_ovirt-4.2_build-artifacts-el7-x86_64/282/
(In reply to Sandro Bonazzola from comment #6)
> qemu-kvm-ev with latest CVE fixes finally landed on mirror.centos.org.
> Build is in progress:
> https://jenkins.ovirt.org/job/ovirt-node-ng_ovirt-4.2_build-artifacts-el7-x86_64/282/
Correction, the job is https://jenkins.ovirt.org/job/ovirt-node-ng_ovirt-4.2_build-artifacts-el7-x86_64/283/
RPM for updating existing installations pushed to release server, pending an ISO.
ISO building here: https://jenkins.ovirt.org/job/ovirt-node-ng_ovirt-4.2_build-artifacts-el7-x86_64/284/
Test version:
ovirt-node-ng-installer-ovirt-4.2-2018052421.iso
imgbased-1.0.15-1.el7.centos.noarch
kernel-3.10.0-862.3.2.el7.x86_64
libvirt-client-3.9.0-14.el7_5.5.x86_64
libvirt-daemon-3.9.0-14.el7_5.5.x86_64
qemu-kvm-ev-2.10.0-21.el7_5.3.1.x86_64
Test result: oVirt Node 4.2.3 includes the correct kernel and libvirt CVE version.
@Sandro, for the qemu-kvm-ev package, is this the expected CVE fix version?
# rpm -qa| grep qemu-kvm
qemu-kvm-ev-2.10.0-21.el7_5.3.1.x86_64
qemu-kvm-common-ev-2.10.0-21.el7_5.3.1.x86_64
Thanks.
(In reply to cshao from comment #9)
> @Sandro,
> For the qemu-kvm-ev package, is this the expected CVE fix version?
>
> # rpm -qa| grep qemu-kvm
> qemu-kvm-ev-2.10.0-21.el7_5.3.1.x86_64
> qemu-kvm-common-ev-2.10.0-21.el7_5.3.1.x86_64
Yes, here's the changelog:
* Mon May 21 2018 Sandro Bonazzola <sbonazzo> - ev-2.10.0-21.el7_5.3.1
- Removing RH branding from package name
* Fri May 11 2018 Miroslav Rezanina <mrezanin> - 2.10.0-21.el7_5.3
- kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch [bz#1574214]
- Resolves: bz#1574214 (EMBARGOED CVE-2018-3639 qemu-kvm: Kernel: omega-4 [rhel-7.5.z])
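The check made in the comment above (does the installed qemu-kvm-ev build carry the CVE-2018-3639 patch?) can be scripted against `rpm -q --changelog` output. This is an added example, not part of the original thread or of oVirt tooling; the function names are hypothetical and the changelog text is the one quoted above with line breaks restored.

```python
import re

# Changelog as quoted in the comment above, with its line breaks restored.
# On a node, `rpm -q --changelog qemu-kvm-ev` prints text in this format.
CHANGELOG = """\
* Mon May 21 2018 Sandro Bonazzola <sbonazzo> - ev-2.10.0-21.el7_5.3.1
- Removing RH branding from package name
* Fri May 11 2018 Miroslav Rezanina <mrezanin> - 2.10.0-21.el7_5.3
- kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch [bz#1574214]
- Resolves: bz#1574214 (EMBARGOED CVE-2018-3639 qemu-kvm: Kernel: omega-4 [rhel-7.5.z])
"""

# Entry header: "* <weekday> <month> <day> <year> <author> - <version-release>"
HEADER = re.compile(
    r"^\* (?P<date>\w{3} \w{3} +\d{1,2} \d{4}) (?P<author>.+?) - (?P<evr>\S+)\s*$"
)
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text):
    """Return changelog entries, newest first, each with the CVE ids it mentions."""
    entries = []
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            entries.append({**header.groupdict(), "cves": set()})
        elif entries:  # body line: belongs to the most recent header
            entries[-1]["cves"].update(CVE_ID.findall(line))
    return entries


def fixed_in(entries, cve):
    """Version-release of the oldest entry mentioning `cve`, or None if absent."""
    hits = [e["evr"] for e in entries if cve in e["cves"]]
    return hits[-1] if hits else None


def installed_has_fix(installed, entries, cve):
    """True when the changelog's newest entry is the installed build
    (name-version-release.arch) and some entry in it mentions `cve`."""
    if not entries or fixed_in(entries, cve) is None:
        return False
    nvr = installed.rsplit(".", 1)[0]  # drop the trailing architecture
    return nvr.endswith(entries[0]["evr"])


if __name__ == "__main__":
    log = parse_changelog(CHANGELOG)
    print(fixed_in(log, "CVE-2018-3639"))
    print(installed_has_fix("qemu-kvm-ev-2.10.0-21.el7_5.3.1.x86_64", log, "CVE-2018-3639"))
```

Matching the newest changelog entry against the installed name-version-release guards against reading a changelog copied from a different build than the one on the node.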
(In reply to Sandro Bonazzola from comment #8)
> ISO building here:
> https://jenkins.ovirt.org/job/ovirt-node-ng_ovirt-4.2_build-artifacts-el7-x86_64/284/
ISO build failed due to infra issue.
Rebuilding: https://jenkins.ovirt.org/job/ovirt-node-ng_ovirt-4.2_build-artifacts-el7-x86_64/285/
Builds pushed to release server, will be on mirrors shortly.
(In reply to Sandro Bonazzola from comment #11)
> (In reply to Sandro Bonazzola from comment #8)
> > ISO building here:
> > https://jenkins.ovirt.org/job/ovirt-node-ng_ovirt-4.2_build-artifacts-el7-x86_64/284/
>
> ISO build failed due to infra issue.
> Rebuilding: https://jenkins.ovirt.org/job/ovirt-node-ng_ovirt-4.2_build-artifacts-el7-x86_64/285/
Test version:
ovirt-node-ng-installer-ovirt-4.2-2018052506.iso
imgbased-1.0.15-1.el7.centos.noarch
kernel-3.10.0-862.3.2.el7.x86_64
libvirt-client-3.9.0-14.el7_5.5.x86_64
libvirt-daemon-3.9.0-14.el7_5.5.x86_64
qemu-kvm-ev-2.10.0-21.el7_5.3.1.x86_64
Test result: oVirt Node 4.2.3 includes the correct kernel & qemu-kvm-ev and libvirt CVE version.