Summary: | <app-emulation/libvirt-1.2.10-r2: deadlock and segfault in qemuConnectGetAllDomainStats (CVE-2014-8131) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | cardoe, tamiko, virtualization |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1172569 | ||
Whiteboard: | B3 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Kristian Fiskerstrand (RETIRED)
2014-12-10 22:03:17 UTC
*libvirt-1.2.10-r1 (10 Dec 2014)

10 Dec 2014; Matthias Maier <tamiko@gentoo.org> +files/libvirt-1.2.10-cve-2014-8131.patch, +libvirt-1.2.10-r1.ebuild, -libvirt-1.2.10.ebuild, -libvirt-1.2.9.1-r1.ebuild: fix for CVE-2014-8131, bug #532204, drop vulnerable unstable

Vulnerable version left in tree: 1.2.9-r2.

I wanted to start the stabilization of libvirt-1.2.10 today anyway. So we just go for it :-)

Arches, please mark stable app-emulation/libvirt-1.2.10-r1
Target keywords: amd64 x86

amd64 stable

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

11 Dec 2014; Matthias Maier <tamiko@gentoo.org> -libvirt-1.2.9-r2.ebuild: drop vulnerable version, CVE-2014-8131, bug #532204

GLSA Vote: No

*libvirt-1.2.10-r2 (11 Dec 2014)

11 Dec 2014; Matthias Maier <tamiko@gentoo.org> +files/libvirt-1.2.10-cve-2014-8131-part2.patch, +libvirt-1.2.10-r2.ebuild: Apply followup patch as well, CVE-2014-8131, bug #532204

The upstream patch 57023c0a3af4af1c547189c1f6712ed5edeb0c0b as applied in 1.2.10-r1 did open up another security issue [1]. Applied the followup commit cb104ef734dfea12cb8826dba7e2c98912c4b7e1 that fixes it to version 1.2.10-r2.

[1] https://www.redhat.com/archives/libvir-list/2014-December/msg00624.html

Arches, please stabilize app-emulation/libvirt-1.2.10-r2
Target-keywords: amd64 x86

amd64 stable

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

12 Dec 2014; Matthias Maier <tamiko@gentoo.org> -libvirt-1.2.10-r1.ebuild: drop vulnerable version, CVE-2014-8131, bug #532204

Added to existing GLSA request

This issue was resolved and addressed in GLSA 201412-36 at http://security.gentoo.org/glsa/glsa-201412-36.xml by GLSA coordinator Kristian Fiskerstrand (K_F).