Ubuntu has issued an advisory today (August 4):
https://ubuntu.com/security/notices/USN-4452-1

Their fix is to src/remote/libvirtd.socket.in, changing SocketMode=0666 to:

SocketMode=0660
SocketUser=root
SocketGroup=libvirt
SUSE has issued an advisory for this on October 26: https://lists.suse.com/pipermail/sle-security-updates/2020-October/007626.html
openSUSE has issued an advisory for this today (October 31): https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00073.html
SUSE noted that 0666 is the correct mode if polkit auth is enabled, which it is by default in SUSE and Mageia. SUSE added a patch to the config (where the auth mode can be changed) to note that if the auth mode is changed, the libvirtd.socket file needs to be changed: https://build.opensuse.org/package/view_file/openSUSE:Leap:15.2:Update/libvirt/b196f8fc-CVE-2020-15708-doc.patch?expand=1 We should do the same.
Status comment: (none) => Patch available from openSUSE
Added in our Cauldron package.
Resolution: (none) => FIXED
CC: (none) => mageia
Status: NEW => RESOLVED
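The dependency SUSE documented (a world-writable libvirtd socket is only appropriate while polkit auth is enabled) can be checked mechanically. The script below is an added example, not part of this bug report or of libvirt. It assumes the auth mode is the auth_unix_rw key in libvirtd.conf and that both file paths are passed as arguments; the sample files it writes are constructed.

```shell
#!/bin/sh
# Added example: flag a world-writable libvirtd socket when polkit auth is off.
# Assumption: the auth mode is the auth_unix_rw key in libvirtd.conf.

# Print the last uncommented value of key $1 in file $2, quotes stripped.
get_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tail -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# $1 = libvirtd.conf, $2 = libvirtd.socket unit. Returns 0 if consistent.
check_libvirt_socket() {
    auth=$(get_value auth_unix_rw "$1")
    mode=$(get_value SocketMode "$2")
    auth=${auth:-polkit}   # unset: assume the polkit default the thread describes
    mode=${mode:-0666}     # unset: systemd's default SocketMode is 0666
    # The last octal digit holds the "other" permissions; bit 2 is write.
    case ${mode#"${mode%?}"} in
        2|3|6|7) world=yes ;;
        *)       world=no ;;
    esac
    if [ "$world" = yes ] && [ "$auth" != polkit ]; then
        echo "MISMATCH: SocketMode=$mode is world-writable but auth_unix_rw=$auth"
        return 1
    fi
    echo "OK: SocketMode=$mode with auth_unix_rw=$auth"
}

# Demo on constructed sample files (not taken from any real system).
demo() {
    d=$(mktemp -d) || return 1
    printf '#auth_unix_rw = "polkit"\nauth_unix_rw = "none"\n' > "$d/libvirtd.conf"
    printf '[Socket]\nListenStream=/run/libvirt/libvirt-sock\nSocketMode=0666\n' \
        > "$d/open.socket"
    printf '[Socket]\nSocketMode=0660\nSocketUser=root\nSocketGroup=libvirt\n' \
        > "$d/restricted.socket"
    check_libvirt_socket "$d/libvirtd.conf" "$d/open.socket"        # mismatch
    check_libvirt_socket "$d/libvirtd.conf" "$d/restricted.socket"  # ok
    rm -rf "$d"
}
demo
```

On a real host, point the function at the installed libvirtd.conf and the libvirtd.socket unit your distribution ships.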