RedHat has issued an advisory on November 3: https://rhn.redhat.com/errata/RHSA-2016-2577.html We have already fixed the other two CVEs, and in all likelihood have already included an upstream fix for this CVE, but we should confirm this as we haven't seen this one yet.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. However, tv touched it more than 70 times... Thierry, are you the de facto maintainer?
CC: (none) => marja11, thierry.vignaud
Assignee: bugsquad => pkg-bugs
CVE: (none) => CVE-2015-5160
CC: (none) => mageia
Would be simpler to update libvirt. Can we do this?
Given that we're not running a maintenance release in Cauldron currently, I see no reason we can't update it.
Update to 3.3.0 has been committed for cauldron (and a Freeze push request sent).
CC: (none) => mrambo
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
I don't think we will fix CVE-2015-5160 for mga5 as it needs matching fixes in qemu, something that landed in qemu-2.6.0 (we have 2.4.1), and libvirt needs several fixes too for it to work... and given the fact as stated in: https://bugzilla.redhat.com/show_bug.cgi?id=1245647#c2 "It has been public knowledge since 2011 that passing Ceph keys on the command line is undesirable: https://www.redhat.com/archives/libvir-list/2011-November/msg00853.html" I agree with RHEL6: https://bugzilla.redhat.com/show_bug.cgi?id=1245647#c13 "Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates of Enterprise Linux 6." And SuSE: https://bugzilla.suse.com/show_bug.cgi?id=939348#c10 "Upstream is aware of this limitation. Not fixable directly. Users should exercise caution regarding ceph IDs leaked on the command line and adjust their security posture accordingly."
CC: (none) => tmb
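An added defender's check illustrating the exposure tmb's comment describes (example code, not part of this bug report or of libvirt/qemu): it audits qemu process command lines for a Ceph key embedded in the `rbd:` drive spec. The `key=` and `password-secret=` syntax, the `-object secret` form, and the sample argv lists are assumptions modelled on the pre- and post-qemu-2.6 layouts, not values taken from the thread.

```python
"""Audit qemu command lines for Ceph/RBD keys passed inline (the CVE-2015-5160 pattern).

Assumed syntax (not stated in the thread): older libvirt put the secret as 'key='
inside the rbd: file spec; qemu >= 2.6 can instead reference a '-object secret'
through 'password-secret='. Added example, not Mageia's or libvirt's code.
"""
import re
from pathlib import Path

RBD_FILE_RE = re.compile(r"file=rbd:[^,\s]*")    # the file=rbd: spec inside a -drive argument
KEY_RE = re.compile(r"(?:^|:)key=([^:,\s]+)")      # an inline cephx key component

def audit_cmdline(argv):
    """Return findings for one argv: ('inline-key', masked) or ('secret-ref', object id)."""
    findings = []
    for arg in argv:
        for spec in RBD_FILE_RE.findall(arg):
            m = KEY_RE.search(spec)
            if m:  # secret is visible to anyone who can read the process list
                key = m.group(1)
                findings.append(("inline-key", key[:4] + "..."))
        if "rbd:" in arg and "password-secret=" in arg:
            findings.append(("secret-ref", arg.split("password-secret=")[1].split(",")[0]))
    return findings

def scan_proc(proc_root="/proc"):
    """Walk /proc/*/cmdline (NUL-separated argv) and map qemu PIDs to inline-key findings."""
    leaks = {}
    for cmdline in Path(proc_root).glob("[0-9]*/cmdline"):
        try:
            raw = cmdline.read_bytes()
        except OSError:
            continue  # process exited or is not readable
        argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        if argv and "qemu" in Path(argv[0]).name:
            inline = [f for f in audit_cmdline(argv) if f[0] == "inline-key"]
            if inline:
                leaks[cmdline.parent.name] = inline
    return leaks

# Constructed sample argv, modelled on the two qemu generations the thread contrasts.
VULNERABLE_ARGV = ["qemu-system-x86_64", "-drive",
    "file=rbd:rbd/vm1:id=libvirt:key=AQBzzCFXaBCdEf==:auth_supported=cephx,format=raw,if=none,id=drive0"]
FIXED_ARGV = ["qemu-system-x86_64", "-object", "secret,id=sec0,data=ENCRYPTED_KEY_PLACEHOLDER",
    "-drive", "file=rbd:rbd/vm1:id=libvirt:auth_supported=cephx,password-secret=sec0,format=raw,if=none,id=drive0"]

if __name__ == "__main__":
    print(audit_cmdline(VULNERABLE_ARGV), audit_cmdline(FIXED_ARGV))
```

Running `scan_proc()` on a host as root lists any qemu PID still launching guests with the old inline form; a `secret-ref` finding without an `inline-key` one is the fixed layout.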
Thomas' note comes at a good time. The mga5 update is not being nearly as cooperative as the cauldron update was. All but one of the mga5 patches either no longer apply or have already been applied upstream. Parts of the REVERT patch do not apply at present but might be made to do so, other parts are ok as they are. But even with all the patches removed I have not been able to get 3.3.0 to build on top of the mga5 package. It is failing (file not found) on something wireshark/proto.h/glib.h related but I haven't figured out exactly why. But I'm going to suspend the effort unless/until it is decided that the mga5 update does need to be done after all. Does that make this a Won't Fix?
I'm fine with WONTFIX here. We can still update qemu in Cauldron though.
Setting this bug to resolved. Cauldron libvirt has been updated and it has been decided not to fix mga5. Qemu has since been updated by tmb also.
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Well it can't be set to 5 and FIXED when we didn't fix it for 5. We can either go FIXED and Cauldron or WONTFIX and 5. Going with the former for now.
Version: 5 => Cauldron