From ${URL} : It was found that virsh does not properly sanitize addresses before passing them onto SSH. For example, `virsh -c 'qemu+ssh://root@-help/system' list` will list SSH's help message. No known or even potential exploitation vector is known and this issue is considered of low threat and priority. Upstream patch: http://libvirt.org/git/?p=libvirt.git;a=commit;h=e4cb8500810a310a10a6cb359e1b53fac03ed597 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Patch applied to version 3.6.0. commit 02110c0d470e8549a31ae8bf953c8bd514185c68 Author: Matthias Maier <tamiko@gentoo.org> Date: Thu Aug 31 20:48:57 2017 -0500 app-emulation/libvirt: version bump to 3.6.0, bug #627780 Package-Manager: Portage-2.3.6, Repoman-2.3.3
Let's stabilize in a week, not immediately. This issue hardly justifies rushing stabilization.
(In reply to Matthias Maier from comment #2) > Let's stabilize in a week, not immediately. > > This issue hardly justifies rushing stabilization. Very well. Keep in mind we will call for stabilization if the maintainer puts "stable" on the whiteboard. If you want to hold please mark it "stable?" This assists us in sorting/identifying bugs pending stable calls.
Arches, please stabilize =app-emulation/libvirt-3.6.0 =dev-python/libvirt-python-3.6.0
amd64 stable
x86 stable @ Maintainer(s): Please cleanup and drop <app-emulation/libvirt-3.6.0 and <dev-python/libvirt-python-3.6.0!
commit c122fff41902ba3749531883044eb6121ff4dc49 Author: Matthias Maier <tamiko@gentoo.org> Date: Wed Sep 27 10:05:24 2017 -0500 app-emulation/libvirt: drop old, bug #629462 Package-Manager: Portage-2.3.8, Repoman-2.3.3 commit ed84c3e512aa1c20678857517d370931cf9cca55 Author: Matthias Maier <tamiko@gentoo.org> Date: Wed Sep 27 10:04:15 2017 -0500 dev-python/libvirt-python: drop old, bug #629462 Package-Manager: Portage-2.3.8, Repoman-2.3.3
GLSA Vote: No