[Libvirt-announce] Entering freeze for libvirt-1.2.2
by Daniel Veillard
As planned I tagged a release candidate 1 version in git and made
tarballs and rpms available at the usual place:
ftp://libvirt.org/libvirt/
It seems to work well in my limited testing, but let's spend some time
this week making more tests and checking it compiles on other systems
and architectures.
If all goes well I will probably push the release next weekend,
with an rc2 on Wednesday based on feedback.
Thanks!
Daniel
--
Daniel Veillard | Open Source and Standards, Red Hat
veillard(a)redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/
[Libvirt-announce] ANNOUNCE: libvirt-glib release 0.1.8
by Daniel P. Berrange
I am pleased to announce that a new release of the libvirt-glib package,
version 0.1.8, is now available from
ftp://libvirt.org/libvirt/glib/
The packages are GPG signed with
Key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF (4096R)
Changes in this release:
- Add getter/setter for UUID in domain config
- Remove dead code / unused variables
- Add missing symbol exports
- Add support for setting nwfilters in domain config
- Switch to standard gobject introspection autotools macros
- Fix typo preventing removal of clock config
- Add getter/setters for disk driver type
- Add unit tests based on glib tap harness
- Add test for validating symbol file exports
- Add getters for domain graphics config params
- Add more getters for domain timer config
- Add support for hpet timer type
- Fix event loop impl on win32
- Fix parent class/object of pit timer class
- Fix misc API doc bugs
- Add more getters for domain clock config
- Fix removal of domain CPU feature flags
- Fix removal of capabilities CPU topology
- Misc fixes to glib event loop integration
libvirt-glib comprises three distinct libraries:
- libvirt-glib - Integrate with the GLib event loop and error handling
- libvirt-gconfig - Representation of libvirt XML documents as GObjects
- libvirt-gobject - Mapping of libvirt APIs into the GObject type system
NB: While libvirt aims to be API/ABI stable forever, with libvirt-glib
we are not yet guaranteeing that libvirt-glib libraries are API/ABI
permanently stable. As of the 0.0.8 release, we have tentatively frozen
the API/ABI with the intent of being longterm stable hereafter, but
there is still a small chance we might find flaws requiring an API/ABI
change. The likelihood of this is low, however, and we will strive to
avoid it.
Follow up comments about libvirt-glib should be directed to the regular
libvir-list(a)redhat.com development list.
Thanks to all the people involved in contributing to this release.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
[Libvirt-announce] LSN-2013-0018: Unsafe usage of paths under /proc/$PID/root by the LXC driver
by Daniel P. Berrange
Libvirt Security Notice: LSN-2013-0018
======================================
Summary: Unsafe usage of paths under /proc/$PID/root by the
LXC driver
Reported on: 20131217
Published on: 20131217
Fixed on: 20140219
Reported by: Reco <recoverym4n(a)gmail.com>
Patched by: Reco <recoverym4n(a)gmail.com>,
Eric Blake <eblake(a)redhat.com>,
Daniel Berrange <berrange(a)redhat.com>
See also: CVE-2013-6456, debian bug #732394
Description
-----------
The LXC driver will open paths under /proc/$PID/root for some
operations it performs on running guests. For the virDomainShutdown
and virDomainReboot APIs it will use this to access the /dev/initctl
path in the container. For the virDomainDeviceAttach /
virDomainDeviceDetach APIs it will use this to create device nodes
in the container's /dev filesystem. If any of the path components
under control of the container are symlinks, the container can cause
the libvirtd daemon to access the incorrect files.
Impact
------
A container can cause the administrator to shut down or reboot the
host OS if /dev/initctl in the container is made to be an absolute
symlink back to itself or /run/initctl. A container can cause the
host administrator to mknod in an arbitrary host directory when
invoking the virDomainDeviceAttach API by replacing '/dev' with an
absolute symlink. A container can cause the host administrator to
delete a host device when invoking the virDomainDeviceDetach API by
replacing '/dev' with an absolute symlink.
Workaround
----------
Do not use the virDomainShutdown or virDomainReboot APIs without
also passing the VIR_DOMAIN_SHUTDOWN_SIGNAL or
VIR_DOMAIN_REBOOT_SIGNAL flags respectively. These will cause the
LXC driver to send a SIGTERM or SIGHUP signal, respectively, to the
init process instead of using /dev/initctl. Do not use the
virDomainDeviceAttach or virDomainDeviceDetach APIs at all unless
the guest OS is trusted.
Affected product
----------------
Name: libvirt
Repository: git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v1.0.1
Broken in: v1.0.2
Broken in: v1.0.3
Broken in: v1.0.4
Broken in: v1.0.5
Broken in: v1.0.6
Broken in: v1.0.0
Broken in: v1.1.1
Broken in: v1.1.2
Broken in: v1.1.3
Broken in: v1.1.4
Broken in: v1.2.0
Broken in: v1.2.1
Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
Fixed by: aebbcdd33c8c18891f0bdbbf8924599a28152c9c
Fixed by: 4dd3a7d5bc44980135a1b11810ba9aeab42a4a59
Fixed by: 7fba01c15c1f886b4235825692b4c13e88dd9f7b
Fixed by: 1754c7f0ab1407dcf7c89636a35711dd9b1febe1
Fixed by: 1cadeafcaa422844a27ef622e2a7041d0235bcb3
Fixed by: 5fc590ad9f4071350a8df4d567ba88baacc8334d
Branch: v1.0.1-maint
Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
Branch: v1.0.2-maint
Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
Branch: v1.0.3-maint
Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
Branch: v1.0.4-maint
Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
Branch: v1.0.5-maint
Broken in: v1.0.5.1
Broken in: v1.0.5.2
Broken in: v1.0.5.3
Broken in: v1.0.5.4
Broken in: v1.0.5.5
Broken in: v1.0.5.6
Broken in: v1.0.5.7
Broken in: v1.0.5.8
Broken in: v1.0.5.9
Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
Fixed by: f84056cf6166332b1f15f3e6584a88f5d42273fe
Fixed by: 0e9fee68b3bff24e4d3ab48de8129946202f3bc0
Fixed by: 9849cf6d89e5665667a0df449ddc3fd5582da242
Fixed by: 21821ed4d1faf5bf563a26e8ac7cd2eb0450d322
Fixed by: e57058cfe827b1971ca0dee224ff273c9cad7756
Fixed by: e1e7e05376faf1ed471cb5c1d1e0415458f2af7d
Branch: v1.0.6-maint
Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
Fixed by: e9941eee1a3c1cb0af7bc39076eb0e8c2c4eb603
Fixed by: 84cf9af8d9a803f2e12df0b8b0c2bd2de544cf93
Fixed by: f8706947b86e6de2961aacddb5eb2345d9c033b4
Fixed by: 081e0fabfd8c0f5c3f2c869ddcf11710c445a962
Fixed by: b2a853e1f6aea9683a30eafd2b069b8be0fcf898
Fixed by: bd9ec4506e29a9ce682961eee99d0326ed64145d
Branch: v1.1.0-maint
Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
Fixed by: 61c7e0b66e8b37d4ea64024c100d2ed467d5cb47
Fixed by: 43720035b7f4c175ef2594296d874bc1910840b3
Fixed by: 212414281f0001da78f2312d7f52dcf124317fc9
Fixed by: c17dd7ede2affd147ffdc5e8daef85939bda0dd0
Fixed by: ed46a680a02cf96b229a89f74ddbab69522c9ef5
Fixed by: 807db4a30ee903f973d496b3293d9e6aaa511174
Branch: v1.1.1-maint
Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
Fixed by: 6ecb7bc3aed7f60edad5289c9b0cfcf99eee6611
Fixed by: 72a4c29ca72789b13de1ed9cb96df9fb2b0fdde4
Fixed by: 83f83508e128275bd1b74988162dc6b9f86e00ee
Fixed by: 398c88edfaef50b9b59eb2d9a61b07c9c940a661
Fixed by: dd055960df60c536957664f0ae3c591feecf7b09
Fixed by: 14d69bd00e4455a1d174d14c5af73975cf9e904a
Branch: v1.1.2-maint
Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
Fixed by: f639b2d17ce935b650bb2aca7bdd8d727cab8b02
Fixed by: a06bdfcb446f182e490f70422a8431c3bcb2c801
Fixed by: 77ddbad2a9272239a09673c5d6993793308514e9
Fixed by: a6e9270ec79924fabd5a872984bb5d38eaf3df8a
Fixed by: eae2a2ada81c5828991bb1b9438f7556a7e51ce8
Fixed by: 21368274a9aa91e8a5f0addb3a6bba8dad91e334
Branch: v1.1.3-maint
Broken in: v1.1.3.1
Broken in: v1.1.3.2
Broken in: v1.1.3.3
Fixed in: v1.1.3.4
Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
Fixed by: a3a3cfcb7c400bcde198b5b929ff2d4f889dee78
Fixed by: cb016b9ef1a6d786657a98546db8412f86510367
Fixed by: 72e379ed93b4707e26bbc5e3457a85833f50eb1a
Fixed by: fcf05c194cb1cca6b5c703073b97ed1408a2c546
Fixed by: d5c0b57fffbe651c425b4de6c11712030cce7e7e
Fixed by: fef343339127b989746214b86901553da6d17863
Branch: v1.1.4-maint
Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
Fixed by: 28681077373f1fa567b7f56117a22047f90925fe
Fixed by: 0e931dfcda308fbb84eef42bc92e257e39af083d
Fixed by: 3101022b4d4fee46916b87b1c21a3956a91d94b2
Fixed by: 1d1daaf58677cfa843b6891a98dc6cdb42116434
Fixed by: 80f57ec4224af65392db09fb8f47be7434e2fc86
Fixed by: ba4065b6f64fca7706070b8458fdf0bc06115b9b
Branch: v1.2.0-maint
Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
Fixed by: 3e97a53caa9adddd47da1c22dbed81ef2e02f735
Fixed by: 17188260657e095f5d210bc73ba1661875a8f885
Fixed by: 70665ec5f2cd910666bc703727dc6d7c15efe7bf
Fixed by: 3f43a7727ac068de8aac6b9c030b38fb3cb1426d
Fixed by: cd48d62aca488a116b47073be2607653a1d3305e
Fixed by: 8fca7a4fa6b40d21723008d2092536349f20517d
Branch: v1.2.1-maint
Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
Fixed by: 8b546028f901dc414463678574ceabbacc37c4cb
Fixed by: b0ed2d94ace3c57198ce7b4793f906abf5397e36
Fixed by: ee1269eecd3566729f3909db624f7ebd7bf1b84a
Fixed by: b9997828231b3492252cb6d9a0ad4f3dc522791e
Fixed by: 51a897a22e1c031edd46fd077487a2f8e649cb9f
Fixed by: ad52184399aa414fa3d7e2756e4ea6a45ec0d3a3
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
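The notice above describes host code opening guest-controlled paths under /proc/$PID/root and being redirected by a symlink. As an added example (not libvirt code, and not the fix libvirt shipped, which its release notes describe as a helper for running code in separate namespaces), this C sketch contrasts a plain open() with a component-by-component walk that refuses symlinks. The names open_beneath, opened and demo are hypothetical, and the directory tree is constructed under /tmp to stand in for a guest root and a host directory.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened open: walk rel one component at a time from a root fd with
 * O_NOFOLLOW, so a symlink at any position fails; ".." is refused too. */
int open_beneath(const char *root, const char *rel, int flags)
{
    char buf[4096], *save = NULL, *comp, *next;
    int fd, dirfd;

    if (strlen(rel) >= sizeof(buf)) return -1;
    strcpy(buf, rel);
    if ((dirfd = open(root, O_RDONLY | O_DIRECTORY | O_CLOEXEC)) < 0) return -1;
    for (comp = strtok_r(buf, "/", &save); comp; comp = next) {
        next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0) break;
        fd = openat(dirfd, comp, (next ? O_RDONLY | O_DIRECTORY : flags)
                                     | O_NOFOLLOW | O_CLOEXEC);
        close(dirfd);
        if (fd < 0 || !next) return fd;   /* error, or final component opened */
        dirfd = fd;
    }
    close(dirfd);                         /* empty path or ".." seen */
    return -1;
}

static int opened(int fd) { if (fd >= 0) close(fd); return fd >= 0; }

/* Constructed tree: guest/ stands in for /proc/$PID/root and its "dev" is an
 * absolute symlink to host/dev. Returns 1|2|4 = 7 when all three checks hold. */
int demo(void)
{
    char base[] = "/tmp/lsn-demo-XXXXXX", hostdev[64];
    if (!mkdtemp(base) || chdir(base) != 0) return -1;
    snprintf(hostdev, sizeof(hostdev), "%s/host/dev", base);
    if (mkdir("host", 0700) || mkdir("host/dev", 0700) ||
        mkdir("guest", 0700) || symlink(hostdev, "guest/dev")) return -1;
    close(creat("host/dev/initctl", 0600));
    return opened(open("guest/dev/initctl", O_RDONLY))                 /* naive: follows symlink */
         + 2 * !opened(open_beneath("guest", "dev/initctl", O_RDONLY)) /* symlink refused */
         + 4 * opened(open_beneath("host", "dev/initctl", O_RDONLY));  /* real dirs still work */
}

int main(void) { printf("demo() = %d\n", demo()); return 0; }
```

The walk only covers opening an existing path; it leaves the temporary tree in place and does not handle O_CREAT.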
[Libvirt-announce] ANNOUNCE: libvirt 1.1.3.4 maintenance release
by Cole Robinson
libvirt 1.1.3.4 maintenance release is now available. This is
libvirt 1.1.3 with additional bugfixes that have accumulated
upstream since the initial release.
This release can be downloaded at:
http://libvirt.org/sources/stable_updates/libvirt-1.1.3.4.tar.gz
Changes in this version:
* CVE-2013-6456: Avoid unsafe use of /proc/$PID/root in LXC hotunplug
code
* CVE-2013-6456: Avoid unsafe use of /proc/$PID/root in LXC chardev
hostdev hotplug
* CVE-2013-6456: Avoid unsafe use of /proc/$PID/root in LXC block
hostdev hotplug
* CVE-2013-6456: Avoid unsafe use of /proc/$PID/root in LXC USB hotplug
* CVE-2013-6456: Avoid unsafe use of /proc/$PID/root in LXC disk hotplug
* CVE-2013-6456: Avoid unsafe use of /proc/$PID/root in LXC
shutdown/reboot code
* Add helper for running code in separate namespaces
* Add virFileMakeParentPath helper function
* Move check for cgroup devices ACL upfront in LXC hotplug
* Disks are always block devices, never character devices
* Fix reset of cgroup when detaching USB device from LXC guests
* Record hotplugged USB device in LXC live guest config
* Fix path used for USB device attach with LXC
* Don't block use of USB with containers
* storage: avoid short reads while chasing backing chain
* event: move event filtering to daemon (regression fix)
* Push nwfilter update locking up to top level
* Add a read/write lock implementation
* tests: Add more tests for virConnectBaselineCPU
* cpu: Try to use source CPU model in virConnectBaselineCPU
* cpu: Fix VIR_CONNECT_BASELINE_CPU_EXPAND_FEATURES
* tests: Better support for VIR_CONNECT_BASELINE_CPU_EXPAND_FEATURES
* qemu: Change the default unix monitor timeout
For info about past maintenance releases, see:
http://wiki.libvirt.org/page/Maintenance_Releases
Thanks,
Cole