Bug 40317 - libvirt: multiple issues (4.1)
libvirt: multiple issues (4.1)
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.1
Other Linux
: P4 normal (vote)
: UCS 4.1-2-errata
Assigned To: Philipp Hahn
Erik Damrose
Depends on:
Blocks: 40318 41719
  Show dependency treegraph
Reported: 2015-12-21 12:26 CET by Arvid Requate
Modified: 2017-11-01 17:13 CET (History)
2 users (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2015-12-21 12:26:38 CET
The following issue has been identified in libvirt:

* ACL bypass using ../ to access beyond storage pool (CVE-2015-5313)
Comment 1 Philipp Hahn univentionstaff 2016-03-11 19:21:30 CET
The issue is minor and tagged no-dsa in Debian: <https://security-tracker.debian.org/tracker/CVE-2015-5313>

As we need to update libvirt anyway from our own 1.2.7, switch to 1.2.9 from Debian-Wheezy, which is maintained. The CVE was fixed by me for Debian, currently waiting for upload to jessie-proposed-updates.

Please note that UCS-3.3 also uses 1.2.9, so the version in 4.0 is actually lower than in 3.3!

$ repo_admin.py --cherrypick -r 4.0 -s errata4.0-4 --releasedest 4.1 --dest errata4.1-1 -p libvirt

r16168 | patch

Package: libvirt
Version: 1.2.9-9+deb8u2.138.201603111914
Branch: ucs_4.1-0
Scope: errata4.1-1

r68044 | Bug #40317 libvirt: YAML
Comment 2 Philipp Hahn univentionstaff 2016-03-14 12:30:49 CET
repo_admin.py --cherrypick -r 4.0 --releasedest 4.1 --dest errata4.1-1 -p libnl

Package: libnl
Version: 1.1-7.15.201603141220
Branch: ucs_4.1-0
Scope: errata4.1-1

r68064 | Bug #40317 libnl: YAML
Comment 3 Stefan Gohmann univentionstaff 2016-03-15 06:00:52 CET
See Jenkins tests:


[2016-03-14 20:41:39.117882]Die folgenden Pakete haben unerfüllte Abhängigkeiten:
[2016-03-14 20:41:39.117989] univention-virtual-machine-manager-node-kvm : Hängt ab von: libvirt-daemon-system soll aber nicht installiert werden
(2016-03-14 20:41:39.129813)E: Probleme können nicht korrigiert werden, Sie haben zurückgehaltene defekte Pakete.

(In reply to Philipp Hahn from comment #2)
> repo_admin.py --cherrypick -r 4.0 --releasedest 4.1 --dest errata4.1-1 -p
> libnl
> Package: libnl
> Version: 1.1-7.15.201603141220
> Branch: ucs_4.1-0
> Scope: errata4.1-1

Maybe the package is not yet maintained?
Comment 4 Philipp Hahn univentionstaff 2016-03-15 12:38:22 CET
$ repo_admin.py --cherrypick -r 4.0 --releasedest 4.1 --dest errata4.1-1 -p netcf

Package: netcf
Version: 0.1.9-2.5.201603151048
Branch: ucs_4.1-0
Scope: errata4.1-1

r68089 | Bug #40317 netcf: YAML
Comment 5 Erik Damrose univentionstaff 2016-05-04 13:19:02 CEST
Reopn: As this is the same version as Bug #40318, it suffers from the same issues, see there.
Comment 6 Philipp Hahn univentionstaff 2016-05-09 12:52:57 CEST
r16477 | Bug #40318 libvirt: qemu-kvm-1.1.2 JSON migration

Package: libvirt
Version: 1.2.9-9+deb8u2.141.201605091248
Branch: ucs_4.1-0
Scope: errata4.1-1
Comment 7 Erik Damrose univentionstaff 2016-05-11 16:29:11 CEST
OK: Patch for live migration applied
OK: Functionality
OK: I moved the yaml file to ucs 4.1-2 and adapted it to be released for 4.1-1,2
r69256 r69257

Comment 8 Philipp Hahn univentionstaff 2016-05-17 11:50:01 CEST
r69346 | Bug #40317 libvirt: Move additional YAML files