Commit 2c3a538e authored by Lev Lamberov

[SECURITY] [DSA 4469-1] libvirt security update

parent ff5b9742
<define-tag pagetitle>DSA-4469-1 libvirt</define-tag>
<define-tag report_date>2019-6-22</define-tag>
<define-tag secrefs>CVE-2019-10161 CVE-2019-10167</define-tag>
<define-tag packages>libvirt</define-tag>
<define-tag isvulnerable>yes</define-tag>
<define-tag fixed>yes</define-tag>
<define-tag fixed-section>no</define-tag>
#use wml::debian::security
<define-tag description>security update</define-tag>
<define-tag moreinfo>
<p>Two vulnerabilities were discovered in Libvirt, a virtualisation
abstraction library, allowing an API client with read-only permissions
to execute arbitrary commands via the virConnectGetDomainCapabilities
API, or read or execute arbitrary files via the
virDomainSaveImageGetXMLDesc API.</p>
<p>Additionally the libvirt's cpu map was updated to make addressing
<a href="">\
CVE-2018-3639</a>, <a href="">\
CVE-2017-5753</a>, <a href="">\
CVE-2017-5715</a>, <a href="">\
CVE-2018-12126</a>, <a href="">\
CVE-2018-12127</a>, <a href="">\
CVE-2018-12130</a> and <a href="">\
CVE-2019-11091</a> easier by supporting the md-clear, ssbd, spec-ctrl
and ibpb CPU features when picking CPU models without having to fall
back to host-passthrough.</p>
<p>For the stable distribution (stretch), these problems have been fixed in
version 3.0.0-4+deb9u4.</p>
<p>We recommend that you upgrade your libvirt packages.</p>
<p>For the detailed security status of libvirt please refer to its security
tracker page at:
<a href="">\</a></p>
# do not modify the following line
#include "$(ENGLISHDIR)/security/2019/"
# $Id: $
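Review bot: The first paragraph of moreinfo describes two separate flaws (command execution via virConnectGetDomainCapabilities, file read/execute via virDomainSaveImageGetXMLDesc) but never says which of the two ids in secrefs belongs to which API, so a reader triaging by CVE has to look it up elsewhere. Consider naming the CVE id next to each API in that sentence. Two smaller points: "Additionally the libvirt's cpu map" would read better as "Additionally, libvirt's CPU map", and as shown here every <a href=""> in the second paragraph and the security tracker link has an empty target (the tracker anchor also has no link text), so it is worth confirming the URLs are present in the committed file.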