Critical product update: Virtuozzo Automator 7.0 Update 2 Hotfix 6 (VA MN: 7.0.2-612, VA Agent: 7.0.2-326)¶
Issue date: 2018-10-03
Applies to: Virtuozzo Automator 7.0
Virtuozzo Advisory ID: VZA-2018-073
1. Overview¶
This hotfix for Virtuozzo Automator 7.0.2 provides security and stability fixes.
2. Security Fixes¶
[Critical] The software did not neutralize or incorrectly neutralized user-controllable input before it was placed in output that was used as a web page that was served to other users. (CWE-79, PVA-37373)
[Critical] The software did not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. (CWE-269, PVA-37374)
3. Bug Fixes¶
Removed Management Node license. (PVA-37155)
Restart was required to use VE backups after upgrade of Virtuozzo 7 hardware node. (PVA-37083)
Defaults were always shown for I/O settings on VM’s general settings screen. (PVA-37349)
Defaults were always shown for the host startup and shutdown settings on VM’s general settings screen. (PVA-37350)
4. Installing the Update¶
Update VA MN by running ‘yum groupupdate “VA Management Node” “VA Control Center”’. Update VA Agent by running ‘yum groupupdate “VA Agent”’ on each Virtuozzo node. To remove Virtuozzo license functionality from the machine where VA Management Node is installed, delete the responsible packages with ‘yum remove libvzlic vzlicutils’.
The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-073.json.