[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 1832-1] libvirt security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : libvirt
Version        : 1.2.9-9+deb8u7
CVE IDs        : CVE-2019-10161 CVE-2019-10167

Two vulnerabilities were discovered in libvirt, an abstraction API
for different underlying virtualisation mechanisms provided by the
kernel, etc.

* CVE-2019-10161: Prevent an vulnerability where readonly clients
  could use the API to specify an arbitrary path which would be
  accessed with the permissions of the libvirtd process. An attacker
  with access to the libvirtd socket could use this to probe the
  existence of arbitrary files, cause a denial of service or
  otherwise cause libvirtd to execute arbitrary programs.

* CVE-2019-10167: Prevent an arbitrary code execution vulnerability
  via the API where a user-specified binary used to probe the
  domain's capabilities.  read-only clients could specify an
  arbitrary path for this argument, causing libvirtd to execute a
  crafted executable with its own privileges.

For Debian 8 "Jessie", these issues have been fixed in libvirt
version 1.2.9-9+deb8u7.

We recommend that you upgrade your libvirt packages.


Regards,

- -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl0RI8EACgkQHpU+J9Qx
Hlg5NxAAl/BhcqB/Iuims+QuzwKMI/8KY75jXEEwTG5X7hQYyHgTQosYchRxV3ga
qJz1oIEzzP3TeaQYRP3hNSNZtppfb1fAKXoHnDBWIt8eN5sLMD+UqRE3r5VwqTBT
cepOdnjSB3bGvEaWavSJIDDi98++oXBBb9MS8ZD+I/HSooheGO8Q0qSQSnF2m0FC
1V4GBMlgroRyQXAXxK4OB+Dgp1KVhXEsZNSBUHGc/ctSayZyBay1Kle0UbRQukHP
mjS4NkuCrU6f36V26Y/tcay4EDOB4RcS628gTSO2yy+k68OzjlzC2IVIUW39iUuF
jZw4ceeH6u1R/SxOf8xYwR/oXaB+fa8yocvScTodOeN/hEIn2SkT9ewCP53lSkww
pZu5WyOGAmHT0XbvHkbeI5ZHS1tS/p7QzX3FTC5gDWV2jHF3eMjDYHwHA3Zxh4x9
PjiSOp1SDgLRSjKOWUojOGJLswoLzGjU3ighNrZzPHKqUDMs9xQtMIiJAxwWBcNO
jRjLZLAfePtr+f/KbSTD3eJ6Xc/6s6ioLbhsOJWxaGfkyvovcS2owmkSjDqoCLiq
nFTJtAvCSltg4yMleKhwNmIoUuV+VIliYCST46Iic6SBziSEjfjn9Htf+81smKEp
Xhtufm6KHLqfJi7iiLgnY+jgoG+VnhcYsY59hxh6fsjEpn/+L8s=
=2mv1
-----END PGP SIGNATURE-----


Reply to: