An updated rhev-hypervisor6 package that fixes one security issue is now available. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent.
Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions.
An information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server could send a specially crafted TLS or DTLS Heartbeat packet to disclose a limited portion of memory per request from a connected client or server. Note that the disclosed portions of memory could potentially include sensitive information such as private keys. (CVE-2014-0160)
Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Neel Mehta of Google Security as the original reporter.
Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which corrects this issue.
1084875 – CVE-2014-0160 openssl: information disclosure in handling of TLS heartbeat extension packets
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from: