[libvirt] [sec-notice PATCH 1/2] maint: typo fixes

Noticed this while working on some additions. * docs/schema.txt: Typo fixes. * README: Refer to the schema. Signed-off-by: Eric Blake <eblake@redhat.com> --- README | 5 +++-- docs/schema.txt | 6 +++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/README b/README index 426d9ca..fa7f103 100644 --- a/README +++ b/README @@ -5,11 +5,12 @@ This repository records all Libvirt Security Notices that are issued. Notices must only added to this repository once any embargo is -lifted, since the GIT repository is fully public +lifted, since the GIT repository is fully public. Notices are written in XML in a file "notices/$YEAR/$NUM.xml" eg notices/2014/0001.xml. Assign numbers incrementally as -new issues are reported. +new issues are reported. More details on the XML format can +be found in "docs/schema.txt". When a new notice is published for the first time, send the text rendering of the notice to the libvirt-announce@redhat.com diff --git a/docs/schema.txt b/docs/schema.txt index ca8203a..189abef 100644 --- a/docs/schema.txt +++ b/docs/schema.txt @@ -2,7 +2,7 @@ ============================== The top level element of a libvirt security notice has -a name of "security-notice" and is in a XML namespace +a name of "security-notice" and is in an XML namespace of http://security.libvirt.org/xmlns/security-notice/1.0 Basic metadata @@ -45,7 +45,7 @@ resources. It will have one or more child elements which can be either "advisory" or "bug". An "advisory" element includes a "type" and "id" attribute where "type" is currently allowed to be "CVE" and "id" is the identifier -of the report. A "bug" elements incudes "tracker" and +of the report. A "bug" elements includes "tracker" and "id" attribute where "tracker" is allowed to be "redhat", "debian" or a short name for another vendors' bug tracker. 
@@ -74,7 +74,7 @@ Product data The "product" element provides information about the codebase of the affected products. The "name" attribute is the name of a libvirt product, typically based on the tar.gz archive name -with the suffice stripped. This contains a child "repository" +with the suffix stripped. This contains a child "repository" element which is a URL to the master GIT repository. There is then one or more "branch" elements which details the state of affected branches. -- 1.8.4.2
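Review bot: In the second docs/schema.txt hunk the corrected line still reads 'A "bug" elements includes "tracker" and', so subject and verb disagree; since the line is being touched anyway, make it 'A "bug" element includes'. The README hunk has a similar leftover in its context: 'Notices must only added to this repository' is missing "be", and it sits directly above the line this patch fixes, so it could be folded into the same change.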

Use of ${BASH_SOURCE[0]} is a syntax error in dash. Use of `` is pointless when we know we are in bash. * scripts/lsn2text: Make more robust. * scripts/lsn2html: Likewise. * scripts/lsn2indexhtml: Likewise. * scripts/lsn2index: Likewise. Signed-off-by: Eric Blake <eblake@redhat.com> --- scripts/lsn2html | 4 ++-- scripts/lsn2index | 4 ++-- scripts/lsn2indexhtml | 4 ++-- scripts/lsn2text | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/scripts/lsn2html b/scripts/lsn2html index 904bba6..68a5852 100755 --- a/scripts/lsn2html +++ b/scripts/lsn2html @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # Copyright (C) 2013-2014 Red Hat, Inc. # @@ -20,4 +20,4 @@ set -e DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -xsltproc $DIR/../templates/lsn2html.xsl $1 +xsltproc "$DIR/../templates/lsn2html.xsl" "$1" diff --git a/scripts/lsn2index b/scripts/lsn2index index 85224b3..e5523da 100755 --- a/scripts/lsn2index +++ b/scripts/lsn2index @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # Copyright (C) 2013-2014 Red Hat, Inc. # @@ -23,7 +23,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" echo '<security-notice-list xmlns="http://security.libvirt.org/xmlns/security-notice-list/1.0">' for n in $@ do - n=`echo $n | sed -e 's,notices/,,'` + n=$(echo $n | sed -e 's,notices/,,') echo " <security-notice name='$n'/>" done echo '</security-notice-list>' diff --git a/scripts/lsn2indexhtml b/scripts/lsn2indexhtml index 401dce9..993f14b 100755 --- a/scripts/lsn2indexhtml +++ b/scripts/lsn2indexhtml @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # Copyright (C) 2013-2014 Red Hat, Inc. # @@ -20,4 +20,4 @@ set -e DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -xsltproc $DIR/../templates/lsn2indexhtml.xsl $1 +xsltproc "$DIR/../templates/lsn2indexhtml.xsl" "$1" diff --git a/scripts/lsn2text b/scripts/lsn2text index 177712e..427a7d7 100755 --- a/scripts/lsn2text +++ b/scripts/lsn2text @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # Copyright (C) 2013-2014 Red Hat, Inc. # 
@@ -20,4 +20,4 @@ set -e DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -xsltproc $DIR/../templates/lsn2text.xsl $1 +xsltproc "$DIR/../templates/lsn2text.xsl" "$1" -- 1.8.4.2
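Review bot: The scripts/lsn2index hunk leaves the loop unquoted: 'for n in $@' and 'echo $n' still word-split and glob-expand their arguments, while the other three scripts now quote "$1". Use 'for n in "$@"' and quote the echo, or drop the sed pipeline in favour of a parameter expansion such as 'n=${n#notices/}'. The value is then written into name='$n' unescaped, so a path containing ' or & produces malformed XML; an escape step or a comment stating that notice paths never contain such characters would cover it.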

On Tue, Jan 21, 2014 at 11:37:16AM -0700, Eric Blake wrote:
Use of ${BASH_SOURCE[0]} is a syntax error in dash. Use of `` is pointless when we know we are in bash.
* scripts/lsn2text: Make more robust. * scripts/lsn2html: Likewise. * scripts/lsn2indexhtml: Likewise. * scripts/lsn2index: Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com> --- scripts/lsn2html | 4 ++-- scripts/lsn2index | 4 ++-- scripts/lsn2indexhtml | 4 ++-- scripts/lsn2text | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-)
ACK, unless there's a better way to write it in general shell without $BASE_SOURCE ? Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 01/22/2014 03:37 AM, Daniel P. Berrange wrote:
On Tue, Jan 21, 2014 at 11:37:16AM -0700, Eric Blake wrote:
Use of ${BASH_SOURCE[0]} is a syntax error in dash. Use of `` is pointless when we know we are in bash.
* scripts/lsn2text: Make more robust. * scripts/lsn2html: Likewise. * scripts/lsn2indexhtml: Likewise. * scripts/lsn2index: Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com> --- scripts/lsn2html | 4 ++-- scripts/lsn2index | 4 ++-- scripts/lsn2indexhtml | 4 ++-- scripts/lsn2text | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-)
ACK, unless there's a better way to write it in general shell without $BASE_SOURCE ?
Probably possible; I was just going with the path of least resistance. If you want me to respin this to be portable to dash, I can spend the time on that. Also, I noticed that the web pages at http://security.libvirt.org don't seem to be regenerated, even though it's been more than an hour since I pushed - are we missing a cron job somewhere, in relation to the claim made in the README? -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org

On Wed, Jan 22, 2014 at 06:41:43AM -0700, Eric Blake wrote:
On 01/22/2014 03:37 AM, Daniel P. Berrange wrote:
On Tue, Jan 21, 2014 at 11:37:16AM -0700, Eric Blake wrote:
Use of ${BASH_SOURCE[0]} is a syntax error in dash. Use of `` is pointless when we know we are in bash.
* scripts/lsn2text: Make more robust. * scripts/lsn2html: Likewise. * scripts/lsn2indexhtml: Likewise. * scripts/lsn2index: Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com> --- scripts/lsn2html | 4 ++-- scripts/lsn2index | 4 ++-- scripts/lsn2indexhtml | 4 ++-- scripts/lsn2text | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-)
ACK, unless there's a better way to write it in general shell without $BASE_SOURCE ?
Probably possible; I was just going with the path of least resistance. If you want me to respin this to be portable to dash, I can spend the time on that.
I don't mind either way - up to you if you want to spend time on it :-)
Also, I noticed that the web pages at http://security.libvirt.org don't seem to be regenerated, even though it's been more than an hour since I pushed - are we missing a cron job somewhere, in relation to the claim made in the README?
I don't see your changes in the public git repo actually. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 01/22/2014 06:44 AM, Daniel P. Berrange wrote:
Also, I noticed that the web pages at http://security.libvirt.org don't seem to be regenerated, even though it's been more than an hour since I pushed - are we missing a cron job somewhere, in relation to the claim made in the README?
I don't see your changes in the public git repo actually.
D'oh - that would explain it :) I thought I had pushed. But since I haven't, I can make the touchups you suggested. And I'm still working on LSN-2013-0020. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
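A POSIX sh sketch of the approach asked about in this sub-thread (resolving the script directory without `${BASH_SOURCE[0]}`), applied to the loop from scripts/lsn2index. This is an added example, not part of the thread or the project's code; the function names `script_dir`, `xml_attr_escape` and `notice_index` are hypothetical, and the sample paths in the comments are constructed.

```shell
#!/bin/sh
# Added example: dash-compatible variant of the scripts/lsn2index logic.
set -e

# script_dir PATH: absolute directory containing PATH (normally "$0").
# Unlike ${BASH_SOURCE[0]}, "$0" names the caller when the file is
# sourced, so this only suits scripts that are executed directly.
script_dir() {
    # CDPATH= stops cd from searching or printing other directories.
    (CDPATH= cd -- "$(dirname -- "$1")" && pwd)
}

# xml_attr_escape STRING: escape characters that would otherwise end or
# corrupt a single-quoted XML attribute value.
xml_attr_escape() {
    printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g' -e "s/'/\&apos;/g"
}

# notice_index FILE...: print the index document for the given notice
# paths, e.g. notices/2014/0001.xml (constructed sample path).
notice_index() {
    echo '<security-notice-list xmlns="http://security.libvirt.org/xmlns/security-notice-list/1.0">'
    # "$@" keeps each argument intact, even with spaces or glob characters.
    for n in "$@"
    do
        # Strips a leading "notices/" only; the sed call in the patch
        # removes the first occurrence anywhere in the string.
        n=${n#notices/}
        echo "  <security-notice name='$(xml_attr_escape "$n")'/>"
    done
    echo '</security-notice-list>'
}

# Behave like the original script when invoked with arguments.
[ "$#" -eq 0 ] || notice_index "$@"
```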

Cleanups found while revisiting some of my recent backport efforts, and documentation of recent releases. * notices/2014/0001.xml: Typo fix, more details. * notices/2014/0002.xml: Likewise. * notices/2013/0017.xml: Maintenance releases. Signed-off-by: Eric Blake <eblake@redhat.com> --- notices/2013/0017.xml | 3 +++ notices/2014/0001.xml | 18 +++++++++++++++++- notices/2014/0002.xml | 10 +++++++--- 3 files changed, 27 insertions(+), 4 deletions(-) diff --git a/notices/2013/0017.xml b/notices/2013/0017.xml index 67a9dc8..083b9fb 100644 --- a/notices/2013/0017.xml +++ b/notices/2013/0017.xml @@ -64,6 +64,7 @@ on higher privileged users.]]> <tag state="vulnerable">v1.1.4</tag> <tag state="vulnerable">v1.2.0</tag> <change state="vulnerable">cfed9ad4fb28e268e1467a0071c2fbc0c0873969</change> + <tag state="fixed">v1.2.1</tag> <change state="fixed">f8c1cb90213508c4f32549023b0572ed774e48aa</change> </branch> <branch> @@ -77,6 +78,7 @@ on higher privileged users.]]> <tag state="vulnerable">v1.0.5.7</tag> <tag state="vulnerable">v1.0.5.8</tag> <change state="vulnerable">cfed9ad4fb28e268e1467a0071c2fbc0c0873969</change> + <tag state="fixed">v1.0.5.9</tag> <change state="fixed">218bd2e8716bcb4c90acf6ecaf879d606b46606b</change> </branch> <branch> @@ -104,6 +106,7 @@ on higher privileged users.]]> <tag state="vulnerable">v1.1.3.1</tag> <tag state="vulnerable">v1.1.3.2</tag> <change state="vulnerable">cfed9ad4fb28e268e1467a0071c2fbc0c0873969</change> + <tag state="fixed">v1.1.3.3</tag> <change state="fixed">66247dc5fffe5b9447f4db377c5adf02e6db97c4</change> </branch> <branch> diff --git a/notices/2014/0001.xml b/notices/2014/0001.xml index 67657e3..dc93468 100644 --- a/notices/2014/0001.xml +++ b/notices/2014/0001.xml @@ -13,7 +13,7 @@ initialization.]]> </description> <impact> -<![CDATA[A malicious unprivileged client can caus the libvirtd daemon +<![CDATA[A malicious unprivileged client can cause the libvirtd daemon to crash leading to a denial of service]]> </impact> 
@@ -92,9 +92,23 @@ file]]> <tag state="vulnerable">v0.9.12.1</tag> <tag state="vulnerable">v0.9.12.2</tag> <change state="vulnerable">f4324e32927580e3620f0de3a0ec80334936e263</change> + <tag state="fixed">v0.9.12.3</tag> <change state="fixed">c385db5994842466ad3afd3ec4414dc67e41f8d3</change> </branch> <branch> + <name>v0.10.2-maint</name> + <tag state="vulnerable">v0.10.2.1</tag> + <tag state="vulnerable">v0.10.2.2</tag> + <tag state="vulnerable">v0.10.2.3</tag> + <tag state="vulnerable">v0.10.2.4</tag> + <tag state="vulnerable">v0.10.2.5</tag> + <tag state="vulnerable">v0.10.2.6</tag> + <tag state="vulnerable">v0.10.2.7</tag> + <tag state="vulnerable">v0.10.2.8</tag> + <change state="vulnerable">f4324e32927580e3620f0de3a0ec80334936e263</change> + <change state="fixed">35ed9796981cf7b939f28b60ca828824a0488a3a</change> + </branch> + <branch> <name>v1.0.2-maint</name> <change state="vulnerable">f4324e32927580e3620f0de3a0ec80334936e263</change> <change state="fixed">7fad864afa2f7137f5ebfa7874c70d2a2ca5c6b1</change> @@ -120,6 +134,7 @@ file]]> <tag state="vulnerable">v1.0.5.7</tag> <tag state="vulnerable">v1.0.5.8</tag> <change state="vulnerable">f4324e32927580e3620f0de3a0ec80334936e263</change> + <tag state="fixed">v1.0.5.9</tag> <change state="fixed">99f8d97aa7498ae06bfbefc0d4d71351d0831016</change> </branch> <branch> @@ -147,6 +162,7 @@ file]]> <tag state="vulnerable">v1.1.3.1</tag> <tag state="vulnerable">v1.1.3.2</tag> <change state="vulnerable">f4324e32927580e3620f0de3a0ec80334936e263</change> + <tag state="fixed">v1.1.3.3</tag> <change state="fixed">8342adeffb260c564edd4d7279fcb8c3499a997f</change> </branch> <branch> diff --git a/notices/2014/0002.xml b/notices/2014/0002.xml index acafda9..aa286a0 100644 --- a/notices/2014/0002.xml +++ b/notices/2014/0002.xml 
@@ -6,13 +6,15 @@ <description> <![CDATA[The asynchronous events were not filtered based on any permission check prior to being dispatched to the client. -This could lead to the client learning about the existance -of domains that they are not authorized to see]]> +This could lead to the client learning about the existence +of domains that they are not authorized to see.]]> </description> <impact> <![CDATA[A client can use events to learn of domains that -they are not authorized to see.]]> +they are not authorized to see. Additionally, the client +can use that object to attempt other actions on the domain, +such as starting or stopping it.]]> </impact> <workaround> @@ -38,6 +40,7 @@ they are not authorized to see.]]> <reference> <advisory type="CVE" id="2014-0028"/> + <bug tracker="redhat" id="1047964"/> </reference> <product name="libvirt"> @@ -74,6 +77,7 @@ they are not authorized to see.]]> <tag state="vulnerable">v1.1.3.1</tag> <tag state="vulnerable">v1.1.3.2</tag> <change state="vulnerable">ed3bac713c3cfc055ef551cbfe92a061084382c3</change> + <tag state="fixed">v1.1.3.3</tag> <change state="fixed">51afa9a255d7a073373ad4533eff58bd819890e8</change> </branch> <branch> -- 1.8.4.2
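Review bot: In the notices/2014/0001.xml hunk the new v0.10.2-maint branch lists eight vulnerable tags and a fixed change but no tag with state="fixed", whereas the other branches touched in this patch each gain one (v0.9.12.3, v1.0.5.9, v1.1.3.3). If no v0.10.2 maintenance release carries the fix yet, say so in the commit message so the omission reads as intentional. In notices/2014/0002.xml the added impact sentence says the client "can use that object", but the preceding sentence only mentions domains, so "that object" has no antecedent; name the object explicitly.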

On Tue, Jan 21, 2014 at 05:57:41PM -0700, Eric Blake wrote:
Cleanups found while revisiting some of my recent backport efforts, and documentation of recent releases.
* notices/2014/0001.xml: Typo fix, more details. * notices/2014/0002.xml: Likewise. * notices/2013/0017.xml: Maintenance releases.
Signed-off-by: Eric Blake <eblake@redhat.com> --- notices/2013/0017.xml | 3 +++ notices/2014/0001.xml | 18 +++++++++++++++++- notices/2014/0002.xml | 10 +++++++--- 3 files changed, 27 insertions(+), 4 deletions(-)
@@ -38,6 +40,7 @@ they are not authorized to see.]]>
<reference> <advisory type="CVE" id="2014-0028"/> + <bug tracker="redhat" id="1047964"/> </reference>
FYI, if the Red Hat bug has a CVE-XXXX-XXXX alias set, then I've avoided including it in the bug tracker reference here. ACK if that bug reference is removed. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

We still don't have a full solution for CVE-2013-6456. * notices/2013/0018.xml: several maint branches had a vulnerable release. Signed-off-by: Eric Blake <eblake@redhat.com> --- notices/2013/0018.xml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/notices/2013/0018.xml b/notices/2013/0018.xml index 5d250c8..275fcc5 100644 --- a/notices/2013/0018.xml +++ b/notices/2013/0018.xml @@ -42,6 +42,10 @@ unless the guest OS is trusted.]]> <name>Reco</name> <email>recoverym4n@gmail.com</email> </patcher> + <patcher> + <name>Eric Blake</name> + <email>eblake@redhat.com</email> + </patcher> </credits> <lifecycle> @@ -115,6 +119,7 @@ unless the guest OS is trusted.]]> <tag state="vulnerable">v1.0.5.6</tag> <tag state="vulnerable">v1.0.5.7</tag> <tag state="vulnerable">v1.0.5.8</tag> + <tag state="vulnerable">v1.0.5.9</tag> <change state="vulnerable">cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3</change> <change state="vulnerable">de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9</change> <change state="vulnerable">ed77abc58bc5a6837a5021f26e1a335dbfb477bf</change> @@ -157,6 +162,7 @@ unless the guest OS is trusted.]]> <name>v1.1.3-maint</name> <tag state="vulnerable">v1.1.3.1</tag> <tag state="vulnerable">v1.1.3.2</tag> + <tag state="vulnerable">v1.1.3.3</tag> <change state="vulnerable">cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3</change> <change state="vulnerable">de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9</change> <change state="vulnerable">ed77abc58bc5a6837a5021f26e1a335dbfb477bf</change> 
@@ -179,6 +185,14 @@ unless the guest OS is trusted.]]> <change state="vulnerable">a5efb3190913b6903775ca3756f79443d4ea8a5b</change> <change state="vulnerable">4ad6a013304f6fe29b0866742c902054bfbcf23f</change> </branch> + <branch> + <name>v1.2.1-maint</name> + <change state="vulnerable">cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3</change> + <change state="vulnerable">de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9</change> + <change state="vulnerable">ed77abc58bc5a6837a5021f26e1a335dbfb477bf</change> + <change state="vulnerable">a5efb3190913b6903775ca3756f79443d4ea8a5b</change> + <change state="vulnerable">4ad6a013304f6fe29b0866742c902054bfbcf23f</change> + </branch> </product> </security-notice> -- 1.8.4.2
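Review bot: The commit message only says that several maint branches had a vulnerable release, but the first hunk adds a patcher credit for Eric Blake and the last hunk adds a whole v1.2.1-maint branch; both deserve a line in the message. The new v1.2.1-maint entry also implies that the v1.2.1 release itself is affected, and none of the 14 inserted lines adds a vulnerable v1.2.1 tag to the master branch, so confirm that master already lists it.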

On Tue, Jan 21, 2014 at 05:57:42PM -0700, Eric Blake wrote:
We still don't have a full solution for CVE-2013-6456.
* notices/2013/0018.xml: several maint branches had a vulnerable release.
Signed-off-by: Eric Blake <eblake@redhat.com> --- notices/2013/0018.xml | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
ACK Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

All affected branches have been patched. * notices/2013/0019.xml: New file. Signed-off-by: Eric Blake <eblake@redhat.com> --- Pushing this and the earlier patches, since I already sent the corresponding email. I'm still working up LSN-2013-0020 for CVE-2013-6458 notices/2013/0019.xml | 97 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 notices/2013/0019.xml diff --git a/notices/2013/0019.xml b/notices/2013/0019.xml new file mode 100644 index 0000000..cc44e69 --- /dev/null +++ b/notices/2013/0019.xml 
@@ -0,0 +1,97 @@ +<security-notice xmlns="http://security.libvirt.org/xmlns/security-notice/1.0"> + <id>2013-0019</id> + + <summary>libvirtd crash when reading numa tunables for libxl guest in shutoff status</summary> + + <description> +<![CDATA[The libxlDomainGetNumaParameters method in the libxl driver +did not check whether the guest being accessed was running or +not. When shutoff, the code attempts to clean up an uninitialized +bitmap, causing malloc corruption most commonly observed as a crash.]]> + </description> + + <impact> +<![CDATA[A user who has permission to invoke the virDomainGetNumaParameters +API against the libxl driver will be able to crash the libvirtd +daemon. Access to this API is granted to any user who connects to the +read-only libvirtd UNIX domain socket. If ACLs are active, access is +granted to any user with the 'read' permission on the 'domain' object, +which is granted by default to all users. As a result an unprivileged +user will be able to inflict a denial of service attack on other users +of the libvirtd daemon with higher privilege.]]> + </impact> + + <workaround> +<![CDATA[The impact can be mitigated by blocking access to the read-only +libvirtd UNIX domain socket, with policykit or the 'auth_unix_ro' parameter +in '/etc/libvirt/libvirtd.conf'. If ACLs are active, the 'read' permission +should be removed from any untrusted users. 
This will not prevent the crash, +but will stop unprivileged users from inflicting the denial of service +on higher privileged users.]]> + </workaround> + + <credits> + <reporter> + <name>Dario Faggioli</name> + <email>dario.faggioli@citrix.com</email> + </reporter> + <patcher> + <name>Dario Faggioli</name> + <email>dario.faggioli@citrix.com</email> + </patcher> + </credits> + + <lifecycle> + <reported>20131220</reported> + <published>20131220</published> + <fixed>20131220</fixed> + </lifecycle> + + <reference> + <advisory type="CVE" id="2013-6457"/> + </reference> + + <product name="libvirt"> + <repository>libvirt.git</repository> + <branch> + <name>master</name> + <tag state="vulnerable">v1.1.1</tag> + <tag state="vulnerable">v1.1.2</tag> + <tag state="vulnerable">v1.1.3</tag> + <tag state="vulnerable">v1.1.4</tag> + <tag state="vulnerable">v1.2.0</tag> + <change state="vulnerable">261c4f5fb93c5e23b8002f2760d4a7937cdb7f63</change> + <tag state="fixed">v1.2.1</tag> + <change state="fixed">f9ee91d35510ccbc6fc42cef8864b291b2d220f4</change> + </branch> + <branch> + <name>v1.1.1-maint</name> + <change state="vulnerable">261c4f5fb93c5e23b8002f2760d4a7937cdb7f63</change> + <change state="fixed">d5f89a6dd725baf8bca1f1e28f5b858bf0053a99</change> + </branch> + <branch> + <name>v1.1.2-maint</name> + <change state="vulnerable">261c4f5fb93c5e23b8002f2760d4a7937cdb7f63</change> + <change state="fixed">52c40003805f1702f103095dc5c3d00cf38e7a82</change> + </branch> + <branch> + <name>v1.1.3-maint</name> + <tag state="vulnerable">v1.1.3.1</tag> + <tag state="vulnerable">v1.1.3.2</tag> + <change state="vulnerable">261c4f5fb93c5e23b8002f2760d4a7937cdb7f63</change> + <tag state="fixed">v1.1.3.3</tag> + <change state="fixed">5904ba60159ce67826f301e78103191600a07600</change> + </branch> + <branch> + <name>v1.1.4-maint</name> + <change state="vulnerable">261c4f5fb93c5e23b8002f2760d4a7937cdb7f63</change> + <change state="fixed">626eb91f964a032af56b448e63fde9f74e592290</change> + 
</branch> + <branch> + <name>v1.2.0-maint</name> + <change state="vulnerable">261c4f5fb93c5e23b8002f2760d4a7937cdb7f63</change> + <change state="fixed">36378d1a41464517d7c31d8854fcfd8f69221409</change> + </branch> + </product> + +</security-notice> -- 1.8.4.2
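Review bot: The product element carries <repository>libvirt.git</repository>, a bare name, while the docs/schema.txt text shown in the typo-fix patch of this thread describes "repository" as a URL to the master GIT repository; either put the full URL here or adjust the schema wording so that notices and documentation agree. Separately, the note placed after the "---" line ends without a full stop and mixes push status with future work; that is harmless since it is dropped on apply, but the CVE-2013-6458 follow-up would be easier to track in a cover letter.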

On Tue, Jan 21, 2014 at 05:57:43PM -0700, Eric Blake wrote:
All affected branches have been patched.
* notices/2013/0019.xml: New file.
Signed-off-by: Eric Blake <eblake@redhat.com> ---
Pushing this and the earlier patches, since I already sent the corresponding email. I'm still working up LSN-2013-0020 for CVE-2013-6458
notices/2013/0019.xml | 97 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 notices/2013/0019.xml
ACK Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On Tue, Jan 21, 2014 at 11:37:15AM -0700, Eric Blake wrote:
Noticed this while working on some additions.
* docs/schema.txt: Typo fixes. * README: Refer to the schema.
Signed-off-by: Eric Blake <eblake@redhat.com> --- README | 5 +++-- docs/schema.txt | 6 +++--- 2 files changed, 6 insertions(+), 5 deletions(-)
ACK, trivial. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
participants (2): Daniel P. Berrange, Eric Blake