Ubuntu has issued an advisory on September 18:
http://www.ubuntu.com/usn/usn-1954-1/

Note that the CVE-2013-5651 issue only affects Mageia 3.

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory (Mageia 2):
========================

Updated libvirt packages fix security vulnerabilities:

It was discovered that libvirt incorrectly handled certain memory stats requests. A remote attacker could use this issue to cause libvirt to crash, resulting in a denial of service (CVE-2013-4296).

Additionally, an update for a PolicyKit security issue required libvirt to be updated to use a different API that is not affected by this security issue (CVE-2013-4311).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4311
http://www.ubuntu.com/usn/usn-1954-1/
https://bugs.mageia.org/show_bug.cgi?id=11260
========================

Updated packages in core/updates_testing:
========================
libvirt0-0.9.12-1.mga2
libvirt-devel-0.9.12-1.mga2
libvirt-static-devel-0.9.12-1.mga2
python-libvirt-0.9.12-1.mga2
libvirt-utils-0.9.12-1.mga2

from libvirt-0.9.12-1.mga2.src.rpm

Advisory (Mageia 3):
========================

Updated libvirt packages fix security vulnerabilities:

It was discovered that libvirt incorrectly handled certain memory stats requests. A remote attacker could use this issue to cause libvirt to crash, resulting in a denial of service (CVE-2013-4296).

It was discovered that libvirt incorrectly handled certain bitmap operations. A remote attacker could use this issue to cause libvirt to crash, resulting in a denial of service (CVE-2013-5651).

Additionally, an update for a PolicyKit security issue required libvirt to be updated to use a different API that is not affected by this security issue (CVE-2013-4311).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4311
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5651
http://www.ubuntu.com/usn/usn-1954-1/
https://bugs.mageia.org/show_bug.cgi?id=11260
========================

Updated packages in core/updates_testing:
========================
libvirt0-1.0.2-8.3.mga3
libvirt-devel-1.0.2-8.3.mga3
python-libvirt-1.0.2-8.3.mga3
libvirt-utils-1.0.2-8.3.mga3

from libvirt-1.0.2-8.3.mga3.src.rpm
CC: (none) => mageia
Depends on: (none) => 11260
Whiteboard: (none) => MGA2TOO
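An added example, not part of the original report or of Mageia's tooling: a check that classifies an installed libvirt package as patched or vulnerable against the fixed builds listed in the advisory above. The comparison is a simplified form of RPM version ordering (no epoch, tilde or caret handling), and the sample package strings are constructed for illustration.

```python
import re

# Fixed builds exactly as listed in the advisory text above.
FIXED = {"mga2": "0.9.12-1.mga2", "mga3": "1.0.2-8.3.mga3"}

_SEG = re.compile(r"\d+|[A-Za-z]+")

def _vercmp(a, b):
    """Simplified rpmvercmp: compare alternating digit/alpha segments."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alpha one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def check(nvr):
    """Classify a 'name-version-release' string as patched/vulnerable/unknown."""
    parts = nvr.strip().rsplit("-", 2)
    if len(parts) != 3:
        return "unknown"
    _name, version, release = parts
    distro = release.rsplit(".", 1)[-1]      # e.g. 'mga3' from '8.3.mga3'
    fixed = FIXED.get(distro)
    if fixed is None:
        return "unknown"                     # release not covered by this advisory
    fver, frel = fixed.rsplit("-", 1)
    cmp = _vercmp(version, fver) or _vercmp(release, frel)
    return "patched" if cmp >= 0 else "vulnerable"

# Constructed sample input, in the style of `rpm -q` output.
SAMPLE = [
    "libvirt0-1.0.2-8.mga3",
    "libvirt0-1.0.2-8.4.mga3",
    "libvirt-utils-0.9.11-1.mga2",
    "libvirt0-0.9.12-1.mga2",
]

def report(lines=SAMPLE):
    return {line: check(line) for line in lines}

if __name__ == "__main__":
    for pkg, state in report().items():
        print(f"{state:10} {pkg}")
```
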
May I request a new release of libvirt with the changes added here: http://svnweb.mageia.org/packages?view=revision&revision=484822 It makes it so much easier to use. Additionally one could also add libssh2 support by adding: BuildRequires: libssh2-devel
CC: (none) => oe
@oden, Feel free to just bump the subrel and resubmit to testing. That said, are all these build deps also listed as runtime deps? Or are they not strictly needed at runtime? Also, IMO it's nicer to have the separate BRs on one line each as this makes contextual diffs much easier to read, but that is arguably going to spark a bikeshed debate so I'll not make any requests about this (and it's not my package anyway!!)
Oden are you intending to do this or shall we proceed with the current build? If not then testing complete mga3 64
Whiteboard: MGA2TOO => MGA2TOO mga3-64-ok?
I will submit as of http://svnweb.mageia.org/packages?view=revision&revision=484822 but I'm not confident enough with this to tell what's needed or not at runtime, as per the question by Colin. I will also add "BuildRequires: libssh2-devel" which adds this support. Packages have been submitted to mga3 updates_testing, libvirt-1.0.2-8.4.mga3
Did you forget the ssh?
No.

$ rpm -qp --requires /mnt/BIG/mirror/mageia/mga3/SRPMS/core/updates_testing/libvirt-1.0.2-8.4.mga3.src.rpm | grep ssh
libssh2-devel
Ahh yep. That was strange, is there a delay on svnweb or was I just looking in the wrong place? What is the purpose of adding this, Oden? Could you update the advisory please.
http://libvirt.org/remote.html

"libssh2 Transport over the SSH protocol using libssh2 instead of the OpenSSH binary. This transport uses the libvirt authentication callback for all ssh authentication calls and therefore supports keyboard-interactive authentication even with graphical management applications. As with the classic ssh transport netcat is required on the remote side."

Noticed this support was activated when I built libvirt locally and had libssh2-devel installed, comparing symbols and verifying the http://svnweb.mageia.org/packages?view=revision&revision=484822 change.
Testing complete mga2 64
Whiteboard: MGA2TOO mga3-64-ok? => MGA2TOO mga2-64-ok
I'm having difficulties with this mga2 32 in vbox lxde. Can somebody else test please. I can get it to work with vnc but not spice. It could be some oddity of trying to run it in lxde in vbox so if you're better able to test, please do :) Procedure in bug 10987 comment 6 and 7
testing complete mga3 32
Whiteboard: MGA2TOO mga2-64-ok => MGA2TOO has_procedure mga2-64-ok mga3-32-ok
Testing complete mga3 64
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga3-32-ok => MGA2TOO has_procedure mga2-64-ok mga3-32-ok mga3-64-ok
I'm surprised. I actually got virt-viewer and qemu to run under vb. It's dead slow, but got far enough to confirm virt-viewer is working. Testing complete mageia 2 i586. Advisory committed to svn. Someone from the sysadmin team please push 11274.adv to updates.
Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga3-32-ok mga3-64-ok => MGA2TOO has_procedure mga2-64-ok mga3-32-ok mga3-64-ok mga2-32-ok
CC: (none) => davidwhodgins, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0294.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED