| Summary: | libvirt new security issue CVE-2019-3840 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | bequimao.de, davidwhodgins, mageia, marja11, mhrambo3501, nicolas.salguero, rverschelde, sysadmin-bugs, thierry.vignaud |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-64-OK | | |
| Source RPM: | libvirt-3.10.0-1.4.mga6.src.rpm | CVE: | CVE-2019-3840 |
| Status comment: | | | |

Description
David Walser
2019-03-18 23:18:43 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing some committers.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

NULL pointer dereference after running qemuAgentCommand in qemuAgentGetInterfaces function. (CVE-2019-3840)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3840
https://usn.ubuntu.com/3909-1/
========================

Updated packages in core/updates_testing:
========================
libvirt-docs-3.10.0-1.5.mga6
lib(64)virt0-3.10.0-1.5.mga6
lib(64)virt-devel-3.10.0-1.5.mga6
libvirt-utils-3.10.0-1.5.mga6
wireshark-libvirt-3.10.0-1.5.mga6

from SRPMS:
libvirt-3.10.0-1.5.mga6.src.rpm

Status: NEW => ASSIGNED

Just cloned and installed 2 VMs (Mga 6 Plasma, Mga 6 Gnome) under Qemu/KVM.
Display: Spice, Video model: Virtio, Network Bridge: enp14s0: macvtap.
No regression found.

Installed Packages
lib64virt0.x86_64 3.10.0-1.5.mga6 @updates_testing-x86_64
libvirt-utils.x86_64 3.10.0-1.5.mga6 @updates_testing-x86_64

Available Packages
lib64virt-devel.x86_64 3.10.0-1.5.mga6 updates_testing-x86_64
libvirt-docs.x86_64 3.10.0-1.5.mga6 updates_testing-x86_64
wireshark-libvirt.x86_64 3.10.0-1.5.mga6 updates_testing-x86_64

Ulrich

Whiteboard: (none) => MGA6-64-OK

(In reply to Nicolas Salguero from comment #2)
> Suggested advisory:
> ========================
>
> The updated packages fix a security vulnerability:
>
> NULL pointer dereference after running qemuAgentCommand in
> qemuAgentGetInterfaces function. (CVE-2019-3840)
>
> References:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3840
> https://usn.ubuntu.com/3909-1/
> ========================

As there are no other takers, I validate the update myself.
Advisory as suggested.

Ulrich

Keywords: (none) => advisory, validated_update

(In reply to Ulrich Beckmann from comment #4)
> As there are no other takers, I validate the update myself.
> Advisory as suggested.

Thanks. Please note though, that the advisory keyword should only be added when the advisory has been committed to svn, as I've now done for this bug report.
http://svnweb.mageia.org/advisories/24528.adv?view=markup

When the advisory keyword has been added, an asterisk is added after the bug number in http://madb.mageia.org/tools/updates

Adding the keyword before the advisory has been committed to svn causes a delay, as I or others that can commit advisories to svn think it's already been done.

The procedure used to push updates from the testing repo to the updates repo uses the advisory from svn to select which source rpm packages to include in the move.

CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0138.html

Resolution: (none) => FIXED