+-- On Mon, 5 Feb 2018, Daniel P. Berrangé wrote --+ | From: Lubomir Rintel <lkundrak@v3.sk> | | At later point it might not be possible or even safe to use getaddrinfo(). It | can in turn result in a load of NSS module. | | Notably, on a LXC container startup we may find ourselves with the guest | filesystem already having replaced the host one. Loading a NSS module | from the guest tree could allow a malicous guest to escape the | confinement of its container environment because libvirt will not yet | have locked it down. | --- | | NB, we're still awaiting CVE allocation before pushing to git 'CVE-2018-6764' has been assigned to this issue by Mitre. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F