Univention Bugzilla – Bug 30788
libvirt: Multiple issues (3.1)
Last modified: 2019-04-11 19:23:55 CEST
Insecure group assigned to LVM devices (CVE-2013-1766):
This has low severity, since the group is empty by default and since it's a system group it would need to be added locally to /etc/group.
NULL pointer dereference in libvirtd (CVE-2013-4154):
| If users haven't configured guest agent then qemuAgentCommand() will
| dereference a NULL 'mon' pointer, which causes crash of libvirtd when
| using agent based cpu (un)plug.
|
| With the patch, when the qemu-ga service isn't running in the guest,
| an expected error "error: Guest agent is not responding: Guest agent
| not available for now" will be raised, and the error "error: argument
| unsupported: QEMU guest agent is not configured" is raised when the
| guest hasn't configured guest agent.
DoS in RPC handling (CVE-2013-4296) (the version from UCS 2.4 is not affected)
DoS in qemu job processing (CVE-2013-6458)
Denial of service in keepalive handling (CVE-2014-1447)
Denial of service / information disclosure through unlimited XML entity expansion (CVE-2014-0179)
Maintenance with bug and security fixes for UCS 3.1-x ended on 31st of May 2014. Maintenance of the UCS 3.x major series is continued by UCS 3.2-x, which is supplied with bug and security fixes. Customers still on UCS 3.1-x are encouraged to update to UCS 3.2. Please contact your partner or Univention if you have any questions.