SUSE-SU-2022:3321-1
See a problem?- Import Source
- https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2022:3321-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/SUSE-SU-2022:3321-1
- Related
- Published
- 2022-09-20T15:19:24Z
- Modified
- 2022-09-20T15:19:24Z
- Summary
- Security update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container
- Details
-
This update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container fixes the following issues:
Security issues fixed:
- CVE-2022-1798: Fix arbitrary file read on the host from KubeVirt VMs (bsc#1202516)
Security issues fixed in vendored dependencies:
- CVE-2022-1996: Fixed go-restful CORS bypass (bsc#1200528)
- CVE-2022-29162: Fixed runc incorrect handling of inheritable capabilities in default configuration (bsc#1199460)
Other fixes:
- Pack nft rules and nsswitch.conf for virt-handler
- Only create 1MiB-aligned disk images (bsc#1199603)
- Avoid to return nil failure message
- Use semantic equality comparison
- Allow to configure utility containers for update test
- Install nftables to manage network rules
- Install tar to allow kubectl cp ...
- Symlink nsswitch.conf and nft rules to proper locations
- Enable USB redirection support for QEMU
- Install vim-small instread of vim
- Drop libvirt-daemon-driver-storage-core
- Install ethtool and gawk (bsc#1199392)
- Use non-versioned appliance to avoid redundant rpm query
- Explicitly state the dependency on kubevirt main package
- References
-
- https://www.suse.com/support/update/announcement/2022/suse-su-20223321-1/
- https://bugzilla.suse.com/1199392
- https://bugzilla.suse.com/1199460
- https://bugzilla.suse.com/1199603
- https://bugzilla.suse.com/1200528
- https://bugzilla.suse.com/1202516
- https://www.suse.com/security/cve/CVE-2022-1798
- https://www.suse.com/security/cve/CVE-2022-1996
- https://www.suse.com/security/cve/CVE-2022-29162
Affected packages
SUSE:Linux Enterprise Module for Containers 15 SP3 / kubevirt
Package
- Name
- kubevirt
- Purl
- purl:rpm/suse/kubevirt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP3
openSUSE:Leap 15.3 / kubevirt
Package
- Name
- kubevirt
- Purl
- purl:rpm/suse/kubevirt&distro=openSUSE%20Leap%2015.3
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.49.0-150300.8.13.1
Ecosystem specific
{
"binaries": [
{
"kubevirt-virt-controller": "0.49.0-150300.8.13.1",
"kubevirt-virt-handler": "0.49.0-150300.8.13.1",
"kubevirt-virt-api": "0.49.0-150300.8.13.1",
"kubevirt-tests": "0.49.0-150300.8.13.1",
"kubevirt-virt-launcher": "0.49.0-150300.8.13.1",
"kubevirt-virt-operator": "0.49.0-150300.8.13.1",
"obs-service-kubevirt_containers_meta": "0.49.0-150300.8.13.1",
"kubevirt-manifests": "0.49.0-150300.8.13.1",
"kubevirt-virtctl": "0.49.0-150300.8.13.1",
"kubevirt-container-disk": "0.49.0-150300.8.13.1"
}
]
}