LISTSERV - SCIENTIFIC-LINUX-ERRATA Archives

SCIENTIFIC-LINUX-ERRATA Archives

March 2015

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-ERRATA Home
	SCIENTIFIC-LINUX-ERRATA March 2015

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Security ERRATA Low: libvirt on SL7.x x86_64
From:	Pat Riehecky <[log in to unmask]>
Reply To:	[log in to unmask]
Date:	Wed, 25 Mar 2015 15:17:49 +0000
Content-Type:	text/plain
Parts/Attachments:	text/plain (106 lines)

Synopsis:          Low: libvirt security, bug fix, and enhancement update
Advisory ID:       SLSA-2015:0323-2
Issue Date:        2015-03-05
CVE Numbers:       CVE-2014-8136
                   CVE-2015-0236
--

It was found that QEMU's qemuDomainMigratePerform() and
qemuDomainMigrateFinish2() functions did not correctly perform a domain
unlock on a failed ACL check. A remote attacker able to establish a
connection to libvirtd could use this flaw to lock a domain of a more
privileged user, causing a denial of service. (CVE-2014-8136)

It was discovered that the virDomainSnapshotGetXMLDesc() and
virDomainSaveImageGetXMLDesc() functions did not sufficiently limit the
usage of the VIR_DOMAIN_XML_SECURE flag when fine-grained ACLs were
enabled. A remote attacker able to establish a connection to libvirtd
could use this flaw to obtain certain sensitive information from the
domain XML file. (CVE-2015-0236)

Bug fixes:

* The libvirtd daemon previously attempted to search for SELinux contexts
even when SELinux was disabled on the host. Consequently, libvirtd logged
"Unable to lookup SELinux process context" error messages every time a
client connected to libvirtd and SELinux was disabled. libvirtd now
verifies whether SELinux is enabled before searching for SELinux contexts,
and no longer logs the error messages on a host with SELinux disabled.

* The libvirt utility passed incomplete PCI addresses to QEMU.
Consequently, assigning a PCI device that had a PCI address with a non-
zero domain to a guest failed. Now, libvirt properly passes PCI domain to
QEMU when assigning PCI devices, which prevents the described problem.

* Because the virDomainSetMaxMemory API did not allow changing the current
memory in the LXC driver, the "virsh setmaxmem" command failed when
attempting to set the maximum memory to be lower than the current memory.
Now, "virsh setmaxmem" sets the current memory to the intended value of
the maximum memory, which avoids the mentioned problem.

* Attempting to start a non-existent domain caused network filters to stay
locked for read-only access. Because of this, subsequent attempts to gain
read-write access to network filters triggered a deadlock. Network filters
are now properly unlocked in the described scenario, and the deadlock no
longer occurs.

* If a guest configuration had an active nwfilter using the DHCP snooping
feature and an attempt was made to terminate libvirtd before the
associated nwfilter rule snooped the guest IP address from DHCP packets,
libvirtd became unresponsive. This problem has been fixed by setting a
longer wait time for snooping the guest IP address.

Enhancements:

* A new "migrate_host" option is now available in /etc/libvirt/qemu.conf,
which allows users to set a custom IP address to be used for incoming
migrations.

* With this update, libvirt is able to create a compressed memory-only
crash dump of a QEMU domain. This type of crash dump is directly readable
by the GNU Debugger and requires significantly less hard disk space than
the standard crash dump.

* Support for reporting the NUMA node distance of the host has been added
to libvirt. This enhances the current libvirt capabilities for reporting
NUMA topology of the host, and allows for easier optimization of new
domains.

* The XML file of guest and host capabilities generated by the "virsh
capabilities" command has been enhanced to list the following information,
where relevant: the interface speed and link status of the host, the PCI
Express (PCIe) details, the host's hardware support for I/O
virtualization, and a report on the huge memory pages.

These packages also include a number of other bug fixes and enhancements.

--

SL7
  x86_64
    libvirt-1.2.8-16.el7.x86_64.rpm
    libvirt-client-1.2.8-16.el7.i686.rpm
    libvirt-client-1.2.8-16.el7.x86_64.rpm
    libvirt-daemon-1.2.8-16.el7.x86_64.rpm
    libvirt-daemon-config-network-1.2.8-16.el7.x86_64.rpm
    libvirt-daemon-config-nwfilter-1.2.8-16.el7.x86_64.rpm
    libvirt-daemon-driver-interface-1.2.8-16.el7.x86_64.rpm
    libvirt-daemon-driver-lxc-1.2.8-16.el7.x86_64.rpm
    libvirt-daemon-driver-network-1.2.8-16.el7.x86_64.rpm
    libvirt-daemon-driver-nodedev-1.2.8-16.el7.x86_64.rpm
    libvirt-daemon-driver-nwfilter-1.2.8-16.el7.x86_64.rpm
    libvirt-daemon-driver-qemu-1.2.8-16.el7.x86_64.rpm
    libvirt-daemon-driver-secret-1.2.8-16.el7.x86_64.rpm
    libvirt-daemon-driver-storage-1.2.8-16.el7.x86_64.rpm
    libvirt-daemon-kvm-1.2.8-16.el7.x86_64.rpm
    libvirt-debuginfo-1.2.8-16.el7.i686.rpm
    libvirt-debuginfo-1.2.8-16.el7.x86_64.rpm
    libvirt-daemon-lxc-1.2.8-16.el7.x86_64.rpm
    libvirt-devel-1.2.8-16.el7.i686.rpm
    libvirt-devel-1.2.8-16.el7.x86_64.rpm
    libvirt-docs-1.2.8-16.el7.x86_64.rpm
    libvirt-lock-sanlock-1.2.8-16.el7.x86_64.rpm
    libvirt-login-shell-1.2.8-16.el7.x86_64.rpm

- Scientific Linux Development Team

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV