From: Pat Riehecky <riehecky-13hema8v3vg <at> public.gmane.org>
Subject: Security ERRATA Moderate: libvirt on SL6.x i386/x86_64
Newsgroups: gmane.linux.scientific.errata
Date: Thursday 16th May 2013 18:05:25 UTC (over 3 years ago)
Synopsis:          Moderate: libvirt security and bug fix update
Advisory ID:       SLSA-2013:0831-1
Issue Date:        2013-05-16
CVE Numbers:       CVE-2013-1962
--

It was found that libvirtd leaked file descriptors when listing all
volumes for a particular pool. A remote attacker able to establish a read-
only connection to libvirtd could use this flaw to cause libvirtd to
consume all available file descriptors, preventing other users from using
libvirtd services (such as starting a new guest) until libvirtd is
restarted. (CVE-2013-1962)

This update also fixes the following bugs:

* Previously, libvirt made control group (cgroup) requests on files that
it should not have. With older kernels, such nonsensical cgroup requests
were ignored; however, newer kernels are stricter, resulting in libvirt
logging spurious warnings and failures to the libvirtd and audit logs. The
audit log failures displayed by the ausearch tool were similar to the
following:

root    [date] - failed     cgroup     allow     path     rw
/dev/kqemu

With this update, libvirt no longer attempts the nonsensical cgroup
actions, leaving only valid attempts in the libvirtd and audit logs
(making it easier to search for real cases of failure).

* Previously, libvirt used the wrong variable when constructing audit
messages. This led to invalid audit messages, causing ausearch to format
certain entries as having "path=(null)" instead of the correct path. This
could prevent ausearch from locating events related to cgroup device ACL
modifications for guests managed by libvirt. With this update, the audit
messages are generated correctly, preventing loss of audit coverage.

After installing the updated packages, libvirtd will be restarted
automatically.
--

SL6
  x86_64
    libvirt-0.10.2-18.el6_4.5.x86_64.rpm
    libvirt-client-0.10.2-18.el6_4.5.i686.rpm
    libvirt-client-0.10.2-18.el6_4.5.x86_64.rpm
    libvirt-debuginfo-0.10.2-18.el6_4.5.i686.rpm
    libvirt-debuginfo-0.10.2-18.el6_4.5.x86_64.rpm
    libvirt-python-0.10.2-18.el6_4.5.x86_64.rpm
    libvirt-devel-0.10.2-18.el6_4.5.i686.rpm
    libvirt-devel-0.10.2-18.el6_4.5.x86_64.rpm
    libvirt-lock-sanlock-0.10.2-18.el6_4.5.x86_64.rpm
  i386
    libvirt-0.10.2-18.el6_4.5.i686.rpm
    libvirt-client-0.10.2-18.el6_4.5.i686.rpm
    libvirt-debuginfo-0.10.2-18.el6_4.5.i686.rpm
    libvirt-python-0.10.2-18.el6_4.5.i686.rpm
    libvirt-devel-0.10.2-18.el6_4.5.i686.rpm

- Scientific Linux Development Team
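
As an added example (not part of the advisory and not libvirt code): a defender-side check for the descriptor exhaustion described under CVE-2013-1962, comparing a process's open file descriptors with its soft limit through Linux `/proc`. The function names, the 80% warning threshold and taking the PID from `pidof libvirtd` are assumptions.

```python
#!/usr/bin/env python3
"""Added example: warn when a daemon nears its open-file limit (Linux /proc)."""
import os
import re
import sys

def soft_nofile_limit(pid, proc_root="/proc"):
    """Soft 'Max open files' limit from <proc_root>/<pid>/limits; None if unlimited."""
    with open(os.path.join(proc_root, str(pid), "limits")) as fh:
        for line in fh:
            m = re.match(r"Max open files\s+(\S+)", line)
            if m:
                return None if m.group(1) == "unlimited" else int(m.group(1))
    raise ValueError("no 'Max open files' row found")

def open_fd_count(pid, proc_root="/proc"):
    """Number of descriptors currently open (needs root for a root-owned daemon)."""
    return len(os.listdir(os.path.join(proc_root, str(pid), "fd")))

def fd_pressure(pid, warn_ratio=0.8, proc_root="/proc"):
    """Return open count, soft limit, usage ratio and OK/WARN status for one PID.

    warn_ratio is an assumed threshold, not a value from the advisory.
    """
    used = open_fd_count(pid, proc_root)
    limit = soft_nofile_limit(pid, proc_root)
    ratio = used / limit if limit else 0.0
    status = "WARN" if ratio >= warn_ratio else "OK"
    return {"pid": pid, "open": used, "limit": limit, "ratio": ratio, "status": status}

if __name__ == "__main__":
    # Usage (assumed invocation): python3 fdcheck.py $(pidof libvirtd)
    worst = 0
    for arg in sys.argv[1:]:
        r = fd_pressure(int(arg))
        print("pid=%(pid)d open=%(open)d limit=%(limit)s status=%(status)s" % r)
        worst = max(worst, 1 if r["status"] == "WARN" else 0)
    sys.exit(worst)  # non-zero exit lets cron or a monitoring agent alert
```

A count that keeps climbing between runs while the number of guests and storage pools stays constant is the pattern to look for on a host that has not yet been updated.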
 