RHSA-2021:1186: Moderate: RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.5] 0-day security, bug fix, enhance

The ovirt-engine package provides the manager for virtualization environments.<br>This manager enables admins to define hosts and networks, as well as to add<br>storage, create VMs and manage user permissions.<br>Bug Fix(es):<br><li> Previously, saving user preferences in the Red Hat Virtualization Manager required the MANIPULATEUSERS permission level. As a result, user preferences were not saved on the server.</li> In this release, the required permission level for saving user preferences was changed to EDITPROFILE, which is the permission level assigned by default to all users. As a result, saving user preferences works as expected. (BZ#1920539)<br>A list of bugs fixed in this update is available in the Technical Notes<br>book:<br><a href="https://access.redhat.com/documentation/en-us/redhatvirtualization/4.4/html-single/technicalnotes" target="blank">https://access.redhat.com/documentation/en-us/redhatvirtualization/4.4/html-single/technicalnotes</a> Security Fix(es):<br><li> nodejs-bootstrap-select: not escaping title values on &lt;option&gt; may lead to XSS (CVE-2019-20921)</li> <li> datatables.net: prototype pollution if 'constructor' were used in a data property name (CVE-2020-28458)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.