From ${URL} :
A flaw was found in the way multiple events registration were handled in libvirt qemu driver. A remote user able to issue commands to libvirt daemon could use this flaw to crash libvirtd.
Upstream fix: http://libvirt.org/git/?p=libvirt.git;a=commit;h=f38c8185f97720ecae7ef2291fbaa5d6b0209e17
References: https://bugzilla.redhat.com/show_bug.cgi?id=981476
@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
*** Bug 476094 has been marked as a duplicate of this bug. ***
The fix was already in the tree when the embargo was lifted. The old package is removed and the only vulnerable version was only ever unstable. I used the old bug since my commit was automated with the end of the embargo.
Is it ready to stable?
There is a typo in the ebuild:
 * Cannot find $EPATCH_SOURCE! Value for $EPATCH_SOURCE is:
 *
 * /var/package-manager/portage/app-emulation/libvirt/files/ibvirt-1.1.0-CVE-2013-2230.patch
 * ( ibvirt-1.1.0-CVE-2013-2230.patch )
(In reply to Chris Reffett from comment #3)
> Is it ready to stable?
I don't see a need in stabling it as I said in comment #2. The affected version was only ever unstable, and wasn't ready for stabling in the first place.
(In reply to Doug Goldstein from comment #5)
> (In reply to Chris Reffett from comment #3)
> > Is it ready to stable?
>
> I don't see a need in stabling it as I said in comment #2. The affected
> version was only ever unstable, and wasn't ready for stabling in the first
> place.
Right, it was introduced in 1.0.6, closing as noglsa.
CVE-2013-2230 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2230): The qemu driver (qemu/qemu_driver.c) in libvirt before 1.1.1 allows remote authenticated users to cause a denial of service (daemon crash) via unspecified vectors involving "multiple events registration."