[Libvirt-announce] LSN-2019-0007: virConnect*HypervisorCPU do not check for read-only connection
by Ján Tomko
Libvirt Security Notice: LSN-2019-0007
======================================
Summary: virConnect*HypervisorCPU do not check for
read-only connection
Reported on: 20190604
Published on: 20190620
Fixed on: 20190620
Reported by: Ján Tomko <jtomko(a)redhat.com>
Patched by: Ján Tomko <jtomko(a)redhat.com>
See also: CVE-2019-10168
Description
-----------
The virConnect*HypervisorCPU APIs allow reporting CPU capabilities
from arbitrary emulator binaries without checking for a read-only
connection. This allows unprivileged users to execute arbitrary
binaries with elevated privileges.
Impact
------
The default libvirt configuration allows all local user accounts
read-only access to the libvirtd daemon. Any local user can provide
an arbitrary emulator, executing arbitrary binaries as the
configured QEMU user. Since v5.1.0, the emulator binary is run with
CAP_DAC_OVERRIDE, essentially having root privileges.
Workaround
----------
Edit the /etc/libvirt/libvirtd.conf configuration file, to set the
'unix_sock_ro_perms = "0700"' to prevent local users from connecting
to libvirt. Alternatively setup a policy kit rule to prevent them
access without first authenticating as root.
Affected product
----------------
Name: libvirt
Repository: git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v4.4.0
Broken in: v4.5.0
Broken in: v4.6.0
Broken in: v4.7.0
Broken in: v4.8.0
Broken in: v4.9.0
Broken in: v4.10.0
Broken in: v5.0.0
Broken in: v5.1.0
Broken in: v5.2.0
Broken in: v5.3.0
Broken in: v5.4.0
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: bf6c2830b6c338b1f5699b095df36f374777b291
Branch: v4.4-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: a6116fc8618300f6e2a082396812363310d1420f
Branch: v4.5-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: 415cc5c0644304fd1e1bb721a092cf65e07be79f
Branch: v4.6-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: 890965e8943a8837b41c3c6f366135ccfef48fb3
Branch: v4.7-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: f5ace9c05d59b70d4899199a187cb32ec6f600d8
Branch: v4.8-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: fc30929ffdf339d920b2e2183faf4373920bff6f
Branch: v4.9-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: dd88b69a207c1ed6e89d7e9fa6b5f4a9ec4db97c
Branch: v4.10-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: 09c2635d0deec198de0f250abc2958f2d1c09eaa
Branch: v5.0-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: 1ef98539a655109480628c91feac48c3c69675ef
Branch: v5.1-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: 2a3f95a40725f743b5189868bcc1a78d922517f6
Branch: v5.1.0-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Branch: v5.2-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: 45ae5e529d4e886f47dacca9dfe5a08d95a3425a
Branch: v5.3-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: d8e4d13446a0b04b757bd28c242a4cfecaaa8f1e
5 years, 5 months
[Libvirt-announce] LSN-2019-0006: virConnectGetDomainCapabilities does not check for read-only connection
by Ján Tomko
Libvirt Security Notice: LSN-2019-0006
======================================
Summary: virConnectGetDomainCapabilities does not check for
read-only connection
Reported on: 20190604
Published on: 20190620
Fixed on: 20190620
Reported by: Ján Tomko <jtomko(a)redhat.com>
Patched by: Ján Tomko <jtomko(a)redhat.com>
See also: CVE-2019-10167
Description
-----------
The virConnectGetDomainCapabilities API reports the domain
capabilities XML without checking for a read-only connection. This
allows unprivileged users to execute arbitrary binaries with
elevated privileges.
Impact
------
The default libvirt configuration allows all local user accounts
read-only access to the libvirtd daemon. Any local user can provide
an arbitrary emulator, executing arbitrary binaries as the
configured QEMU user. Since v5.1.0, the emulator binary is run with
CAP_DAC_OVERRIDE, essentially having root privileges.
Workaround
----------
Edit the /etc/libvirt/libvirtd.conf configuration file, to set the
'unix_sock_ro_perms = "0700"' to prevent local users from connecting
to libvirt. Alternatively setup a policy kit rule to prevent them
access without first authenticating as root.
Affected product
----------------
Name: libvirt
Repository: git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v1.2.19
Broken in: v1.2.20
Broken in: v1.2.21
Broken in: v1.3.0
Broken in: v1.3.1
Broken in: v1.3.2
Broken in: v1.3.3
Broken in: v1.3.4
Broken in: v1.3.5
Broken in: v2.0.0
Broken in: v2.1.0
Broken in: v2.2.0
Broken in: v2.3.0
Broken in: v2.4.0
Broken in: v2.5.0
Broken in: v3.0.0
Broken in: v3.1.0
Broken in: v3.2.0
Broken in: v3.3.0
Broken in: v3.4.0
Broken in: v3.5.0
Broken in: v3.6.0
Broken in: v3.7.0
Broken in: v3.8.0
Broken in: v3.9.0
Broken in: v3.10.0
Broken in: v4.0.0
Broken in: v4.1.0
Broken in: v4.2.0
Broken in: v4.3.0
Broken in: v4.4.0
Broken in: v4.5.0
Broken in: v4.6.0
Broken in: v4.7.0
Broken in: v4.8.0
Broken in: v4.9.0
Broken in: v4.10.0
Broken in: v5.0.0
Broken in: v5.1.0
Broken in: v5.2.0
Broken in: v5.3.0
Broken in: v5.4.0
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 8afa68bac0cf99d1f8aaa6566685c43c22622f26
Branch: v1.2.19-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 7d3b95b03880c8ade5f908dcb3d3c8b2d8e82a8f
Branch: v1.2.20-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: c5cc88c32320d46f27521aac69027baa3d426ff2
Branch: v1.2.21-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: badcb3662a5b28d3ed01c8ceff496e6197d12e3c
Branch: v1.3.0-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 6ba6bb236a7e293007eb21013d69f42dd1fb21c8
Branch: v1.3.1-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: be5d96d547ec54bc35e5eab6472ec900184ae837
Branch: v1.3.2-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: e433008df4867b43085961a0f8181ac9401e707b
Branch: v1.3.3-maint
Broken in: v1.3.3.1
Broken in: v1.3.3.2
Broken in: v1.3.3.3
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: a663e28410aa853675b8b090a1ffafa7c8711ead
Branch: v1.3.4-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: ab728b5658b307bcde90cf9e9d2e9c2cfb3e9de0
Branch: v1.3.5-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 5632ca00ef8b75ce600ebb7255d392339c07b967
Branch: v2.0-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 1e51b78a92fa2b381a5741599f4909c2516c0481
Branch: v2.1-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: e322b6f73dc2fb5eaab14406cc786361d17ffdc3
Branch: v2.2-maint
Broken in: v2.2.1
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: c97b296cf8b336ed1a3260af8c8bd79746cb2971
Branch: v3.0-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: bfea7de821a224782253061309e5005486b1b2f6
Branch: v3.2-maint
Broken in: v3.2.1
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 452fa3ae558bc842a88753fcdf0d1141a2fd212c
Branch: v3.7-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: d47a396e995180fd54a0f84cf137f024159b7967
Branch: v4.1-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 585be8edbef5ce4ef30e6c20386358ca1ba8e344
Branch: v4.2-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 4ce590b007d80b41abd00aba95f73c04e71ff53b
Branch: v4.3-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: f9b65fa812f6f121b7c5f5daa642f05310b4123c
Branch: v4.4-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 15502d85dd21d7badeb230285898fa28f67cba9d
Branch: v4.5-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: fd16bd525afeac6870ab3b747d9ee16002e2f1b2
Branch: v4.6-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 93edb0ea630556569320de83d45b100718f1391f
Branch: v4.7-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 5441f05a42a90779b0df86518286bf527e94aafb
Branch: v4.8-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 38a16f786794887cb2fd8e82d4b52e07a77d9f50
Branch: v4.9-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 6452b9fdff7988024a6157ca0a973ac3abf54468
Branch: v4.10-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: d238f132e6e0432a42d3cdff4571730dae3a85eb
Branch: v5.0-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 58f237d696310f3ac62e98b3b5e9cb98e13064e9
Branch: v5.1-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: c5085b7a9031f899c7bef0d2630aa77c461b92a6
Branch: v5.1.0-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Branch: v5.2-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 4f50f36c0004af0faf0f535b46e2a1841c2443d8
Branch: v5.3-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 97a737c58ff6080bd0e149830b860ef32b3d2acb
5 years, 5 months
[Libvirt-announce] LSN-2019-0005: virDomainManagedSaveDefineXML does not check for read-only connection
by Ján Tomko
Libvirt Security Notice: LSN-2019-0005
======================================
Summary: virDomainManagedSaveDefineXML does not check for
read-only connection
Reported on: 20190604
Published on: 20190620
Fixed on: 20190620
Reported by: Matthias Gerstner <mgerstner(a)suse.de>
Patched by: Ján Tomko <jtomko(a)redhat.com>
See also: CVE-2019-10166
Description
-----------
The virDomainManagedSaveDefineXML API redefines the manage-saved
domain XML without checking for a read-only connection. This allows
unprivileged users to check for existence of arbitrary files or
executing arbitrary binaries with elevated privileges.
Impact
------
The default libvirt configuration allows all local user accounts
read-only access to the libvirtd daemon. Any local user can provide
an arbitrary emulator, executing arbitrary binaries as the
configured QEMU user. Since v5.1.0, the emulator binary is run with
CAP_DAC_OVERRIDE, essentially having root privileges.
Workaround
----------
Edit the /etc/libvirt/libvirtd.conf configuration file, to set the
'unix_sock_ro_perms = "0700"' to prevent local users from connecting
to libvirt. Alternatively setup a policy kit rule to prevent them
access without first authenticating as root.
Affected product
----------------
Name: libvirt
Repository: git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v3.7.0
Broken in: v3.8.0
Broken in: v3.9.0
Broken in: v3.10.0
Broken in: v4.0.0
Broken in: v4.1.0
Broken in: v4.2.0
Broken in: v4.3.0
Broken in: v4.4.0
Broken in: v4.5.0
Broken in: v4.6.0
Broken in: v4.7.0
Broken in: v4.8.0
Broken in: v4.9.0
Broken in: v4.10.0
Broken in: v5.0.0
Broken in: v5.1.0
Broken in: v5.2.0
Broken in: v5.3.0
Broken in: v5.4.0
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: db0b78457f183e4c7ac45bc94de86044a1e2056a
Branch: v3.7-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: e7d9c8899fc7751201b46b6cf6bff4eadb38af2f
Branch: v4.1-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: d9a1f3debad411756f53ab8ab81e44ab0bb50e0a
Branch: v4.2-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: 1813138f6b00058285e325191d50c41ace39e5b3
Branch: v4.3-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: 9816854ac4e5ccd87cf82320b4550671e75f6509
Branch: v4.4-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: e777cce08e069e29deedec540d463ed70c29e92c
Branch: v4.5-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: d025c10d54975fe98927be85f33146e780c28d52
Branch: v4.6-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: 00e673c93fc3d0cfed274cc7a1ec2c52260c8262
Branch: v4.7-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: 6da721ea37bf3624ff9922637cfa657d2dcb20f9
Branch: v4.8-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: 6dc29a174ae204b1ae13fed0f533818ad6d24b9f
Branch: v4.9-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: 0a744e15517d727c7f473fabe32ca6b0dbb7b7d1
Branch: v4.10-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: 3f744efec31959f7643849f6a3708198bcdfc6ae
Branch: v5.0-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: a064d492272bcb0029b140ec4e18fce1ac0ec5b2
Branch: v5.1-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: 58c7c3fc4a0f15544c2054ed4682ff5d740681ab
Branch: v5.1.0-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Branch: v5.2-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: 96bca3af450cc62183b91a361f7024f93126bc49
Branch: v5.3-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: f4dabe99f7f46520f2967f3e068fcbeb54e617df
5 years, 5 months
[Libvirt-announce] LSN-2019-0004 virDomainSaveImageGetXMLDesc does not check for read-only connection
by Ján Tomko
Libvirt Security Notice: LSN-2019-0004
======================================
Summary: virDomainSaveImageGetXMLDesc does not check for
read-only connection
Reported on: 20190604
Published on: 20190620
Fixed on: 20190620
Reported by: Matthias Gerstner <mgerstner(a)suse.de>
Patched by: Ján Tomko <Ján Tomko>
See also: CVE-2019-10161
Description
-----------
The virDomainSaveImageGetXMLDesc accesses and parses arbitrary files
without checking for the read-only connection. This allows
unprivileged users to check for existence of arbitrary files or
executing arbitrary binaries with elevated privileges.
Impact
------
The default libvirt configuration allows all local user accounts
read-only access to the libvirtd daemon. Any local user can check
for the existence of an arbitrary file by watching for a different
error message. Additionally, since v1.2.19, by providing a crafted
save file pointing to an arbitrary emulator, executing arbitrary
binaries as the configured QEMU user is possible. Since v5.1.0, the
emulator binary is run with CAP_DAC_OVERRIDE, essentially having
root privileges.
Workaround
----------
Edit the /etc/libvirt/libvirtd.conf configuration file, to set the
'unix_sock_ro_perms = "0700"' to prevent local users from connecting
to libvirt. Alternatively setup a policy kit rule to prevent them
access without first authenticating as root.
Affected product
----------------
Name: libvirt
Repository: git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v0.9.4
Broken in: v0.9.5
Broken in: v0.9.6
Broken in: v0.9.7
Broken in: v0.9.8
Broken in: v0.9.9
Broken in: v0.9.10
Broken in: v0.9.11
Broken in: v0.9.12
Broken in: v0.9.13
Broken in: v0.10.0
Broken in: v0.10.1
Broken in: v0.10.2
Broken in: v1.0.0
Broken in: v1.0.1
Broken in: v1.0.2
Broken in: v1.0.3
Broken in: v1.0.4
Broken in: v1.0.5
Broken in: v1.0.6
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Broken in: v1.1.3
Broken in: v1.1.4
Broken in: v1.2.0
Broken in: v1.2.1
Broken in: v1.2.2
Broken in: v1.2.3
Broken in: v1.2.4
Broken in: v1.2.5
Broken in: v1.2.6
Broken in: v1.2.7
Broken in: v1.2.8
Broken in: v1.2.9
Broken in: v1.2.10
Broken in: v1.2.11
Broken in: v1.2.12
Broken in: v1.2.13
Broken in: v1.2.14
Broken in: v1.2.15
Broken in: v1.2.16
Broken in: v1.2.17
Broken in: v1.2.18
Broken in: v1.2.19
Broken in: v1.2.20
Broken in: v1.2.21
Broken in: v1.3.0
Broken in: v1.3.1
Broken in: v1.3.2
Broken in: v1.3.3
Broken in: v1.3.4
Broken in: v1.3.5
Broken in: v2.0.0
Broken in: v2.1.0
Broken in: v2.2.0
Broken in: v2.3.0
Broken in: v2.4.0
Broken in: v2.5.0
Broken in: v3.0.0
Broken in: v3.1.0
Broken in: v3.2.0
Broken in: v3.3.0
Broken in: v3.4.0
Broken in: v3.5.0
Broken in: v3.6.0
Broken in: v3.7.0
Broken in: v3.8.0
Broken in: v3.9.0
Broken in: v3.10.0
Broken in: v4.0.0
Broken in: v4.1.0
Broken in: v4.2.0
Broken in: v4.3.0
Broken in: v4.4.0
Broken in: v4.5.0
Broken in: v4.6.0
Broken in: v4.7.0
Broken in: v4.8.0
Broken in: v4.9.0
Broken in: v4.10.0
Broken in: v5.0.0
Broken in: v5.1.0
Broken in: v5.2.0
Broken in: v5.3.0
Broken in: v5.4.0
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: aed6a032cead4386472afb24b16196579e239580
Branch: v0.9.6-maint
Broken in: v0.9.6.1
Broken in: v0.9.6.2
Broken in: v0.9.6.3
Broken in: v0.9.6.4
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v0.9.11-maint
Broken in: v0.9.11.1
Broken in: v0.9.11.2
Broken in: v0.9.11.3
Broken in: v0.9.11.4
Broken in: v0.9.11.5
Broken in: v0.9.11.6
Broken in: v0.9.11.7
Broken in: v0.9.11.8
Broken in: v0.9.11.9
Broken in: v0.9.11.10
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v0.9.12-maint
Broken in: v0.9.12.1
Broken in: v0.9.12.2
Broken in: v0.9.12.3
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v0.10.2-maint
Broken in: v0.10.2.1
Broken in: v0.10.2.2
Broken in: v0.10.2.3
Broken in: v0.10.2.4
Broken in: v0.10.2.5
Broken in: v0.10.2.6
Broken in: v0.10.2.7
Broken in: v0.10.2.8
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.0.0-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.0.1-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.0.2-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.0.3-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.0.4-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.0.5-maint
Broken in: v1.0.5.1
Broken in: v1.0.5.2
Broken in: v1.0.5.3
Broken in: v1.0.5.4
Broken in: v1.0.5.5
Broken in: v1.0.5.6
Broken in: v1.0.5.7
Broken in: v1.0.5.8
Broken in: v1.0.5.9
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.0.6-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.1.0-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.1.1-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.1.2-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.1.3-maint
Broken in: v1.1.3.1
Broken in: v1.1.3.2
Broken in: v1.1.3.3
Broken in: v1.1.3.4
Broken in: v1.1.3.5
Broken in: v1.1.3.6
Broken in: v1.1.3.7
Broken in: v1.1.3.8
Broken in: v1.1.3.9
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.1.4-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.0-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.1-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.2-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.3-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.4-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.5-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.6-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.7-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.8-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.9-maint
Broken in: v1.2.9.1
Broken in: v1.2.9.2
Broken in: v1.2.9.3
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.10-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.11-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.12-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.13-maint
Broken in: v1.2.13.1
Broken in: v1.2.13.2
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.14-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.15-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.16-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.17-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.18-maint
Broken in: v1.2.18.1
Broken in: v1.2.18.2
Broken in: v1.2.18.3
Broken in: v1.2.18.4
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v1.2.19-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: 4e16e7a3fc44a14f27eda23e75bae75992339b3a
Branch: v1.2.20-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: 99ac102b8310adf50d16b62c533405eee6544cf2
Branch: v1.2.21-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: fa2016e751452163aa2e93baa6c9bfc239e31885
Branch: v1.3.0-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: 470d6f5546fd027f9945845f6aad72f33c829be9
Branch: v1.3.1-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: 980109c41c8bb55fd105809f2e063667721feaea
Branch: v1.3.2-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: 221397df7a5164bcc4d28f3157867db4894000d3
Branch: v1.3.3-maint
Broken in: v1.3.3.1
Broken in: v1.3.3.2
Broken in: v1.3.3.3
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: b22baef31258621b3bdb5036a84772bc6b6ec0a4
Branch: v1.3.4-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: a8ae178438be285b91c4871251ad1482c4e396df
Branch: v1.3.5-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: 70e83151456d386580708ade404ada41afac41dd
Branch: v2.0-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: a9e40f23207f464c322f4250b1373ff50ca71a85
Branch: v2.1-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: dea40b42188e883c4118b02527f5c02a6fbbac59
Branch: v2.2-maint
Broken in: v2.2.1
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: 97829dcb3889fd0a64ff32a72710303f59d7d5bf
Branch: v3.0-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: fb8c9f1305d108e5a43e83b72a86e41abfdeda86
Branch: v3.2-maint
Broken in: v3.2.1
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: ff5c64b94133b7b54e7359c63e1c2972531a4f5f
Branch: v3.7-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: 8cf159fed436634a7607964eeecefee59be63b33
Branch: v4.1-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: 1f8129c5db3952a57900b8cd1d94e629068e6aa5
Branch: v4.2-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: 7312304ec0a50db539c6e1714f2c9b3a9e38daa7
Branch: v4.3-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: 8832b8a44f960229c5aa0a803d26c0ab4aa827af
Branch: v4.4-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: bafe00de3c62f3638e449ba62d4d88b56188bafe
Branch: v4.5-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: 6a028b6e8228dd19283042e5edef3a45133630e8
Branch: v4.6-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: a27659643b8ae9b26b52fc857cdc5b301184e26e
Branch: v4.7-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: 3352c8af264a7b9b741208790ecca0bbc6733f42
Branch: v4.8-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: 56fadbbb25190d8ce0dcc54c550cc736a2fc5412
Branch: v4.9-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: 568c735d7b0ccb55f9476c86f8603eb3a5c9fc5c
Branch: v4.10-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: 3572564893d1710beb1862797fe32cc2e9cb1e38
Branch: v5.0-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: 6aa0c85be9f840a32fcec282185b5ed2513a3aa5
Branch: v5.1-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: 111bb6555c5082ebba3de8e73a4e21a1573a5409
Branch: v5.1.0-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Branch: v5.2-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: 3d9c8914663549e0cc0e822fa29b0a3a5bbc0fbd
Branch: v5.3-maint
Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
Fixed by: dae676751cee86eaad880ee9c654823ce0e021ad
5 years, 5 months
[Libvirt-announce] Release of libvirt-5.4.0
by Daniel Veillard
It's out ! The release is tagged in git, and I provided signed tarball
and source rpms to the usual place:
https://libvirt.org/sources/
I also cut off a 5.4.0 release of the python bindings but code is same a 5.3.0
one, you can find signed tarball and source rpms at:
https://libvirt.org/sources/python/
Main theme of this release is security, there is a set of advisory covered
so users are invited to update, along with some improvements and bug fixes.
Security:
- cpu: Introduce support for the md-clear CPUID bit
This bit is set when microcode provides the mechanism to invoke a flush
of various exploitable CPU buffers by invoking the x86 VERW
instruction. CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
CVE-2019-11091.
- Restrict user access to virt-admin, virtlogd and virtlockd
The intended users for these facilities are the root user and the
libvirtd service respectively, but these restrictions were not enforced
correctly. CVE-2019-10132.
Improvements:
- test driver: Expand API coverage
Several APIs that were missing from the test driver have now been
implemented.
- Avoid unnecessary static linking
Most binaries shipped as part of libvirt, for example virtlogd and
libvirt_iohelper, were embedding parts of the library even though they
also linked against the libvirt.so dynamic library. This is no longer
the case, which results in both the disk and memory footprint being
reduced.
- qemu: Report stat-htlb-pgalloc and stat-htlb-pgfail balloon stats
These stats have been introduced in QEMU 3.0.
Bug fixes:
- qemu: Fix emulator scheduler support
Setting the scheduler for QEMU's main thread before QEMU had a chance
to start up other threads was misleading as it would affect other
threads (vCPU and I/O) as well. In some particular situations this
could also lead to an error when the thread for vCPU #0 was being moved
to its cpu,cpuacct cgroup. This was fixed so that the scheduler for the
main thread is set after QEMU starts.
- apparmor: Allow hotplug of vhost-scsi devices
Thanks everybody who contributed to this release, be it with bug reports,
patches, reviews, docs ...
Enjoy !
Daniel
--
Daniel Veillard | Red Hat Developers Tools http://developer.redhat.com/
veillard(a)redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/
5 years, 6 months