OpenSuSE has issued an advisory on January 3: http://lists.opensuse.org/opensuse-updates/2014-01/msg00004.html
Whiteboard: (none) => MGA3TOO
Blocks: (none) => 11726
Two other CVEs were assigned for libvirt issues today, CVE-2014-144[78]: http://openwall.com/lists/oss-security/2014/01/14/5
CVE-2014-1448 was rejected and merged into CVE-2014-1447. There are a number of other CVEs mentioned in the changelog for libvirt 1.2.1: http://libvirt.org/news.html
Debian has issued an advisory for CVE-2013-6458 and CVE-2014-1447: http://www.debian.org/security/2014/dsa-2846 from http://lwn.net/Vulnerabilities/581304/
Summary: libvirt new security issue CVE-2013-6436 => libvirt new security issues CVE-2013-6436, CVE-2013-645[78], CVE-2014-1447, CVE-2014-0028
Probably our best bet for fixing this would be updating Mageia 4 to 1.2.1 and Mageia 3 to 1.0.5.9 as Fedora 19 did.
Fixed in cauldron. Works for me. Please submit libvirt-1.2.1 and once it's available in the build system continue with python-libvirt-1.2.1 (new) and virt-manager (fedora sync). Cheers.
CC: (none) => oe
(In reply to Oden Eriksson from comment #5)
> Fixed in cauldron. Works for me.
>
> Please submit libvirt-1.2.1 and once it's available in the build system
> continue with python-libvirt-1.2.1 (new) and virt-manager (fedora sync).
>
> Cheers.

For Cauldron:

Additionally the following ones have been upgraded as well since a rebuild of them was probably necessary:

libguestfs-1.24.0 -> libguestfs-1.24.5
libvirt-glib (rebuild)
ocaml-libvirt (rebuild)
perl-Sys-Virt-1.1.3 -> perl-Sys-Virt-1.2.1
php-libvirt-0.4.7 -> php-libvirt-0.4.8
ruby-libvirt-0.4.0 -> ruby-libvirt-0.5.2
virt-viewer-0.5.6 -> virt-viewer-0.5.7

Cheers.
libvirt-1.2.1-1.mga4 uploaded for Cauldron. Thanks Oden!
Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)
Blocks: 11726 => (none)
Here's the Fedora advisory for Fedora 19, which I recommend we sync with for Mageia 3: https://lists.fedoraproject.org/pipermail/package-announce/2014-January/127280.html
Ubuntu has issued an advisory for this: http://www.ubuntu.com/usn/usn-2093-1 This adds CVE-2013-6457 and CVE-2014-0028: from http://lwn.net/Vulnerabilities/583677/
I've added patches from the 1.0.2 branch in git. These fix CVE-2013-6458 and CVE-2014-1447.

I've determined that CVE-2014-0028 only affects 1.1.1 and newer (from the commit log message) and that CVE-2013-6457 affects code not present in 1.0.2.

CVE-2013-6436 has patches applied upstream in every branch 1.0.5 and newer, but none of the older ones, so I'm guessing 1.0.2 is not affected. Ubuntu's description for this CVE also indicates that 1.0.5 is the oldest version affected.

The original URL set for this bug was for CVE-2013-6436: http://lwn.net/Vulnerabilities/579350/

I've switched that to the LWN reference for the bugs we're actually fixing with this Mageia 3 update, the one listed in Comment 3.

Advisory:
========================

Updated libvirt packages fix security vulnerabilities:

It was discovered that insecure job usage could lead to denial of service against libvirtd (CVE-2013-6458).

It was discovered that a race condition in keepalive handling could lead to denial of service against libvirtd (CVE-2014-1447).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1447
http://www.debian.org/security/2014/dsa-2846
========================

Updated packages in core/updates_testing:
========================
libvirt0-1.0.2-8.4.mga3
libvirt-devel-1.0.2-8.4.mga3
python-libvirt-1.0.2-8.4.mga3
libvirt-utils-1.0.2-8.4.mga3

from libvirt-1.0.2-8.4.mga3.src.rpm
URL: http://lwn.net/Vulnerabilities/579350/ => http://lwn.net/Vulnerabilities/581304/
Assignee: bugsquad => qa-bugs
Severity: normal => major
Testing procedure in bug 10987 comment 6 and 7
CC: (none) => stormi
Whiteboard: (none) => has_procedure
The above procedure is for testing spice, libvirtd is easier to test. Just start libvirtd service, install virt-manager and use Virtual Machine Manager to start a VM installation (it's similar to virtualbox).

Testing complete mga3 32 & 64
Whiteboard: has_procedure => has_procedure mga3-32-ok mga3-64-ok
Advisory uploaded. Validating.

Could sysadmin please push to 3 updates?

Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok mga3-64-ok => has_procedure advisory mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0051.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED