Fedora has issued an advisory on June 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/D5GE6ISYUL3CIWO3FQRUGMKTKP2NYED2/

The issue is fixed upstream in 6.0.0. We can probably borrow Fedora's patch from Fedora 31.
Assigning to Thierry as the main recent SRPM maintainer.
Assignee: bugsquad => thierry.vignaud
libvirt-5.5.0-1.2.mga7 pushed in mga7 updates_testing
CC: (none) => mageia
Assignee: thierry.vignaud => qa-bugs
Status: NEW => RESOLVED
Resolution: (none) => FIXED

Advisory:
========================

Updated libvirt packages fix security vulnerability:

A flaw was found in the way the libvirtd daemon issued the 'suspend' command to a QEMU guest-agent running inside a guest, where it holds a monitor job while issuing the 'suspend' command to a guest-agent. A malicious guest-agent may use this flaw to block the libvirt daemon indefinitely, resulting in a denial of service (CVE-2019-20485).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20485
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/D5GE6ISYUL3CIWO3FQRUGMKTKP2NYED2/
========================

Updated packages in core/updates_testing:
========================
libvirt-docs-5.5.0-1.2.mga7
libvirt0-5.5.0-1.2.mga7
libvirt-devel-5.5.0-1.2.mga7
libvirt-utils-5.5.0-1.2.mga7
wireshark-libvirt-5.5.0-1.2.mga7
libnss_libvirt2-5.5.0-1.2.mga7

from libvirt-5.5.0-1.2.mga7.src.rpm
Resolution: FIXED => (none)
Status: RESOLVED => REOPENED

Installed and tested without issues.

WARNING: The package python3-libvirt-5.5.0-1.mga7 was NOT updated. Please check if this is correct.

Host system: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

Guest systems:
- Mageia 7, x86_64
- Mageia 8 (cauldron), x86_64
- Windows 10, x86_64
- Windows 7, x86_64

$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep virt.*5.5.0
lib64virt0-5.5.0-1.2.mga7
wireshark-libvirt-5.5.0-1.2.mga7
python3-libvirt-5.5.0-1.mga7
libvirt-utils-5.5.0-1.2.mga7

$ virsh list
 Id   Nome       Estado
------------------------------
 1    mageia_8   em execução
CC: (none) => mageia
libvirt wasn't updated either, it was just patched, so there's nothing to update for python-libvirt.
Thanks for the clarification, David. The test in Comment 4 should be sufficient, then. Giving it an OK and validating. Advisory in Comment 3.
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0283.html
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED