RedHat has issued an advisory today (June 20):
https://rhn.redhat.com/errata/RHSA-2012-0748.html

Mageia 1 and Mageia 2 are also affected. It sounds like it was fixed upstream in 0.9.12.
CC: (none) => olav
Whiteboard: (none) => MGA2TOO, MGA1TOO
CC: (none) => mageia
CC: (none) => thierry.vignaud
CC: (none) => guillomovitch
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
OpenSuSE has issued an advisory today (August 15):
http://lists.opensuse.org/opensuse-updates/2012-08/msg00023.html

This fixes a new issue, CVE-2012-3445.

from http://lwn.net/Vulnerabilities/511404/
Summary: libvirt new security issue CVE-2012-2693 => libvirt new security issues CVE-2012-2693 and CVE-2012-3445
CC: (none) => oe
RedHat has issued an advisory today (October 11):
https://rhn.redhat.com/errata/RHSA-2012-1359.html

This fixes a new issue, CVE-2012-4423.

from http://lwn.net/Vulnerabilities/519459/
Version: 2 => Cauldron
Summary: libvirt new security issues CVE-2012-2693 and CVE-2012-3445 => libvirt new security issues CVE-2012-2693, CVE-2012-3445, and CVE-2012-4423
Whiteboard: MGA1TOO => MGA2TOO, MGA1TOO
libvirt is also affected by dnsmasq issue CVE-2012-3411. Fedora has issued an advisory on December 18: http://lists.fedoraproject.org/pipermail/package-announce/2013-January/095332.html
Started to take a look at these, cherry-picked patches from the RH package.

For CVE-2012-3445 had to rediff, 1 chunk failed but it looks benign to me, line was already what the patch wanted to change (pulled the same patch from git)

For CVE-2012-4423 - patch applies clean

For CVE-2012-3411 - 3 patches, pulled from git, don't apply clean. If I'm reading the git log correctly, since our dnsmasq supports --bind-dynamic, the last patch should be adequate (it doesn't apply clean either)

For CVE-2012-2693 - 3 patches, still need some work, they *don't* apply clean, but a quick look indicates they could be cleaned up.

RH/Fedora apply a ton of patches to this package.

No more time this evening, in progress src.rpm here if anyone wants to look more at the re-diffs:

http://stewbenedict.org/mageia/libvirt-0.9.10-5.1.mga2.src.rpm
CC: (none) => stewbintn
RedHat has issued an advisory on January 28:
https://rhn.redhat.com/errata/RHSA-2013-0199.html

This fixes a new issue, CVE-2013-0170.

from http://lwn.net/Vulnerabilities/534955/
Summary: libvirt new security issues CVE-2012-2693, CVE-2012-3445, and CVE-2012-4423 => libvirt new security issues CVE-2012-2693, CVE-2012-3445, CVE-2012-4423, and CVE-2013-0170
Just FYI, CVE-2013-0170 is fixed in 1.0.2 (Cauldron is currently vulnerable).
CC: (none) => fundawang
CC: (none) => cjw
1.0.2 uploaded in Cauldron by Guillaume, which should fix these in Cauldron. Removing Mageia 1 from the whiteboard due to EOL.
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => (none)
Finally got some time to look at this again.

If I read the CVE correctly:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0170

The mga2 version should be exempt from this (0.9.10).

For the others:
P6, for CVE-2012-3411, doesn't seem to have a context in our version, so I skipped it also.

P7-P9 (CVE-2012-2693) do apply, now after a bit of rediff work. Package builds/installs/seems to run. I don't do a lot with usb devices and libvirt, but I was able to add a usb key in virt-manager and have it show up on the client machine.

New srpm:

http://stewbenedict.org/mageia/libvirt-0.9.10-5.1.mga2.src.rpm
(In reply to comment #8)
> Finally got some time to look at this again.
>
> If I read the CVE correctly:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0170
>
> The mga2 version should be exempt from this (0.9.10).

I wouldn't assume that. Version information in CVE descriptions is often incomplete. Maybe see if you can find the commit (between 0.9.11.8 and 0.9.11.9) that fixed it.

> For the others:
> P6, for CVE-2012-3411, doesn't seem to have a context in our version, so I
> skipped it also.

Those three patches don't look like the right ones to begin with. It looks like they come from further down the line, after libvirt had been changed to use --bind-dynamic, to deal with dnsmasq versions that don't support that option. For us, if our dnsmasq version does support that option, all that detection stuff is overkill anyway and not needed for us, but it does need to use that option in the first place, which our version does not.

It looks like the patches you want to start with are the one that adds using the --bind-dynamic option in the first place, but all that capabilities detection stuff in it would not be needed:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=753ff83a50263d6975f88d6605d4b5ddfcc97560

and then since that commit removed the --except-interface lo, which turned out to be the wrong thing to do, Fedora has a patch that fixes that:
http://pkgs.fedoraproject.org/cgit/libvirt.git/commit/?h=f17&id=d4e5211296a00a0cff32e1a1daaa025002add736

> P7-P9 (CVE-2012-2693) do apply, now after a bit of rediff work. Package
> builds/installs/seems to run. I don't do a lot with usb devices and libvirt,
> but I was able to add a usb key in virt-manager and have it show up on the
> client machine.
>
> New srpm:
>
> http://stewbenedict.org/mageia/libvirt-0.9.10-5.1.mga2.src.rpm

Thanks for continuing to work on this.
(In reply to David Walser from comment #9)
> (In reply to comment #8)
> > Finally got some time to look at this again.
> >
> > If I read the CVE correctly:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0170
> >
> > The mga2 version should be exempt from this (0.9.10).
>
> I wouldn't assume that. Version information in CVE descriptions is often
> incomplete. Maybe see if you can find the commit (between 0.9.11.8 and
> 0.9.11.9) that fixed it.

In fact, if you see RedHat's advisory for this CVE:
https://rhn.redhat.com/errata/RHSA-2013-0199.html

Their update was for 0.9.10. So you should be able to download their SRPM and get a patch for this from that.
Debian has issued an advisory on March 17:
http://www.debian.org/security/2013/dsa-2650

This fixes a new issue, CVE-2013-1766.

from http://lwn.net/Vulnerabilities/543282/
Version: 2 => Cauldron
Summary: libvirt new security issues CVE-2012-2693, CVE-2012-3445, CVE-2012-4423, and CVE-2013-0170 => libvirt new security issues CVE-2012-2693, CVE-2012-3445, CVE-2012-4423, CVE-2013-0170, and CVE-2013-1766
Whiteboard: (none) => MGA2TOO
that one looks distro-specific, and related to what user and group libvirtd runs at.
CC: (none) => alien
(In reply to AL13N from comment #12)
> that one looks distro-specific, and related to what user and group libvirtd
> runs at.

Thanks, removing that CVE from the bug title and Cauldron from the version list.
Version: Cauldron => 2
Summary: libvirt new security issues CVE-2012-2693, CVE-2012-3445, CVE-2012-4423, CVE-2013-0170, and CVE-2013-1766 => libvirt new security issues CVE-2012-2693, CVE-2012-3445, CVE-2012-4423, and CVE-2013-0170
Whiteboard: MGA2TOO => (none)
RedHat has issued an advisory on May 16:
https://rhn.redhat.com/errata/RHSA-2013-0831.html

This fixes a new issue, CVE-2013-1962.

from http://lwn.net/Vulnerabilities/551062/
Version: 2 => Cauldron
Summary: libvirt new security issues CVE-2012-2693, CVE-2012-3445, CVE-2012-4423, and CVE-2013-0170 => libvirt new security issues CVE-2012-2693, CVE-2012-3445, CVE-2012-4423, CVE-2013-0170, and CVE-2013-1962
Whiteboard: (none) => MGA3TOO, MGA2TOO
Depends on: (none) => 10345
(In reply to David Walser from comment #14)
> RedHat has issued an advisory on May 16:
> https://rhn.redhat.com/errata/RHSA-2013-0831.html
>
> This fixes a new issue, CVE-2013-1962.
>
> from http://lwn.net/Vulnerabilities/551062/

Fixed for Mageia 3 and Cauldron by Funda, Bug 10345.
Version: Cauldron => 2
Whiteboard: MGA3TOO, MGA2TOO => (none)
Closing this now due to Mageia 2 EOL. http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Status: NEW => RESOLVED
Resolution: (none) => OLD
QA Contact: (none) => security