[PATCH for 6.6.0] news: Document recent CVE fix
Document the fix of leaking /dev/mapper/control to QEMU (fixed in
v6.6.0-rc1-3-g2249455654).
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
NEWS.rst | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/NEWS.rst b/NEWS.rst
index ff977968c7..8b53d21b8a 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -33,6 +33,13 @@ v6.6.0 (unreleased)
* **Bug fixes**
+ * virdevmapper: Don't use libdevmapper to obtain dependencies
+
+ When building domain's private ``/dev`` in a namespace, libdevmapper was
+ consulted for getting full dependency tree of domain's disks. However, this
+ meant that libdevmapper opened ``/dev/mapper/control`` which wasn't closed
+ and was leaked to QEMU. CVE-2020-14339
+
v6.5.0 (2020-07-03)
===================
--
2.26.2