OpenSuSE has issued an advisory on January 3:
Two other CVEs were assigned for libvirt issues today, CVE-2014-144:
CVE-2014-1448 was rejected and merged into CVE-2014-1447.
There are a number of other CVEs mentioned in the changelog for libvirt 1.2.1:
Debian has issued an advisory for CVE-2013-6458 and CVE-2014-1447:
libvirt new security issue CVE-2013-6436 =>
libvirt new security issues CVE-2013-6436, CVE-2013-645, CVE-2014-1447, CVE-2014-0028
Probably our best bet for fixing this would be updating Mageia 4 to 1.2.1 and Mageia 3 to 18.104.22.168 as Fedora 19 did.
Fixed in cauldron. Works for me.
Please submit libvirt-1.2.1 and once it's available in the build system continue with python-libvirt-1.2.1 (new) and virt-manager (fedora sync).
(In reply to Oden Eriksson from comment #5)
> Fixed in cauldron. Works for me.
> Please submit libvirt-1.2.1 and once it's available in the build system
> continue with python-libvirt-1.2.1 (new) and virt-manager (fedora sync).
Additionally, the following ones have been upgraded as well, since a rebuild of
them was probably necessary:
libguestfs-1.24.0 -> libguestfs-1.24.5
perl-Sys-Virt-1.1.3 -> perl-Sys-Virt-1.2.1
php-libvirt-0.4.7 -> php-libvirt-0.4.8
ruby-libvirt-0.4.0 -> ruby-libvirt-0.5.2
virt-viewer-0.5.6 -> virt-viewer-0.5.7
libvirt-1.2.1-1.mga4 uploaded for Cauldron. Thanks Oden!
Here's the Fedora advisory for Fedora 19, which I recommend we sync with for Mageia 3:
Ubuntu has issued an advisory for this:
This adds CVE-2013-6457 and CVE-2014-0028:
I've added patches from the 1.0.2 branch in git. These fix CVE-2013-6458 and CVE-2014-1447.
I've determined that CVE-2014-0028 only affects 1.1.1 and newer (from the commit log message) and that CVE-2013-6457 affects code not present in 1.0.2.
CVE-2013-6436 has patches applied upstream in every branch 1.0.5 and newer, but none of the older ones, so I'm guessing 1.0.2 is not affected. Ubuntu's description for this CVE also indicates that 1.0.5 is the oldest version affected.
The original URL set for this bug was for CVE-2013-6436:
I've switched that to the LWN reference for the bugs we're actually fixing with this Mageia 3 update, the one listed in Comment 3.
Updated libvirt packages fix security vulnerabilities:
It was discovered that insecure job usage could lead to denial of service
against libvirtd (CVE-2013-6458).
It was discovered that a race condition in keepalive handling could lead to
denial of service against libvirtd (CVE-2014-1447).
Updated packages in core/updates_testing:
Testing procedure in bug 10987 comment 6 and 7
The above procedure is for testing spice; libvirtd is easier to test. Just start the libvirtd service, install virt-manager and use Virtual Machine Manager to start a VM installation (it's similar to virtualbox).
Testing complete mga3 32 & 64
has_procedure mga3-32-ok mga3-64-ok
Advisory uploaded. Validating.
Could sysadmin please push to 3 updates