Univention Bugzilla – Bug 45635
libvirt: Multiple issues (4.2)
Last modified: 2018-05-09 14:46:43 CEST
Upstream Debian (stretch) package version 3.0.0-4+deb9u1 fixes:

* Libvirt does not properly handle the default_tls_x509_verify (and related) parameters in qemu.conf when setting up TLS clients and servers in QEMU, resulting in TLS clients for character devices and disk devices having verification turned off and ignoring any errors while validating the server certificate (CVE-2017-1000256)

In UCS 4.2 we shipped 3.0.0-2, which also has:

* Null pointer dereference when updating storage size on empty drives (CVE-2017-2635)

That has been fixed in 3.0.0-3.
r17995 | Bug #45635: libvirt
Package: libvirt
Version: 3.0.0-4~bpo8+1A~4.2.0.201801261804
Branch: ucs_4.2-0
Scope: errata4.2-3

9899da8936 Bug #45635: libvirt
--- mirror/ftp/4.2/unmaintained/4.2-0/source/libvirt_3.0.0-2A~4.2.0.201702200932.dsc +++ apt/ucs_4.2-0-errata4.2-3/source/libvirt_3.0.0-4~bpo8+1A~4.2.0.201801261804.dsc @@ -1,14 +1,35 @@ -3.0.0-2A~4.2.0.201702200932 [Mon, 20 Feb 2017 09:32:09 +0100] Univention builddaemon <buildd@univention.de>: +3.0.0-4~bpo8+1A~4.2.0.201801261804 [Fri, 26 Jan 2018 18:04:07 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 0001-Bug-35768-Bug-39685-Remove-UCS-dependencies - 0002-Revert-Add-Breaks-for-older-systemd 0021-Bug-19329-Allow-MD5-signatures 0022-Bug-21860-Default-to-kvm32 0023-Allow-to-migrate-and-undefine-domains-with-snapshots 0024-Bug-22072-Re-scan-for-snapshots-after-migration-and- 0025-Bug-40318-libvirt-Handle-qemu-kvm-1.1.2-migration-in 0026-Bug-21501-add-slash-screen-support + 0030-CVE-2017-1000256-qemu-ensure-TLS-clients-always-verify-the-server-cer + +3.0.0-4~bpo8+1 [Tue, 18 Apr 2017 23:09:46 +0200] Gaudenz Steinlin <gaudenz@debian.org>: + + * Rebuild for jessie-backports. + * [43f5a1] Revert "Enable numad support" + * [db9711] Change libxml2-dev build dependency to fixed version from jessie + * [bceb2c] Revert "Add Breaks for older systemd" + +3.0.0-4 [Fri, 17 Mar 2017 11:20:13 +0100] Guido Günther <agx@sigxcpu.org>: + + * [2a23b23] qemu: skip QMP probing of CPU definitions when missing. + Don't probe CPU definitions if we lack the monitor command. This + unbreaks e.g. mips based VMs. (Closes: #85412) + * [21bc332] apprarmor: unbreak lbvirt invoking qemu-bridge-helpers + This makes VM creation in gnome-boxes work with apparmor enabled. + +3.0.0-3 [Mon, 27 Feb 2017 20:07:41 +0100] Guido Günther <agx@sigxcpu.org>: + + * [62ad289] Debianize virtlogd + * [cb216b5] CVE-2017-2635: qemu: Don't update physical storage size of empty drives + (Closes: #856313) 3.0.0-2 [Wed, 25 Jan 2017 07:04:08 +0100] Guido Günther <agx@sigxcpu.org>:
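Review bot: the applied-patches list gains 0030-CVE-2017-1000256-qemu-ensure-TLS-clients-always-verify-the-server-cer, but the UCS changelog entry above it still says only "* UCS auto build.", so nothing in the changelog records the CVE being fixed or where the patch was taken from; add a line next to the patch entry naming CVE-2017-1000256 and its origin. The removal of 0002-Revert-Add-Breaks-for-older-systemd is accounted for by the newly included Debian entry "[bceb2c] Revert "Add Breaks for older systemd"", so that part of the hunk is consistent.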
* Obsolete patch removed:
  4.2-0-0-ucs/3.0.0-2/0002-Revert-Add-Breaks-for-older-systemd.patch
  which was introduced via http://forge.univention.org/bugzilla/show_bug.cgi?id=38877#c5

* New patch 4.2-0-0-ucs/3.0.0-4~bpo8+1-errata4.2-3/0030-CVE-2017-1000256-qemu-ensure-TLS-clients-always-verify-the-server-cer.quilt
  origin unknown, please explain:
  +Message-Id: <441d3eb6d1be940a67ce45a286602a967601b157.1516983401.git.hahn@univention.de>

* Missing upstream patches: Upstream there is 3.0.0-4+deb9u3, which fixes
  * CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent
  * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor
  * CVE-2018-6764: virlog: determine the hostname on startup

These other points are verified until now:
* All other UCS specific patches applied during rebuild
* Comparison to previously shipped version ok
* Installation Ok
* Advisory adjusted: 80c94b8420 | Sort CVEs
(In reply to Arvid Requate from comment #3)
> * Obsolete patch removed:
> 4.2-0-0-ucs/3.0.0-2/0002-Revert-Add-Breaks-for-older-systemd.patch
> which was introduced via
> http://forge.univention.org/bugzilla/show_bug.cgi?id=38877#c5

FYI: The patch is in Debian now and was thus dropped from UCS:
+3.0.0-4~bpo8+1 [Tue, 18 Apr 2017 23:09:46 +0200]
+ * [bceb2c] Revert "Add Breaks for older systemd"

> 4.2-0-0-ucs/3.0.0-4~bpo8+1-errata4.2-3/0030-CVE-2017-1000256-qemu-ensure-TLS-
> clients-always-verify-the-server-cer.quilt
> origin unknown, please explain:
> +Message-Id:
> <441d3eb6d1be940a67ce45a286602a967601b157.1516983401.git.hahn@univention.de>

Back in January the vulnerability was just published, but not yet included in the Debian package. The patch is from upstream-git:
$ git describe --tags --contains 441d3eb6d1be940a67ce45a286602a967601b157
CVE-2017-1000256^0
$ git describe --tags --contains 441d3eb6d1be940a67ce45a286602a967601b157 --match v\*
v3.9.0-rc1~150

> * Missing upstream patches: Upstream there is 3.0.0-4+deb9u3, which fixes
> * CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent
> * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor
> * CVE-2018-6764: virlog: determine the hostname on startup

1. and 3. are only in Debian-Stretch:
3.0.0-4+deb9u3 [Mon, 12 Mar 2018 19:11:51 +0100]
 * gbp: switch branch to stretch
 * CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent
 * CVE-2018-6764: virlog: determine the hostname on startup (Closes: #889839)
but not yet in the Debian-Jessie backport:
3.0.0-4+deb9u2~bpo8+1 [Mon, 19 Mar 2018 09:08:45 +0100]
 * Rebuild for jessie-backports.
3.0.0-4+deb9u2 [Sat, 20 Jan 2018 17:51:39 +0100]
 * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor (Closes: #887700)
 * qemu: shared disks with cache=directsync should be safe for migration.
   Thanks to Carsten Burkhardt (Closes: #883208)
3.0.0-4+deb9u1 [Mon, 16 Oct 2017 22:48:55 +0200]
 * CVE-2017-1000256: qemu: ensure TLS clients always verify the server certificate (Closes: #878799)
3.0.0-4~bpo8+1 [Tue, 18 Apr 2017 23:09:46 +0200]

I took deb9u2~bpo8,
- dropped 0030-CVE-2017-100025 as it is included in 3.0.0-4+deb9u1,
= skipped CVE-2018-5748 as it is in 3.0.0-4+deb9u2,
+ picked 0030-CVE-2018-1064 from 3.0.0-4+deb9u3
+ picked 0031-CVE-2018-6764 from 3.0.0-4+deb9u3

r18124 | Bug #45635: libvirt 4.2-3
$ repo_admin.py -U -p libvirt -d jessie-backports -r 4.2 -s errata4.2-3
Package: libvirt
Version: 3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928
Branch: ucs_4.2-0
Scope: errata4.2-3

[4.2-3] 059e5701c0 Bug #45635: libvirt 3.0.0-4+deb9u2~bpo8+1
 doc/errata/staging/libvirt.yaml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

QA: my quick test on xen1 was successful
--- mirror/ftp/4.2/unmaintained/4.2-0/source/libvirt_3.0.0-2A~4.2.0.201702200932.dsc +++ apt/ucs_4.2-0-errata4.2-3/source/libvirt_3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928.dsc 
@@ -1,14 +1,52 @@ -3.0.0-2A~4.2.0.201702200932 [Mon, 20 Feb 2017 09:32:09 +0100] Univention builddaemon <buildd@univention.de>: +3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928 [Tue, 08 May 2018 19:28:21 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 0001-Bug-35768-Bug-39685-Remove-UCS-dependencies - 0002-Revert-Add-Breaks-for-older-systemd 0021-Bug-19329-Allow-MD5-signatures 0022-Bug-21860-Default-to-kvm32 0023-Allow-to-migrate-and-undefine-domains-with-snapshots 0024-Bug-22072-Re-scan-for-snapshots-after-migration-and- 0025-Bug-40318-libvirt-Handle-qemu-kvm-1.1.2-migration-in 0026-Bug-21501-add-slash-screen-support + 0030-CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q + 0031-CVE-2018-6764-virlog-determine-the-hostname-on-startup + +3.0.0-4+deb9u2~bpo8+1 [Mon, 19 Mar 2018 09:08:45 +0100] Gaudenz Steinlin <gaudenz@debian.org>: + + * Rebuild for jessie-backports. + +3.0.0-4+deb9u2 [Sat, 20 Jan 2018 17:51:39 +0100] Guido Günther <agx@sigxcpu.org>: + + * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor + (Closes: #887700) + * qemu: shared disks with cache=directsync should be safe for migration. + Thanks to Carsten Burkhardt (Closes: #883208) + +3.0.0-4+deb9u1 [Mon, 16 Oct 2017 22:48:55 +0200] Guido Günther <agx@sigxcpu.org>: + + * CVE-2017-1000256: qemu: ensure TLS clients always verify the server + certificate (Closes: #878799) + +3.0.0-4~bpo8+1 [Tue, 18 Apr 2017 23:09:46 +0200] Gaudenz Steinlin <gaudenz@debian.org>: + + * Rebuild for jessie-backports. + * [43f5a1] Revert "Enable numad support" + * [db9711] Change libxml2-dev build dependency to fixed version from jessie + * [bceb2c] Revert "Add Breaks for older systemd" + +3.0.0-4 [Fri, 17 Mar 2017 11:20:13 +0100] Guido Günther <agx@sigxcpu.org>: + + * [2a23b23] qemu: skip QMP probing of CPU definitions when missing. + Don't probe CPU definitions if we lack the monitor command. 
This + unbreaks e.g. mips based VMs. (Closes: #85412) + * [21bc332] apprarmor: unbreak lbvirt invoking qemu-bridge-helpers + This makes VM creation in gnome-boxes work with apparmor enabled. + +3.0.0-3 [Mon, 27 Feb 2017 20:07:41 +0100] Guido Günther <agx@sigxcpu.org>: + + * [62ad289] Debianize virtlogd + * [cb216b5] CVE-2017-2635: qemu: Don't update physical storage size of empty drives + (Closes: #856313) 3.0.0-2 [Wed, 25 Jan 2017 07:04:08 +0100] Guido Günther <agx@sigxcpu.org>:
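Review bot: the applied-patches list adds 0030-CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q and 0031-CVE-2018-6764-virlog-determine-the-hostname-on-startup, but the newest Debian entry included in this changelog is 3.0.0-4+deb9u2 [Sat, 20 Jan 2018], whose only CVE line is CVE-2018-5748; the deb9u3 entry those two fixes come from is not part of the .dsc, so the hunk itself carries no record of their provenance. Put a line in the UCS changelog entry stating that 0030 and 0031 are taken from 3.0.0-4+deb9u3 (as described in comment #4), so the package documents where its backported fixes originate.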
Piuparts-result @ <http://10.200.17.11/4.2-3/#4537047368370645603>
Verified:
* Backported patches validated
* Patches applied during rebuild
* Binary package update Ok
* Advisory Ok

Reopen:
* Version in errata4.2-3 is now higher than version in ucs_4.3-0:

root@master10:~# dpkg --compare-versions \
  3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928 lt \
  3.0.0-4+deb9u1A~4.3.0.201711231149 || echo fail
fail
(In reply to Arvid Requate from comment #7)
> Reopen:
> * Version in errata4.2-3 is now higher than version in ucs_4.3-0:
>
> root@master10:~# dpkg --compare-versions \
> 3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928 lt \
> 3.0.0-4+deb9u1A~4.3.0.201711231149 || echo fail
> fail

$ ~/bin/deb-ver-comp ...
ucs-4.2-3     3.0.0-2A~4.2.0.201702200932
errata-4.2-3  3.0.0-4~bpo8+1A~4.2.0.201801261804
NEW-4.2-3     3.0.0-4~bpo8+deb9u2A~4.2.0.201805091348
ucs-4.3-0     3.0.0-4+deb9u1A~4.3.0.201711231149
BROKEN-4.2-3  3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928
errata-4.3-0  3.0.0-4+deb9u3A~4.3.0.201803150704

<http://xen1.knut.univention.de:8000/packages/source/libvirt/?since=4.2-0>

$ build-package-ng -r 4.2 -s errata4.2-3 -p libvirt -v 3.0.0-4~bpo8+deb9u2A~4.2.0.201805091348
Package: libvirt
Version: 3.0.0-4~bpo8+deb9u2A~4.2.0.201805091348
Branch: ucs_4.2-0
Scope: errata4.2-3

[4.2-3] afecd85183 Bug #45635: libvirt 3.0.0-4+deb9u2~bpo8+1
 doc/errata/staging/libvirt.yaml | 2 +-

OK: errata-announce -V --only libvirt.yaml
OK: <http://10.200.17.11/4.2-3/#932684729351261464>
--- mirror/ftp/4.2/unmaintained/4.2-0/source/libvirt_3.0.0-2A~4.2.0.201702200932.dsc +++ apt/ucs_4.2-0-errata4.2-3/source/libvirt_3.0.0-4~bpo8+deb9u2A~4.2.0.201805091348.dsc 
@@ -1,14 +1,52 @@ -3.0.0-2A~4.2.0.201702200932 [Mon, 20 Feb 2017 09:32:09 +0100] Univention builddaemon <buildd@univention.de>: +3.0.0-4~bpo8+deb9u2A~4.2.0.201805091348 [Wed, 09 May 2018 13:48:43 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 0001-Bug-35768-Bug-39685-Remove-UCS-dependencies - 0002-Revert-Add-Breaks-for-older-systemd 0021-Bug-19329-Allow-MD5-signatures 0022-Bug-21860-Default-to-kvm32 0023-Allow-to-migrate-and-undefine-domains-with-snapshots 0024-Bug-22072-Re-scan-for-snapshots-after-migration-and- 0025-Bug-40318-libvirt-Handle-qemu-kvm-1.1.2-migration-in 0026-Bug-21501-add-slash-screen-support + 0030-CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q + 0031-CVE-2018-6764-virlog-determine-the-hostname-on-startup + +3.0.0-4+deb9u2~bpo8+1 [Mon, 19 Mar 2018 09:08:45 +0100] Gaudenz Steinlin <gaudenz@debian.org>: + + * Rebuild for jessie-backports. + +3.0.0-4+deb9u2 [Sat, 20 Jan 2018 17:51:39 +0100] Guido Günther <agx@sigxcpu.org>: + + * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor + (Closes: #887700) + * qemu: shared disks with cache=directsync should be safe for migration. + Thanks to Carsten Burkhardt (Closes: #883208) + +3.0.0-4+deb9u1 [Mon, 16 Oct 2017 22:48:55 +0200] Guido Günther <agx@sigxcpu.org>: + + * CVE-2017-1000256: qemu: ensure TLS clients always verify the server + certificate (Closes: #878799) + +3.0.0-4~bpo8+1 [Tue, 18 Apr 2017 23:09:46 +0200] Gaudenz Steinlin <gaudenz@debian.org>: + + * Rebuild for jessie-backports. + * [43f5a1] Revert "Enable numad support" + * [db9711] Change libxml2-dev build dependency to fixed version from jessie + * [bceb2c] Revert "Add Breaks for older systemd" + +3.0.0-4 [Fri, 17 Mar 2017 11:20:13 +0100] Guido Günther <agx@sigxcpu.org>: + + * [2a23b23] qemu: skip QMP probing of CPU definitions when missing. + Don't probe CPU definitions if we lack the monitor command. 
This + unbreaks e.g. mips based VMs. (Closes: #85412) + * [21bc332] apprarmor: unbreak lbvirt invoking qemu-bridge-helpers + This makes VM creation in gnome-boxes work with apparmor enabled. + +3.0.0-3 [Mon, 27 Feb 2017 20:07:41 +0100] Guido Günther <agx@sigxcpu.org>: + + * [62ad289] Debianize virtlogd + * [cb216b5] CVE-2017-2635: qemu: Don't update physical storage size of empty drives + (Closes: #856313) 3.0.0-2 [Wed, 25 Jan 2017 07:04:08 +0100] Guido Günther <agx@sigxcpu.org>:
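Review bot: the UCS version in the header line is now 3.0.0-4~bpo8+deb9u2A~4.2.0.201805091348 while the first Debian entry beneath it still reads 3.0.0-4+deb9u2~bpo8+1, so the package version no longer mirrors the changelog entry it was built from. The renumbering is deliberate (the "~bpo8" makes the errata sort below the 4.3 version 3.0.0-4+deb9u1A~4.3.0.201711231149, see comments #7 and #8), but that reasoning lives only in the bug; a one-line note in the "UCS auto build" entry explaining why the version differs from Debian's would spare the next maintainer a dpkg --compare-versions investigation.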
Ok works now.
<http://errata.software-univention.de/ucs/4.2/415.html>