RedHat has issued an advisory on April 30:
https://lwn.net/Articles/971691/

Fixed by:
https://gitlab.com/libvirt/libvirt/-/commit/2ca94317ac642a70921947150ced8acc674ccdc8

Source RPM: (none) => libvirt-9.6.0-1.1.mga9.src.rpm
Status comment: (none) => Patch available from upstream
CVE: (none) => CVE-2024-2496
Cauldron is already patched for CVE-2024-2494. Should this CVE (2496) be for Cauldron also? Assigning globally, no one packager in view.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A NULL pointer dereference flaw was found in the udevConnectListAllInterfaces() function in libvirt. This issue can occur when detaching a host interface while at the same time collecting the list of interfaces via virConnectListAllInterfaces API. This flaw could be used to perform a denial of service attack by causing the libvirt daemon to crash. (CVE-2024-2496)

References:
https://lwn.net/Articles/971691/
========================

Updated packages in core/updates_testing:
========================
lib(64)nss_libvirt2-9.6.0-1.2.mga9
lib(64)virt0-9.6.0-1.2.mga9
lib(64)virt-devel-9.6.0-1.2.mga9
libvirt-client-qemu-9.6.0-1.2.mga9
libvirt-docs-9.6.0-1.2.mga9
libvirt-utils-9.6.0-1.2.mga9
mingw32-libvirt-9.6.0-1.2.mga9
mingw64-libvirt-9.6.0-1.2.mga9
wireshark-libvirt-9.6.0-1.2.mga9

from SRPM:
libvirt-9.6.0-1.2.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Status comment: Patch available from upstream => (none)
CC: (none) => mageia
Keywords: (none) => advisory
RH mageia 9 x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing libvirt-utils-9.6.0-1.2.mga9.x86_64.rpm lib64virt0-9.6.0-1.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/2: lib64virt0 ##################################################################################################
2/2: libvirt-utils ##################################################################################################
1/2: removing libvirt-utils-9.6.0-1.1.mga9.x86_64 ##################################################################################################
2/2: removing lib64virt0-9.6.0-1.1.mga9.x86_64 ##################################################################################################

urpmq --whatrequires-recursive lib64virt0 includes gnome-boxes

strace gnome-boxes shows the library is open
openat(AT_FDCWD, "/lib64/libvirt.so.0", O_RDONLY|O_CLOEXEC) = 3

The elements of the VM that worked before the update work after the update
Installed and tested without issue.

Tested:
- virt-manager;
- virsh;
- remote (ssh) and local;
- QEMU/KVM nested inside Mageia 9 guest;
- qemu:///system;
- qemu:///session;
- integration with systemd-machined;
- virtio video/net/block device drivers;
- SPICE viewer;
- VNC viewer;
- LXC container;
- copy & paste to/from guest;
- desktop resizing;

Tested guests:
- Archlinux (LXC container);
- Android x86 9.0;
- Fedora 39;
- Fedora 40;
- FreeBSD 14;
- Kali Linux;
- Mageia 9 x86_64;
- Mageia 9 x86_64 with PCI pass through of GPU Radeon RX 6500 XT;
- Mageia 9 aarch64;
- Mageia Cauldron;
- memtest86;
- System Rescue 11.00
- Tail 6;
- Windows 10;
- Windows 11;
- Windows Server 2016 Datacenter;

System: Mageia 9, x86_64, Plasma DE, LXQt DE, AMD Ryzen 5 5600G with Radeon Graphics.

$ uname -a
Linux jupiter 6.6.28-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Apr 17 17:19:36 UTC 2024 x86_64 GNU/Linux

$ rpm -qa | grep -P 'lib(64)?virt'
python3-libvirt-9.1.0-1.mga9
lib64virt-glib1.0_0-4.0.0-5.mga9
lib64virt-glib-gir1.0-4.0.0-5.mga9
lib64virt0-9.6.0-1.2.mga9
libvirt-utils-9.6.0-1.2.mga9
CC: (none) => andrewsfarm
Giving OK, as the tests are the same as in the previous round, bug#33047
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0163.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED