| Summary: | libvirt new security issue CVE-2015-5160 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | All Packagers <pkg-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | mageia, marja11, mhrambo3501, thierry.vignaud, tmb |
| Version: | Cauldron | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/705568/ | | |
| Whiteboard: | | | |
| Source RPM: | libvirt-1.3.5-4.mga6.src.rpm | CVE: | CVE-2015-5160 |
| Status comment: | | | |
Description

David Walser 2016-11-04 15:56:25 CET

David Walser 2016-11-04 15:56:32 CET
    Whiteboard: (none) => MGA5TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package. However, tv touched it more than 70 times.... Thierry, are you the de facto maintainer?

    CC: (none) => marja11, thierry.vignaud

Nicolas Lécureuil 2017-04-27 14:00:17 CEST
    CVE: (none) => CVE-2015-5160

Would be simpler to update libvirt. Can we do this?

Given that we're not running a maintenance release in Cauldron currently, I see no reason we can't update it.

Update to 3.3.0 has been committed for cauldron (and a Freeze push request sent).

    CC: (none) => mrambo

Nicolas Lécureuil 2017-05-26 13:34:21 CEST
    Version: Cauldron => 5

I don't think we will fix CVE-2015-5160 for mga5 as it needs matching fixes in qemu, something that landed in qemu-2.6.0 (we have 2.4.1), and libvirt needs several fixes too for it to work... and given the fact as stated in https://bugzilla.redhat.com/show_bug.cgi?id=1245647#c2: "It has been public knowledge since 2011 that passing Ceph keys on the command line is undesirable: https://www.redhat.com/archives/libvir-list/2011-November/msg00853.html"

I agree with RHEL6: https://bugzilla.redhat.com/show_bug.cgi?id=1245647#c13 "Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates of Enterprise Linux 6."

And SUSE: https://bugzilla.suse.com/show_bug.cgi?id=939348#c10 "Upstream is aware of this limitation. Not fixable directly. Users should exercise caution regarding ceph IDs leaked on the command line and adjust their security posture accordingly."

    CC: (none) => tmb

Thomas' note comes at a good time. The mga5 update is not being nearly as cooperative as the cauldron update was. All but one of the mga5 patches either no longer apply or have already been applied upstream. Parts of the REVERT patch do not apply at present but might be made to do so; other parts are ok as they are. But even with all the patches removed I have not been able to get 3.3.0 to build on top of the mga5 package. It is failing (file not found) on something wireshark/proto.h/glib.h related but I haven't figured out exactly why. But I'm going to suspend the effort unless/until it is decided that the mga5 update does need to be done after all. Does that make this a Won't Fix?

I'm fine with WONTFIX here. We can still update qemu in Cauldron though.

Setting this bug to resolved. Cauldron libvirt has been updated and it has been decided not to fix mga5. Qemu has since been updated by tmb also.

    Status: NEW => RESOLVED

Well it can't be set to 5 and FIXED when we didn't fix it for 5. We can either go FIXED and Cauldron or WONTFIX and 5. Going with the former for now.

    Version: 5 => Cauldron
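Added example (not code from this bug, from Mageia, libvirt or qemu): a check for the leak that CVE-2015-5160 describes and that the comments above say mga5 users must live with. Pre-fix libvirt put the cephx key inside the rbd: file string of the qemu `-drive` option, so `/proc/<pid>/cmdline` and `ps` showed it to every local user. The qemu 2.6 form referenced above passes the key as a `-object secret,...` loaded from a file (or AES-encrypted under another secret via `keyid=`) and points the drive at it with `password-secret=`. The script flags both the old pattern and a plaintext `data=` secret object, and can walk /proc for running qemu processes. The two command lines, the drive/secret ids and the key material are constructed for the example.

```python
"""Find Ceph (cephx) keys readable from a QEMU command line.

Added example for CVE-2015-5160; not Mageia, libvirt or qemu code.
Sample command lines below are constructed, including the fake key.
"""
import os
from typing import Dict, List

# constructed: pre-fix libvirt style, key embedded in the rbd: filename
VULNERABLE_ARGV = [
    "qemu-system-x86_64", "-name", "guest1",
    "-drive", "file=rbd:rbd/guest1.img:id=libvirt:key=AQBdXVlZEXAMPLEKEYAAAA==:"
              "auth_supported=cephx:mon_host=10.0.0.1\\:6789,format=raw,"
              "if=none,id=drive-virtio-disk0",
]

# constructed: qemu >= 2.6 style, key read from a file by a secret object
FIXED_ARGV = [
    "qemu-system-x86_64", "-name", "guest1",
    "-object", "secret,id=drive-virtio-disk0-secret0,file=/etc/ceph/guest1.key",
    "-drive", "file=rbd:rbd/guest1.img:id=libvirt:auth_supported=cephx,"
              "password-secret=drive-virtio-disk0-secret0,format=raw,"
              "if=none,id=drive-virtio-disk0",
]


def split_qemu_opts(arg: str) -> List[str]:
    """Split a QEMU comma-separated option string; ',,' is a literal comma."""
    out, cur, i = [], [], 0
    while i < len(arg):
        if arg[i] == "," and i + 1 < len(arg) and arg[i + 1] == ",":
            cur.append(","); i += 2
        elif arg[i] == ",":
            out.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(arg[i]); i += 1
    out.append("".join(cur))
    return out


def opts_to_dict(arg: str) -> Dict[str, str]:
    """'a=1,b=2' -> {'a': '1', 'b': '2'}; a bare word maps to ''."""
    return dict(o.partition("=")[::2] for o in split_qemu_opts(arg))


def redact(secret: str) -> str:
    """Report a recognisable prefix only; never echo the whole key."""
    return secret[:4] + "..." if len(secret) > 4 else "****"


def find_exposed_ceph_keys(argv: List[str]) -> List[Dict[str, str]]:
    """One finding per key that any local user could read from the cmdline.

    rbd-key-in-filename:     -drive file=rbd:...:key=<cephx key>:...
    plaintext-secret-object: -object secret,...,data=<key> without keyid=
                             (data= is only safe when AES-wrapped via keyid=)
    """
    findings = []
    for flag, val in zip(argv, argv[1:]):
        if flag == "-drive":
            o = opts_to_dict(val)
            f = o.get("file", "")
            if not f.startswith("rbd:"):
                continue
            for part in f[4:].split(":"):   # rbd options are ':'-separated
                if part.startswith("key="):
                    findings.append({"type": "rbd-key-in-filename",
                                     "drive": o.get("id", "?"),
                                     "key": redact(part[4:])})
        elif flag == "-object" and val.startswith("secret,"):
            o = opts_to_dict(val)
            if "data" in o and "keyid" not in o:
                findings.append({"type": "plaintext-secret-object",
                                 "object": o.get("id", "?"),
                                 "key": redact(o["data"])})
    return findings


def scan_proc(proc_root: str = "/proc") -> Dict[int, List[Dict[str, str]]]:
    """Check every running qemu* process; /proc/<pid>/cmdline is world-readable,
    which is exactly why an embedded key is a local information leak."""
    hits = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "cmdline"), "rb") as fh:
                raw = fh.read().split(b"\0")
        except OSError:
            continue
        argv = [a.decode("utf-8", "replace") for a in raw if a]
        if argv and os.path.basename(argv[0]).startswith("qemu"):
            found = find_exposed_ceph_keys(argv)
            if found:
                hits[int(name)] = found
    return hits


if __name__ == "__main__":
    for label, argv in (("vulnerable", VULNERABLE_ARGV), ("fixed", FIXED_ARGV)):
        print(label, find_exposed_ceph_keys(argv))
    for pid, found in scan_proc().items():
        print(pid, found)
```

Run it as any unprivileged user on a host with a libvirt 1.3.x/qemu 2.4 stack: a hit on a running guest means the cephx key is already visible to everyone on that box, which is the posture the SUSE comment above asks users to account for. The `plaintext-secret-object` check matters after the update too: a hand-written `-object secret,data=...` without `keyid=` is no better than the old filename form.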