SCIENTIFIC-LINUX-ERRATA Archives

May 2013

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

From: Pat Riehecky <[log in to unmask]>
Date: Thu, 16 May 2013 18:05:25 +0000

Synopsis:          Moderate: libvirt security and bug fix update
Advisory ID:       SLSA-2013:0831-1
Issue Date:        2013-05-16
CVE Numbers:       CVE-2013-1962
--

It was found that libvirtd leaked file descriptors when listing all
volumes for a particular pool. A remote attacker able to establish a
read-only connection to libvirtd could use this flaw to cause libvirtd to
consume all available file descriptors, preventing other users from using
libvirtd services (such as starting a new guest) until libvirtd is
restarted. (CVE-2013-1962)

This update also fixes the following bugs:

* Previously, libvirt made control group (cgroup) requests on files that
it should not have. With older kernels, such nonsensical cgroup requests
were ignored; however, newer kernels are stricter, resulting in libvirt
logging spurious warnings and failures to the libvirtd and audit logs. The
audit log failures displayed by the ausearch tool were similar to the
following:

root    [date] - failed     cgroup     allow     path     rw     /dev/kqemu

With this update, libvirt no longer attempts the nonsensical cgroup
actions, leaving only valid attempts in the libvirtd and audit logs
(making it easier to search for real cases of failure).

* Previously, libvirt used the wrong variable when constructing audit
messages. This led to invalid audit messages, causing ausearch to format
certain entries as having "path=(null)" instead of the correct path. This
could prevent ausearch from locating events related to cgroup device ACL
modifications for guests managed by libvirt. With this update, the audit
messages are generated correctly, preventing loss of audit coverage.

After installing the updated packages, libvirtd will be restarted
automatically.
--

SL6
  x86_64
    libvirt-0.10.2-18.el6_4.5.x86_64.rpm
    libvirt-client-0.10.2-18.el6_4.5.i686.rpm
    libvirt-client-0.10.2-18.el6_4.5.x86_64.rpm
    libvirt-debuginfo-0.10.2-18.el6_4.5.i686.rpm
    libvirt-debuginfo-0.10.2-18.el6_4.5.x86_64.rpm
    libvirt-python-0.10.2-18.el6_4.5.x86_64.rpm
    libvirt-devel-0.10.2-18.el6_4.5.i686.rpm
    libvirt-devel-0.10.2-18.el6_4.5.x86_64.rpm
    libvirt-lock-sanlock-0.10.2-18.el6_4.5.x86_64.rpm
  i386
    libvirt-0.10.2-18.el6_4.5.i686.rpm
    libvirt-client-0.10.2-18.el6_4.5.i686.rpm
    libvirt-debuginfo-0.10.2-18.el6_4.5.i686.rpm
    libvirt-python-0.10.2-18.el6_4.5.i686.rpm
    libvirt-devel-0.10.2-18.el6_4.5.i686.rpm

- Scientific Linux Development Team
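
The file descriptor exhaustion described for CVE-2013-1962 can be watched for on the host by comparing a process's open descriptor count with its soft limit. The following is an added example, not part of the advisory or of libvirt; the function names, the 80 percent threshold in the usage comment and the constructed sample directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): report how close a process is to
# its open-file limit, using the /proc/<pid>/fd and /proc/<pid>/limits layout.

# fd_usage PROC_DIR -> prints "<open> <soft_limit> <percent>"; returns 2 on error.
fd_usage() {
    proc_dir=$1
    [ -d "$proc_dir/fd" ] && [ -r "$proc_dir/limits" ] || return 2
    # Each entry under fd/ is one open descriptor.
    open=$(ls -A "$proc_dir/fd" | wc -l | tr -d ' ')
    # Line format: "Max open files  <soft>  <hard>  files"; field 4 is the soft limit.
    soft=$(awk '/^Max open files/ {print $4}' "$proc_dir/limits")
    case $soft in
        ''|*[!0-9]*) return 2 ;;   # missing, or "unlimited": no ratio to compute
    esac
    [ "$soft" -gt 0 ] || return 2
    echo "$open $soft $((open * 100 / soft))"
}

# fd_alert PROC_DIR THRESHOLD -> 0 if usage is below THRESHOLD percent,
# 1 if at or above it, 2 if usage could not be determined.
fd_alert() {
    usage=$(fd_usage "$1") || return 2
    pct=${usage##* }
    [ "$pct" -lt "$2" ]
}

# Build a constructed stand-in for /proc/<pid> (sample data, not a real process).
# make_sample_proc DIR OPEN_COUNT SOFT_LIMIT
make_sample_proc() {
    mkdir -p "$1/fd"
    i=0
    while [ "$i" -lt "$2" ]; do : > "$1/fd/$i"; i=$((i + 1)); done
    printf '%-26s%-21s%-21s%s\n' 'Limit' 'Soft Limit' 'Hard Limit' 'Units' > "$1/limits"
    printf '%-26s%-21s%-21s%s\n' 'Max open files' "$3" 4096 'files' >> "$1/limits"
}

# Usage on a host, as root (threshold is an assumption, tune it locally):
#   fd_alert "/proc/$(pidof libvirtd)" 80 || echo "libvirtd descriptor usage is high"
```

A count that keeps climbing between runs while no guests or pools change is the signal to look for; a single high reading only shows a busy daemon.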
