[Libvirt-announce] ANNOUNCE: libvirt 1.1.3.8 maintenance release
by Cole Robinson
libvirt 1.1.3.8 maintenance release is now available. This is
libvirt 1.1.3 with additional bugfixes that have accumulated
upstream since the initial release.
This release can be downloaded at:
http://libvirt.org/sources/stable_updates/libvirt-1.1.3.8.tar.gz
I originally release 1.1.3.7, but then when I attempted to rebuild it I hit a
compile error. Really not sure why it didn't hit me during before. So 1.1.3.8
is a brown paper bag release.
Changes in version 1.1.3.7:
* CVE-2014-7823: dumpxml: security hole with migratable flag
* node_device_udev: Try harder to get human readable vendor:product
* tests: don't fail with newer gnutls
* Fix crash in virsystemdtest with dbus 1.7.6
* domain_conf: fix domain deadlock
* CVE-2014-3633: qemu: blkiotune: Use correct definition when looking up
disk
Changes in version 1.1.3.8:
* tests: Fix compilation
For info about past maintenance releases, see:
http://wiki.libvirt.org/page/Maintenance_Releases
Thanks,
Cole
9 years, 6 months
[Libvirt-announce] ANNOUNCE: libvirt 1.2.9.1 maintenance release
by Cole Robinson
libvirt 1.2.9.1 maintenance release is now available. This is
libvirt 1.2.9 with additional bugfixes that have accumulated
upstream since the initial release.
This release can be downloaded at:
http://libvirt.org/sources/stable_updates/libvirt-1.2.9.1.tar.gz
Changes in this version:
* qemu: Don't try to parse -help for new QEMU
* qemu: Always set migration capabilities
* nwfilter: fix deadlock caused updating network device and nwfilter
* qemuPrepareNVRAM: Save domain conf only if domain's persistent
* Do not crash on gluster snapshots with no host name
* Display nicer error message for unsupported chardev hotplug
* Fix virDomainChrEquals for spicevmc
* qemu: Update fsfreeze status on domain state transitions
* network: fix call virNetworkEventLifecycleNew when networkStartNetwork
fail
* Require at least one console for LXC domain
* Do not probe for power mgmt capabilities in lxc emulator
* util: fix releasing pidfile in cleanup
* qemu: stop NBD server after successful migration
* qemu: make sure capability probing process can start
* util: Introduce virPidFileForceCleanupPath
* qemu: make advice from numad available when building commandline
* qemu: Release nbd port from migrationPorts instead of remotePorts
* qemu: better error message when block job can't succeed
* test: Add test to verify helpers used for backing file name parsing
* storage: Fix crash when parsing backing store URI with schema
* remote: fix jump depends on uninitialised value
* qemu_agent: Produce more readable error messages
* qemu: forbid snapshot-delete --children-only on external snapshot
* tests: Add SELINUX_LIBS to fix viridentitytest linker bug
* qemu: migration: Make check for empty hook XML robust
* qemu: restore: Fix restoring of VM when the restore hook returns empty
XML
* util: string: Add helper to check whether string is empty
* virsh: domain: Use global constant for XML file size limit
* qemu: Fix hot unplug of SCSI_HOST device
* qemu: unref cfg after TerminateMachine has been called
* Add virCgroupTerminateMachine stub
* qemu: use systemd's TerminateMachine to kill all processes
* util: Prepare URI formatting for libxml2 >= 2.9.2
* security_selinux: Don't relabel /dev/net/tun
* util: eliminate "use after free" in callers of virNetDevLinkDump
* CVE-2014-7823: dumpxml: security hole with migratable flag
* qemu: x86_64 is good enough for i686
* qemu: Don't compare CPU against host for TCG
* qemu_command: Split qemuBuildCpuArgStr
For info about past maintenance releases, see:
http://wiki.libvirt.org/page/Maintenance_Releases
Thanks,
Cole
9 years, 6 months
[Libvirt-announce] LSN-2014-0007: CVE-2014-7823 virDomainGetXMLDesc leaks VNC passwords
by Eric Blake
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Libvirt Security Notice: LSN-2014-0007
======================================
Summary: virDomainGetXMLDesc leaks VNC passwords
Reported on: 20141031
Published on: 20141105
Fixed on: 20141106
Reported by: Eric Blake <eblake(a)redhat.com>
Patched by: Eric Blake <eblake(a)redhat.com>
See also: CVE-2014-7823
Description
- -----------
At the time the VIR_DOMAIN_XML_MIGRATABLE flag was added to the
virDomainGetXMLDesc API, the qemu implementation chose to make the
flag always imply the VIR_DOMAIN_XML_SECURE flag. The secure flag
had been previously deemed unsafe to use from a read-only
connection; however, because the new migratable flag is not
restricted against use by read-only clients, a client can use the
new flag to bypass the restrictions placed on the use of the old
flag.
Impact
- ------
A read-only client can trigger an information leak of data that
should normally require the use of VIR_DOMAIN_XML_SECURE to access.
Fortunately, the only data in this category is the value of an
optional VNC password.
Workaround
- ----------
VNC passwords are notoriously weak (they are capped at an 8 byte
maximum length; the VNC protocol sends them in plaintext over the
network; and FIPS mode execution prohibits the use of a VNC
password), so it is recommended that users not create domains with a
VNC password in the first place. Domains that do not use VNC
passwords do not suffer from information leaks; the use of SPICE
connections is recommended not only because it avoids the leak, but
also because SPICE provides better features than VNC for a guest
graphics device. It is also possible to prevent the leak by denying
access to read-only clients; for builds of libvirt that support
fine-grained ACLs, this course of action requires ensuring that no
user is granted the 'read' ACL privilege without also having the
'read_secure' privilege.
Affected product
- ----------------
Name: libvirt
Repository: git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v1.0.0
Broken in: v1.0.1
Broken in: v1.0.2
Broken in: v1.0.3
Broken in: v1.0.4
Broken in: v1.0.5
Broken in: v1.0.6
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Broken in: v1.1.3
Broken in: v1.1.4
Broken in: v1.2.0
Broken in: v1.2.1
Broken in: v1.2.2
Broken in: v1.2.3
Broken in: v1.2.4
Broken in: v1.2.5
Broken in: v1.2.6
Broken in: v1.2.7
Broken in: v1.2.8
Broken in: v1.2.9
Broken in: v1.2.10
Fixed in: v1.2.11
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b
Branch: v1.0.2-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 7b334c1660e926da7c0644c945263ce40a80443f
Branch: v1.0.3-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 220c6b867ca81f9027a7da54d5bc44b43c742d2a
Branch: v1.0.4-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 3b7ce055e37e92c34090fcfcc0b6eaa860aa94a9
Branch: v1.0.5-maint
Broken in: v1.0.5.1
Broken in: v1.0.5.2
Broken in: v1.0.5.3
Broken in: v1.0.5.4
Broken in: v1.0.5.5
Broken in: v1.0.5.6
Broken in: v1.0.5.7
Broken in: v1.0.5.8
Broken in: v1.0.5.9
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 107f1ff20edc805433cade910a00328158b1c231
Branch: v1.0.6-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 333c95c9f3fb1e3c42b37f79b7f186511e8f8264
Branch: v1.1.0-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 3d751cdcdbfac95b4a39a7db1b6e12e20838cb65
Branch: v1.1.1-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: f8c771335998f4d7a91b03c11526d819ee470dfc
Branch: v1.1.2-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 520ecab4ca09859d4de39cad7ae2e34272e0437e
Branch: v1.1.3-maint
Broken in: v1.1.3.1
Broken in: v1.1.3.2
Broken in: v1.1.3.3
Broken in: v1.1.3.4
Broken in: v1.1.3.5
Broken in: v1.1.3.6
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: bdbcf66ae72f82d45faa889a1208444f83f5756b
Branch: v1.1.4-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 4e3856c06a3362a17a5aff0b59c4bfffbd97d105
Branch: v1.2.0-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 757292bfb33b610daff0936d2205a90d5d787a1a
Branch: v1.2.1-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 3adae530f549448cecfb6212a2e48bf4b04931bd
Branch: v1.2.2-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: bd78e6f6362d2484b931f112506dfde9d053fcde
Branch: v1.2.3-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 2a924d876c146913b5309c5919900f29b2850012
Branch: v1.2.4-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 8c083ff081dfd6b3e6ed2053e98c8bdd780db834
Branch: v1.2.5-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 2cfd147c49d696a3641145ac8edb9e49a85a515d
Branch: v1.2.6-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 59fff7ff9866227f4be3224bac581e95f3c53bb1
Branch: v1.2.7-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 0ea4cd2f4a5b87647a6ebf13038049badd3222c8
Branch: v1.2.8-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: c7500ce36fc4654c41e92a8194771122110a3e66
Branch: v1.2.9-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 744ddb15e0feaf2d6603a88dc8ffc3a7eb0a452d
Branch: v1.2.10-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 11219f40f3d6132de7cf72287f136bae3747ad53
- --
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Public key at http://people.redhat.com/eblake/eblake.gpg
iQEcBAEBCAAGBQJUYQl6AAoJEKeha0olJ0NqioEH/jsMB2X5/nscAYiLytJ6jrJc
lgpmkuli0elYFlpdcj2aar0WsK2RQv9chuasc5Y4hWDslYhzPGkVBkTHceAbds3l
OAhotaob3NBhFGM9p5xoTCDKWTCGVkiSOOUFTyK5amDpUiA0AkHA7B8y1pA0kAY7
+rmXLUQtDcUCEpi7hZgD/9P3cD9CnVpNCBP6m0vUJoWPmyC+KzgETdfuqlRpmD1h
l0a/fGpaPXZkIaaomyGniimffFyxHZVlHnJHC9BBnVnCtBC/G1n2yUJmqBYTDIPd
C6UKZ78/kkOtRfdjVxGlR8USXEIINW+nvYPjVGcUL+zf0H0FE2wEZ5UGie6pfMs=
=6rpO
-----END PGP SIGNATURE-----
9 years, 6 months
[Libvirt-announce] Release of libvirt-python-1.2.10
by Daniel Veillard
I tagged and pushed a new version of libvirt-python,
it is available at:
ftp://libvirt.org/libvirt/python
it handle the new header split in libvirt-1.2.10 and fixes a
number of issues:
Documentation:
d Change the comment in getPyNodeCPUCount method reflecting correct called methods (Pradipta Kr. Banerjee)
Bug Fixes:
b virDomainBlockCopy: initialize flags to 0 (Pavel Hrdina)
b flags cannot get right value for blockCopy function (Pavel Hrdina)
b Fix rest of unsigned integer handling (Peter Krempa)
b Fix parsing of 'flags' argument for bulk stats functions (Luyao Huang)
b Fix function name when parsing arguments in libvirt_virNodeAllocPages (Peter Krempa)
Improvements:
i fix libvirt headers list (Dmitry Guryanov)
i Improve error output when use getTime with a nonzero flags. (Luyao Huang)
i setup.py: fix rpm build to return 1 on error (Pavel Hrdina)
i sanitytest: define long for python version >= 3 (Martin Kletzander)
i sanitytest: count with the fact that large enums can be long (Martin Kletzander)
i sanitytest: check for exported enums (Martin Kletzander)
Thanks everybody who contributed to this release !
Daniel
--
Daniel Veillard | Open Source and Standards, Red Hat
veillard(a)redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/
9 years, 6 months