Univention Bugzilla – Full Text Bug Listing
| Summary: | libvirt: Multiple issues (4.2) | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Arvid Requate <requate> |
| Component: | Security updates | Assignee: | Philipp Hahn <hahn> |
| Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
| Severity: | normal | | |
| Priority: | P5 | CC: | hahn |
| Version: | UCS 4.2 | Flags: | requate: Patch_Available+ |
| Target Milestone: | UCS 4.2-3-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | |
| Max CVSS v3 score: | 4.2 (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L) | | |
| Bug Depends on: | | | |
| Bug Blocks: | 41719 | | |
Description
Arvid Requate
2017-11-01 17:06:36 CET
r17995 | Bug #45635: libvirt
Package: libvirt
Version: 3.0.0-4~bpo8+1A~4.2.0.201801261804
Branch: ucs_4.2-0
Scope: errata4.2-3

9899da8936 Bug #45635: libvirt

--- mirror/ftp/4.2/unmaintained/4.2-0/source/libvirt_3.0.0-2A~4.2.0.201702200932.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/libvirt_3.0.0-4~bpo8+1A~4.2.0.201801261804.dsc
@@ -1,14 +1,35 @@ -3.0.0-2A~4.2.0.201702200932 [Mon, 20 Feb 2017 09:32:09 +0100] Univention builddaemon <buildd@univention.de>: +3.0.0-4~bpo8+1A~4.2.0.201801261804 [Fri, 26 Jan 2018 18:04:07 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 0001-Bug-35768-Bug-39685-Remove-UCS-dependencies - 0002-Revert-Add-Breaks-for-older-systemd 0021-Bug-19329-Allow-MD5-signatures 0022-Bug-21860-Default-to-kvm32 0023-Allow-to-migrate-and-undefine-domains-with-snapshots 0024-Bug-22072-Re-scan-for-snapshots-after-migration-and- 0025-Bug-40318-libvirt-Handle-qemu-kvm-1.1.2-migration-in 0026-Bug-21501-add-slash-screen-support + 0030-CVE-2017-1000256-qemu-ensure-TLS-clients-always-verify-the-server-cer + +3.0.0-4~bpo8+1 [Tue, 18 Apr 2017 23:09:46 +0200] Gaudenz Steinlin <gaudenz@debian.org>: + + * Rebuild for jessie-backports. + * [43f5a1] Revert "Enable numad support" + * [db9711] Change libxml2-dev build dependency to fixed version from jessie + * [bceb2c] Revert "Add Breaks for older systemd" + +3.0.0-4 [Fri, 17 Mar 2017 11:20:13 +0100] Guido Günther <agx@sigxcpu.org>: + + * [2a23b23] qemu: skip QMP probing of CPU definitions when missing. + Don't probe CPU definitions if we lack the monitor command. This + unbreaks e.g. mips based VMs. (Closes: #85412) + * [21bc332] apprarmor: unbreak lbvirt invoking qemu-bridge-helpers + This makes VM creation in gnome-boxes work with apparmor enabled. 
+ +3.0.0-3 [Mon, 27 Feb 2017 20:07:41 +0100] Guido Günther <agx@sigxcpu.org>: + + * [62ad289] Debianize virtlogd + * [cb216b5] CVE-2017-2635: qemu: Don't update physical storage size of empty drives + (Closes: #856313) 3.0.0-2 [Wed, 25 Jan 2017 07:04:08 +0100] Guido Günther <agx@sigxcpu.org>:

* Obsolete patch removed:
  4.2-0-0-ucs/3.0.0-2/0002-Revert-Add-Breaks-for-older-systemd.patch
  which was introduced via
  http://forge.univention.org/bugzilla/show_bug.cgi?id=38877#c5
* New patch
  4.2-0-0-ucs/3.0.0-4~bpo8+1-errata4.2-3/0030-CVE-2017-1000256-qemu-ensure-TLS-clients-always-verify-the-server-cer.quilt
  origin unknown, please explain:
  +Message-Id: <441d3eb6d1be940a67ce45a286602a967601b157.1516983401.git.hahn@univention.de>
* Missing upstream patches: Upstream there is 3.0.0-4+deb9u3, which fixes
  * CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent
  * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor
  * CVE-2018-6764: virlog: determine the hostname on startup

These other points are verified until now:
* All other UCS specific patches applied during rebuild
* Comparison to previously shipped version ok
* Installation Ok
* Advisory adjusted: 80c94b8420 | Sort CVEs

(In reply to Arvid Requate from comment #3)
> * Obsolete patch removed:
> 4.2-0-0-ucs/3.0.0-2/0002-Revert-Add-Breaks-for-older-systemd.patch
> which was introduced via
> http://forge.univention.org/bugzilla/show_bug.cgi?id=38877#c5

FYI: The patch is in Debian now and was thus dropped from UCS:
+3.0.0-4~bpo8+1 [Tue, 18 Apr 2017 23:09:46 +0200]
+ * [bceb2c] Revert "Add Breaks for older systemd"

