openSUSE has issued an advisory on April 29:
Mageia 6 is also affected.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC'ing tv, who is the de-facto maintainer.
RedHat has issued an advisory on May 23:
Mageia 6 is not affected by this issue (Mageia 7 is).
libvirt new security issue CVE-2019-3886 =>
libvirt new security issues CVE-2019-3886 and CVE-2019-10132
RedHat has issued an advisory on June 20:
The issues are fixed in 4.10.1 and 5.4.1.
Mageia 6 is also affected.
libvirt new security issues CVE-2019-3886 and CVE-2019-10132 =>
libvirt new security issues CVE-2019-3886, CVE-2019-10132, CVE-2019-1016
This Ubuntu advisory (from May 15), related to an intel-microcode update, might also be relevant:
Same with this Debian advisory from June 22:
Ubuntu advisory for the two CVEs from June 19:
Ubuntu advisory for the latter CVEs from July 8:
Not sure if we've addressed this set of Intel speculative execution issues:
libvirt-5.5.0 has been pushed to core/updates_testing:
- 5.5.0 security update -- https://libvirt.org/news.html#v5.5.0
o api: Prevent access to several APIs over read-only connections
Certain APIs give root-equivalent access to the host, and as such should be
limited to privileged users. CVE-2019-10161, CVE-2019-10166, CVE-2019-10167,
- it also contains the security fixes from 5.4.0:
o cpu: Introduce support for the md-clear CPUID bit
This bit is set when microcode provides the mechanism to invoke a flush of
various exploitable CPU buffers by invoking the x86 VERW instruction.
CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091.
o Restrict user access to virt-admin, virtlogd and virtlockd
The intended users for these facilities are the root user and the libvirtd
service respectively, but these restrictions were not enforced correctly.
Updated libvirt packages fix security vulnerabilities:
An information leak which allowed retrieving the guest hostname in read-only
mode (CVE-2019-3886).
Wrong permissions in systemd admin-sock due to missing SocketMode parameter
Arbitrary file read/exec via virDomainSaveImageGetXMLDesc API
virDomainManagedSaveDefineXML API exposed to readonly clients
Arbitrary command execution via virConnectGetDomainCapabilities API
Arbitrary command execution via virConnectBaselineHypervisorCPU and
virConnectCompareHypervisorCPU APIs (CVE-2019-10168).
Also, this update contains the libvirt adjustments that pass through the new
'md-clear' CPU flag, to help address Intel CPU speculative execution flaws.
Updated packages in core/updates_testing:
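The md-clear change above only helps a guest if the flag actually reaches it: the host microcode/kernel must expose the bit (the Linux kernel lists it as `md_clear` in /proc/cpuinfo) and the domain definition must carry it (libvirt spells the feature `md-clear`). The following is an added check, not part of this bug report or of libvirt, that inspects a /proc/cpuinfo dump and a `virsh dumpxml` style domain XML and reports which side is missing. The cpuinfo excerpts and domain XML fragments are constructed samples; on a real host you would feed it the real files.

```python
"""Does the MDS 'md-clear' mitigation reach a KVM guest?

Added example (not from the bug report or from libvirt). Inputs below are
constructed samples standing in for /proc/cpuinfo and `virsh dumpxml <dom>`.
"""
import xml.etree.ElementTree as ET

# Constructed /proc/cpuinfo excerpt from a host whose microcode exposes md_clear.
CPUINFO_PATCHED = """\
processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge ssbd ibrs ibpb stibp md_clear flush_l1d
"""

# Constructed excerpt from a host without the updated microcode.
CPUINFO_UNPATCHED = """\
processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge ssbd ibrs ibpb stibp flush_l1d
"""

# Constructed domain XML: explicit custom model requiring md-clear.
DOMAIN_REQUIRE_MD_CLEAR = """\
<domain type='kvm'>
  <name>guest-a</name>
  <cpu mode='custom' match='exact'>
    <model fallback='forbid'>Skylake-Client-IBRS</model>
    <feature policy='require' name='md-clear'/>
  </cpu>
</domain>
"""

# Constructed domain XML: custom model with no md-clear feature at all.
DOMAIN_NO_MD_CLEAR = """\
<domain type='kvm'>
  <name>guest-b</name>
  <cpu mode='custom' match='exact'>
    <model fallback='forbid'>Skylake-Client-IBRS</model>
  </cpu>
</domain>
"""

# Constructed domain XML: host-passthrough, guest sees the host CPUID directly.
DOMAIN_PASSTHROUGH = """\
<domain type='kvm'>
  <name>guest-c</name>
  <cpu mode='host-passthrough'/>
</domain>
"""


def host_cpu_flags(cpuinfo: str) -> set:
    """Union of every 'flags' line in a /proc/cpuinfo dump (one line per core)."""
    flags = set()
    for line in cpuinfo.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            flags.update(value.split())
    return flags


def guest_cpu_policy(domain_xml: str) -> str:
    """Classify how the domain's <cpu> element handles md-clear.

    Returns 'passthrough' (host CPUID forwarded), 'required' (explicit
    <feature policy='require|force' name='md-clear'/>), 'host-model'
    (depends on whether this libvirt expands md-clear into host-model, which
    is exactly what the 5.4/5.5 update adds; verify with `virsh domcapabilities`),
    or 'absent'.
    """
    cpu = ET.fromstring(domain_xml).find("cpu")
    if cpu is None:
        return "absent"
    mode = cpu.get("mode", "custom")
    if mode == "host-passthrough":
        return "passthrough"
    for feat in cpu.findall("feature"):
        if feat.get("name") == "md-clear" and feat.get("policy") in ("require", "force"):
            return "required"
    return "host-model" if mode == "host-model" else "absent"


def assess(cpuinfo: str, domain_xml: str) -> str:
    """'host-unpatched', 'ok', 'verify' or 'guest-missing' for the host/guest pair."""
    if "md_clear" not in host_cpu_flags(cpuinfo):
        return "host-unpatched"          # microcode/kernel not exposing the bit
    policy = guest_cpu_policy(domain_xml)
    if policy in ("passthrough", "required"):
        return "ok"
    if policy == "host-model":
        return "verify"                  # depends on libvirt's host-model expansion
    return "guest-missing"               # host is fine, domain XML does not pass it


if __name__ == "__main__":
    for name, xml in (("guest-a", DOMAIN_REQUIRE_MD_CLEAR),
                      ("guest-b", DOMAIN_NO_MD_CLEAR),
                      ("guest-c", DOMAIN_PASSTHROUGH)):
        print(name, assess(CPUINFO_PATCHED, xml), assess(CPUINFO_UNPATCHED, xml))
```

A "guest-missing" result on a patched host is the situation the libvirt update addresses for host-model guests; for custom models, add `<feature policy='require' name='md-clear'/>` to the domain and confirm the flag inside the guest (`grep md_clear /proc/cpuinfo` there) after a full shutdown and start, since a running guest keeps its old CPUID until restarted.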
MGA7TOO, MGA6TOO =>
MGA7-64 Plasma on Lenovo B50
No installation issues; just noted that dnsmasq is included in the dependencies, which causes bind to be uninstalled.
Ref to bug 21826 Comment 6 for testing. So installed virt-manager, and ran this as a normal user.
No feedback on CLI, application opens which lists QEMU/KVM as a virtual machine, and I can view the details of it.
I can assign a file as storage, but I don't have enough space available on this test partition to install a complete virtual machine.
If that is judged enough testing, I will not object OK'ing.
Side note: I wish there was more consistency in the package names: some are libvirt, others lib64virt.
libvirt is the name of the software, and it's an unfortunate choice of name. Things named lib64* are libraries. What would actually be better is if we didn't use the unnecessary lib64 prefix for 64-bit libraries. Maybe someday...