Bug 1944075 (CVE-2021-20295) - CVE-2021-20295 QEMU: Regression of CVE-2020-10756 fix in virt:rhel/qemu-kvm in Red Hat Enterprise Linux 8.3
Status: CLOSED ERRATA
Alias: CVE-2021-20295
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1939493
Blocks: 1944074 1944081
Reported: 2021-03-29 08:55 UTC by Mauro Matteo Cascella
Modified: 2022-03-31 09:45 UTC (History)

Fixed In Version: qemu-kvm 4.2.0-34
Doc Text:
It was discovered that the update for the virt:rhel module in the RHSA-2020:4676 (https://access.redhat.com/errata/RHSA-2020:4676) erratum released as part of Red Hat Enterprise Linux 8.3 failed to include the fix for the qemu-kvm component issue CVE-2020-10756, which was previously corrected in virt:rhel/qemu-kvm via erratum RHSA-2020:4059 (https://access.redhat.com/errata/RHSA-2020:4059). CVE-2021-20295 was assigned to that Red Hat-specific security regression. For more details about the original security issue CVE-2020-10756, refer to bug 1835986 or the CVE page: https://access.redhat.com/security/cve/CVE-2020-10756.
Last Closed: 2021-04-05 17:35:22 UTC



Description Mauro Matteo Cascella 2021-03-29 08:55:29 UTC
It was discovered that the update for the virt:rhel module in the RHSA-2020:4676 (https://access.redhat.com/errata/RHSA-2020:4676) erratum released as part of Red Hat Enterprise Linux 8.3 failed to include the fix for the qemu-kvm component issue CVE-2020-10756, which was previously corrected in virt:rhel/qemu-kvm via erratum RHSA-2020:4059 (https://access.redhat.com/errata/RHSA-2020:4059). CVE-2021-20295 was assigned to that Red Hat-specific security regression.

For more details about the original security issue CVE-2020-10756, refer to bug 1835986 or the CVE page: https://access.redhat.com/security/cve/CVE-2020-10756.

Comment 3 Mauro Matteo Cascella 2021-03-29 09:57:11 UTC
Statement:

This issue affects the versions of `qemu-kvm` as shipped with the Red Hat Enterprise Linux 8.3 release. The fix for the original CVE-2020-10756 issue was not included in the 8.3 release, leading to a security regression.

Comment 5 Mauro Matteo Cascella 2021-03-29 13:38:15 UTC
External References:

https://access.redhat.com/security/cve/CVE-2020-10756

Comment 6 errata-xmlrpc 2021-04-05 16:49:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1064 https://access.redhat.com/errata/RHSA-2021:1064
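
An added check, not part of this bug report or of Red Hat's tooling, that decides whether an installed qemu-kvm version-release is at or above the Fixed In Version 4.2.0-34 and therefore carries the RHSA-2021:1064 fix. It assumes a Python re-implementation of rpm's segment ordering (the '^' marker is left out), ignores the epoch because the Fixed In Version above states none, and the qemu-kvm release strings used to exercise it are constructed.

```python
import re

# "Fixed In Version" from this bug: no epoch is stated, so the epoch is ignored below.
FIXED_VR = "4.2.0-34"

# Tokens rpm compares: digit runs, letter runs and the pre-release marker '~'
# (the '^' post-release marker is left out here; separators are skipped).
_TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Re-implementation (assumption) of rpm's segment ordering: -1, 0 or 1."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    while ta or tb:
        # '~' sorts before anything else, even the end of the string
        if (ta and ta[0] == "~") or (tb and tb[0] == "~"):
            if not ta or ta[0] != "~":
                return 1
            if not tb or tb[0] != "~":
                return -1
            del ta[0], tb[0]
            continue
        if not ta or not tb:
            break
        sa, sb = ta.pop(0), tb.pop(0)
        isnum = sa[0].isdigit()
        if isnum != sb[0].isdigit():
            return 1 if isnum else -1  # a numeric segment outranks an alphabetic one
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if not ta and not tb:
        return 0
    return 1 if ta else -1  # leftover segments mean the longer string is newer


def split_vr(vr: str):
    """'[epoch:]version-release' -> (version, release); the epoch is dropped."""
    version, _, release = vr.split(":", 1)[-1].partition("-")
    return version, release


def is_fixed(installed_vr: str, fixed_vr: str = FIXED_VR) -> bool:
    """True when an installed qemu-kvm version-release is at or above the fix."""
    iv, ir = split_vr(installed_vr)
    fv, fr = split_vr(fixed_vr)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0
```

Feed `is_fixed()` the output of `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' qemu-kvm` from the host being assessed; a release carrying a '~' pre-release suffix is correctly ranked below the plain fixed release.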

Comment 7 Product Security DevOps Team 2021-04-05 17:35:22 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20295
