Red Hat Local Security Checks : RedHat Update for spice-server RHSA-2016:1204-01

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.871628

Categoría: Red Hat Local Security Checks

Título: RedHat Update for spice-server RHSA-2016:1204-01

Resumen: The remote host is missing an update for the 'spice-server'; package(s) announced via the referenced advisory.

Descripción: Summary:
The remote host is missing an update for the 'spice-server'
package(s) announced via the referenced advisory.

Vulnerability Insight:
The Simple Protocol for Independent
Computing Environments (SPICE) is a remote display protocol for virtual environments.
SPICE users can access a virtualized desktop or server from the local system or any
system with network access to the server. SPICE is used in Red Hat Enterprise Linux
for viewing virtualized guests running on the Kernel-based Virtual Machine
(KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors.

Security Fix(es):

* A memory allocation flaw, leading to a heap-based buffer overflow, was
found in spice's smartcard interaction, which runs under the QEMU-KVM
context on the host. A user connecting to a guest VM using spice could
potentially use this flaw to crash the QEMU-KVM process or execute
arbitrary code with the privileges of the host's QEMU-KVM process.
(CVE-2016-0749)

* A memory access flaw was found in the way spice handled certain guests
using crafted primary surface parameters. A user in a guest could use this
flaw to read from and write to arbitrary memory locations on the host.
(CVE-2016-2150)

The CVE-2016-0749 issue was discovered by Jing Zhao (Red Hat) and the
CVE-2016-2150 issue was discovered by Frediano Ziglio (Red Hat).

Affected Software/OS:
spice-server on Red Hat Enterprise Linux Desktop (v. 6),
Red Hat Enterprise Linux Server (v. 6),
Red Hat Enterprise Linux Workstation (v. 6)

Solution:
Please Install the Updated Packages.

CVSS Score:
10.0

CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2016-0749
DSA-3596
http://www.debian.org/security/2016/dsa-3596
GLSA-201606-05
https://security.gentoo.org/glsa/201606-05
RHSA-2016:1204
https://access.redhat.com/errata/RHSA-2016:1204
RHSA-2016:1205
https://access.redhat.com/errata/RHSA-2016:1205
USN-3014-1
http://www.ubuntu.com/usn/USN-3014-1
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
openSUSE-SU-2016:1725
http://lists.opensuse.org/opensuse-updates/2016-07/msg00003.html
openSUSE-SU-2016:1726
http://lists.opensuse.org/opensuse-updates/2016-07/msg00004.html
Common Vulnerability Exposure (CVE) ID: CVE-2016-2150
https://bugzilla.redhat.com/show_bug.cgi?id=1313496

Copyright Copyright (C) 2016 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.871628
Categoría:	Red Hat Local Security Checks
Título:	RedHat Update for spice-server RHSA-2016:1204-01
Resumen:	The remote host is missing an update for the 'spice-server'; package(s) announced via the referenced advisory.
Descripción:	Summary: The remote host is missing an update for the 'spice-server' package(s) announced via the referenced advisory. Vulnerability Insight: The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors. Security Fix(es): * A memory allocation flaw, leading to a heap-based buffer overflow, was found in spice's smartcard interaction, which runs under the QEMU-KVM context on the host. A user connecting to a guest VM using spice could potentially use this flaw to crash the QEMU-KVM process or execute arbitrary code with the privileges of the host's QEMU-KVM process. (CVE-2016-0749) * A memory access flaw was found in the way spice handled certain guests using crafted primary surface parameters. A user in a guest could use this flaw to read from and write to arbitrary memory locations on the host. (CVE-2016-2150) The CVE-2016-0749 issue was discovered by Jing Zhao (Red Hat) and the CVE-2016-2150 issue was discovered by Frediano Ziglio (Red Hat). Affected Software/OS: spice-server on Red Hat Enterprise Linux Desktop (v. 6), Red Hat Enterprise Linux Server (v. 6), Red Hat Enterprise Linux Workstation (v. 6) Solution: Please Install the Updated Packages. CVSS Score: 10.0 CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2016-0749 DSA-3596 http://www.debian.org/security/2016/dsa-3596 GLSA-201606-05 https://security.gentoo.org/glsa/201606-05 RHSA-2016:1204 https://access.redhat.com/errata/RHSA-2016:1204 RHSA-2016:1205 https://access.redhat.com/errata/RHSA-2016:1205 USN-3014-1 http://www.ubuntu.com/usn/USN-3014-1 http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html openSUSE-SU-2016:1725 http://lists.opensuse.org/opensuse-updates/2016-07/msg00003.html openSUSE-SU-2016:1726 http://lists.opensuse.org/opensuse-updates/2016-07/msg00004.html Common Vulnerability Exposure (CVE) ID: CVE-2016-2150 https://bugzilla.redhat.com/show_bug.cgi?id=1313496
Copyright	Copyright (C) 2016 Greenbone AG