openSUSE has issued an advisory on April 29: https://lists.opensuse.org/opensuse-updates/2019-04/msg00207.html Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing tv, who is the de-facto maintainer.
CC: (none) => marja11, thierry.vignaud
Assignee: bugsquad => pkg-bugs
RedHat has issued an advisory on May 23: https://access.redhat.com/errata/RHSA-2019:1264 Mageia 6 is not affected by this issue (Mageia 7 is).
Severity: normal => critical
Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO
Summary: libvirt new security issue CVE-2019-3886 => libvirt new security issues CVE-2019-3886 and CVE-2019-10132
RedHat has issued an advisory on June 20: https://access.redhat.com/errata/RHSA-2019:1579 The issues are fixed in 4.10.1 and 5.4.1. Mageia 6 is also affected.
Summary: libvirt new security issues CVE-2019-3886 and CVE-2019-10132 => libvirt new security issues CVE-2019-3886, CVE-2019-10132, CVE-2019-1016[1678]
This Ubuntu advisory (from May 15), related to an intel-microcode update, might also be relevant: https://usn.ubuntu.com/3985-1/
Same with this Debian advisory from June 22: https://www.debian.org/security/2019/dsa-4469
Ubuntu advisory for the two CVEs from June 19: https://usn.ubuntu.com/4021-1/
Ubuntu advisory for the latter CVEs from July 8: https://usn.ubuntu.com/4047-1/
Not sure if we've addressed this set of Intel speculative execution issues: https://lists.opensuse.org/opensuse-updates/2019-06/msg00023.html
libvirt-5.5.0 has been pushed to core/updates_testing:

- 5.5.0 security update -- https://libvirt.org/news.html#v5.5.0
  o api: Prevent access to several APIs over read-only connections
    Certain APIs give root-equivalent access to the host, and as such should be limited to privileged users.
    CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168.
- it also contains the security fixes from 5.4.0:
  o cpu: Introduce support for the md-clear CPUID bit
    This bit is set when microcode provides the mechanism to invoke a flush of various exploitable CPU buffers by invoking the x86 VERW instruction.
    CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091.
  o Restrict user access to virt-admin, virtlogd and virtlockd
    The intended users for these facilities are the root user and the libvirtd service respectively, but these restrictions were not enforced correctly.
    CVE-2019-10132.
Advisory:
========================

Updated libvirt packages fix security vulnerabilities:

An information leak which allowed retrieving the guest hostname under readonly mode (CVE-2019-3886).

Wrong permissions in systemd admin-sock due to missing SocketMode parameter (CVE-2019-10132).

Arbitrary file read/exec via virDomainSaveImageGetXMLDesc API (CVE-2019-10161).

virDomainManagedSaveDefineXML API exposed to readonly clients (CVE-2019-10166).

Arbitrary command execution via virConnectGetDomainCapabilities API (CVE-2019-10167).

Arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs (CVE-2019-10168).

Also, this update contains the libvirt adjustments that pass through the new 'md-clear' CPU flag, to help address Intel CPU speculative execution flaws.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3886
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10132
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10166
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10167
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10168
https://lists.opensuse.org/opensuse-updates/2019-04/msg00207.html
https://access.redhat.com/errata/RHSA-2019:1264
https://access.redhat.com/errata/RHSA-2019:1579
https://lists.opensuse.org/opensuse-updates/2019-06/msg00023.html
========================

Updated packages in core/updates_testing:
========================
libvirt-docs-5.5.0-1.mga7
libvirt0-5.5.0-1.mga7
libvirt-devel-5.5.0-1.mga7
libvirt-utils-5.5.0-1.mga7
wireshark-libvirt-5.5.0-1.mga7
libnss_libvirt2-5.5.0-1.mga7

from libvirt-5.5.0-1.mga7.src.rpm
Whiteboard: MGA7TOO, MGA6TOO => (none)
Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
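The CVE-2019-10132 item above comes down to a systemd socket unit with no SocketMode= line, in which case systemd creates the socket file with its default mode 0666. The following check is an added example, not code from this bug report or from libvirt; the unit contents, the socket path, the 0600 value and the function names are all constructed or assumed for illustration.

```python
# Added example: sample units below are constructed, not libvirt's shipped files.
SYSTEMD_DEFAULT_SOCKET_MODE = 0o666  # applies when SocketMode= is absent

VULNERABLE_UNIT = """\
[Unit]
Description=Constructed admin socket without SocketMode

[Socket]
ListenStream=/run/example/example-admin-sock
"""

FIXED_UNIT = VULNERABLE_UNIT + "SocketMode=0600\n"  # assumed root-only value


def parse_socket_section(unit_text):
    """Collect key -> [values] from the [Socket] section of a unit file."""
    section, settings = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Socket" and "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def audit_socket_unit(unit_text):
    """Return (effective_mode, findings) for filesystem AF_UNIX sockets."""
    settings = parse_socket_section(unit_text)
    # Only absolute paths create socket files that carry permission bits.
    paths = [p for p in settings.get("ListenStream", []) if p.startswith("/")]
    if not paths:
        return None, []
    explicit = settings.get("SocketMode")
    mode = int(explicit[-1], 8) if explicit else SYSTEMD_DEFAULT_SOCKET_MODE
    findings = []
    if not explicit:
        findings.append("SocketMode missing: systemd default 0666 applies")
    if mode & 0o002:  # write permission is what connect() needs on Linux
        findings.append("any local user can connect to " + ", ".join(paths))
    return mode, findings


if __name__ == "__main__":
    for name, unit in (("before", VULNERABLE_UNIT), ("after", FIXED_UNIT)):
        mode, findings = audit_socket_unit(unit)
        print(name, oct(mode), findings or "ok")
```

To audit a real host, feed the function the text of each installed .socket unit, including any drop-in overrides, rather than the constructed samples.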
MGA7-64 Plasma on Lenovo B50

No installation issues, just noted that in the dependencies dnsmasq is included, which causes bind to be deinstalled.

Ref to bug 21826 Comment 6 for testing. So installed virt-manager, and ran this as a normal user. No feedback on CLI, application opens which lists QEMU/KVM as a virtual machine, and I can view the details of it. I can assign a file as storage, but I don't have enough space available on this test partition to install a complete virtual machine.

If that is judged enough testing, I will not object OK'ing.
CC: (none) => herman.viaene
Side note: I wish there was more consistency in the naming of the packages, some are libvirt, others lib64virt.
libvirt is the name of the software, and it's an unfortunate choice of name. Things named lib64* are libraries. What would actually be better is if we didn't use the unnecessary lib64 prefix for 64-bit libraries. Maybe someday...
Installed Packages
lib64virt0.x86_64 5.5.0-1.mga7 @updates_testing-x86_64
libvirt-utils.x86_64 5.5.0-1.mga7 @updates_testing-x86_64

Running Qemu/KVM as host on 2 instances. Nothing deinstalled here. No regression found. So marking test as ok.

Ulrich
CC: (none) => bequimao.de
Whiteboard: (none) => MGA7-64-OK
NB: bind was not installed here before. If I install bind, there is indeed a conflict with dnsmasq.
Installed and tested without issues.

Update packages installed without issues. Have dnsmasq installed and running. Do not have bind installed.

Host system: Mageia 7, x86_64, virt-manager, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

Guest systems:
- FreeBSD 12.1
- Mageia 7 (Linux 5.4.2-desktop-1.mga7)
- Windows 10

$ uname -a
Linux marte 5.4.2-desktop-1.mga7 #1 SMP Thu Dec 5 17:40:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ ### BEFORE UPDATE
$ rpm -qa | grep virt | sort
lib64virt0-5.3.0-2.mga7
lib64virt-glib-gir1.0-2.0.0-1.mga7
lib64virt-glib1.0_0-2.0.0-1.mga7
libvirt-utils-5.3.0-2.mga7
python3-libvirt-5.2.0-1.mga7
virt-manager-2.1.0-2.mga7
virt-manager-common-2.1.0-2.mga7

$ ### AFTER UPDATE
$ rpm -qa | grep virt | sort
lib64virt0-5.5.0-1.mga7
lib64virt-glib1.0_0-2.0.0-1.mga7
lib64virt-glib-gir1.0-2.0.0-1.mga7
libvirt-utils-5.5.0-1.mga7
python3-libvirt-5.2.0-1.mga7
virt-manager-2.1.0-2.mga7
virt-manager-common-2.1.0-2.mga7
CC: (none) => mageia
Note that the package python3-libvirt-5.2.0-1.mga7 was not updated and still has an older version (5.2.0) while the current libvirt is at 5.5.0. Don't know if this is an issue or not. Maybe it would be a good idea to check if the package python3-libvirt needs to be updated.
Good catch. It should be updated.
Keywords: (none) => feedback
Add to the packages list:

python2-libvirt-5.5.0-1.mga7
python3-libvirt-5.5.0-1.mga7

from python-libvirt-5.5.0-1.mga7.src.rpm
Keywords: feedback => (none)
Keywords: (none) => advisory
CC: (none) => tmb
None of the packages mentioned, either on the list of updates or those mentioned as dependencies, were installed on one of my test machines. So, I did a little checking by first installing bind, and then attempting to install dnsmasq. None of the updated packages were named as dependencies, but bind is definitely incompatible with dnsmasq. This doesn't appear to be anything new, and even with my lack of knowledge on the subject I strongly suspect there is a valid reason for the conflict. A little more investigation turned up that dnsmasq is a dependency of the current libvirt-utils. This means that if a user is currently using libvirt-utils, he would not have bind installed, so it would appear that in and of itself this update would not be removing anything that it shouldn't. All this wandering into the Vast Unknown leads me to conclude that the bind/dnsmasq conflict is a non-issue where this update is concerned. So, I'm going to validate it.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0390.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED