FEDORA-2019-b2dfb13daf

security update in Fedora 30 for libvirt

Status: stable 3 months ago
  • CVE-2019-10161: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API (bz #1722463, bz #1720115)
  • CVE-2019-10166: virDomainManagedSaveDefineXML API exposed to readonly clients (bz #1722462, bz #1720114)
  • CVE-2019-10167: arbitrary command execution via virConnectGetDomainCapabilities API (bz #1722464, bz #1720117)
  • CVE-2019-10168: arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs (bz #1722466, bz #1720118)
  • CVE-2019-3886: virsh domhostname command discloses guest hostname in readonly mode [fedora-rawhide
  • Cannot start VM with a CBR 2.0 TPM device (bz #1712556)
  • libvirtd does not update VM .xml configurations after virsh snapshot/blockcommit (bz #1722348)

How to install

sudo dnf upgrade --advisory=FEDORA-2019-b2dfb13daf

Comments 15

This update has been submitted for testing by crobinso.

This update test gating status has been changed to 'waiting'.

This update test gating status has been changed to 'ignored'.

This update has been pushed to testing.

karma: +1 critpath: +1

crobinso edited this update.

+1

karma: +1 critpath: +1

Works fine

karma: +1 critpath: +1
karma: +1 critpath: +1

WFM

karma: +1 critpath: +1

my VMs in virt-manager still work fine

karma: +1 critpath: +1

This update has reached the stable karma threshold and can be pushed to stable now if the maintainer wishes.

karma: +1 critpath: +1

This update has been submitted for stable by crobinso.

This update has been pushed to stable.

Content Type: RPM
Status: stable
Test Gating
Submitted by
Update Type: security
Update Severity: medium
Karma: +7 (stable threshold: 3, unstable threshold: -3)
Autopush (karma): Disabled
Autopush (time): Disabled
Dates: submitted 4 months ago, in testing 4 months ago, in stable 3 months ago, modified 4 months ago

Related Bugs 12

#1694880 CVE-2019-3886 libvirt: virsh domhostname command discloses guest hostname in readonly mode
#1696055 CVE-2019-3886 libvirt: virsh domhostname command discloses guest hostname in readonly mode [fedora-rawhide]
#1712556 Cannot start VM with a CBR 2.0 TPM device shows message "Failed to create v1 controller cpu for group: No such file or directory"
#1720114 CVE-2019-10166 libvirt: virDomainManagedSaveDefineXML API exposed to readonly clients
#1720115 CVE-2019-10161 libvirt: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API
#1720117 CVE-2019-10167 libvirt: arbitrary command execution via virConnectGetDomainCapabilities API
#1720118 CVE-2019-10168 libvirt: arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs
#1722348 libvirtd does not update VM .xml configurations on filesystem after virsh snapshot/blockcommit
#1722462 CVE-2019-10166 libvirt: virDomainManagedSaveDefineXML API exposed to readonly clients [fedora-all]
#1722463 CVE-2019-10161 libvirt: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API [fedora-all]
#1722464 CVE-2019-10167 libvirt: arbitrary command execution via virConnectGetDomainCapabilities API [fedora-all]
#1722466 CVE-2019-10168 libvirt: arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs [fedora-all]