> 4.2-0-0-ucs/3.0.0-4~bpo8+1-errata4.2-3/0030-CVE-2017-1000256-qemu-ensure-TLS-
> clients-always-verify-the-server-cer.quilt
> origin unknown, please explain:
> +Message-Id:
> <441d3eb6d1be940a67ce45a286602a967601b157.1516983401.git.hahn@univention.de>

Back in January the vulnerability was just published, but not yet included in the Debian package.
The patch is from upstream-git:

$ git describe --tags --contains 441d3eb6d1be940a67ce45a286602a967601b157
CVE-2017-1000256^0
$ git describe --tags --contains 441d3eb6d1be940a67ce45a286602a967601b157 --match v\*
v3.9.0-rc1~150

> * Missing upstream patches: Upstream there is 3.0.0-4+deb9u3, which fixes
> * CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent
> * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor
> * CVE-2018-6764: virlog: determine the hostname on startup

1. and 3. are only in Debian-Stretch:

3.0.0-4+deb9u3 [Mon, 12 Mar 2018 19:11:51 +0100]
  * gbp: switch branch to stretch
  * CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent
  * CVE-2018-6764: virlog: determine the hostname on startup (Closes: #889839)

but not yet in the Debian-Jessie backport:

3.0.0-4+deb9u2~bpo8+1 [Mon, 19 Mar 2018 09:08:45 +0100]
  * Rebuild for jessie-backports.
3.0.0-4+deb9u2 [Sat, 20 Jan 2018 17:51:39 +0100]
  * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor (Closes: #887700)
  * qemu: shared disks with cache=directsync should be safe for migration.
    Thanks to Carsten Burkhardt (Closes: #883208)
3.0.0-4+deb9u1 [Mon, 16 Oct 2017 22:48:55 +0200]
  * CVE-2017-1000256: qemu: ensure TLS clients always verify the server certificate (Closes: #878799)
3.0.0-4~bpo8+1 [Tue, 18 Apr 2017 23:09:46 +0200]

I took deb9u2~bpo8,
- dropped 0030-CVE-2017-100025 as it is included in 3.0.0-4+deb9u1,
= skipped CVE-2018-5748 as it is in 3.0.0-4+deb9u2,
+ picked 0030-CVE-2018-1064 from 3.0.0-4+deb9u3
+ picked 0031-CVE-2018-6764 from 3.0.0-4+deb9u3

r18124 | Bug #45635: libvirt 4.2-3
$ repo_admin.py -U -p libvirt -d jessie-backports -r 4.2 -s errata4.2-3
Package: libvirt
Version: 3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928
Branch: ucs_4.2-0
Scope: errata4.2-3

[4.2-3] 059e5701c0 Bug #45635: libvirt 3.0.0-4+deb9u2~bpo8+1
 doc/errata/staging/libvirt.yaml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

QA: my quick test on xen1 was successful

--- mirror/ftp/4.2/unmaintained/4.2-0/source/libvirt_3.0.0-2A~4.2.0.201702200932.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/libvirt_3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928.dsc
@@ -1,14 +1,52 @@ -3.0.0-2A~4.2.0.201702200932 [Mon, 20 Feb 2017 09:32:09 +0100] Univention builddaemon <buildd@univention.de>: +3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928 [Tue, 08 May 2018 19:28:21 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 0001-Bug-35768-Bug-39685-Remove-UCS-dependencies - 0002-Revert-Add-Breaks-for-older-systemd 0021-Bug-19329-Allow-MD5-signatures 0022-Bug-21860-Default-to-kvm32 0023-Allow-to-migrate-and-undefine-domains-with-snapshots 0024-Bug-22072-Re-scan-for-snapshots-after-migration-and- 0025-Bug-40318-libvirt-Handle-qemu-kvm-1.1.2-migration-in 0026-Bug-21501-add-slash-screen-support + 0030-CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q + 0031-CVE-2018-6764-virlog-determine-the-hostname-on-startup + +3.0.0-4+deb9u2~bpo8+1 [Mon, 19 Mar 2018 09:08:45 +0100] Gaudenz Steinlin <gaudenz@debian.org>: + + * Rebuild for jessie-backports. + +3.0.0-4+deb9u2 [Sat, 20 Jan 2018 17:51:39 +0100] Guido Günther <agx@sigxcpu.org>: + + * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor + (Closes: #887700) + * qemu: shared disks with cache=directsync should be safe for migration. + Thanks to Carsten Burkhardt (Closes: #883208) + +3.0.0-4+deb9u1 [Mon, 16 Oct 2017 22:48:55 +0200] Guido Günther <agx@sigxcpu.org>: + + * CVE-2017-1000256: qemu: ensure TLS clients always verify the server + certificate (Closes: #878799) + +3.0.0-4~bpo8+1 [Tue, 18 Apr 2017 23:09:46 +0200] Gaudenz Steinlin <gaudenz@debian.org>: + + * Rebuild for jessie-backports. + * [43f5a1] Revert "Enable numad support" + * [db9711] Change libxml2-dev build dependency to fixed version from jessie + * [bceb2c] Revert "Add Breaks for older systemd" + +3.0.0-4 [Fri, 17 Mar 2017 11:20:13 +0100] Guido Günther <agx@sigxcpu.org>: + + * [2a23b23] qemu: skip QMP probing of CPU definitions when missing. + Don't probe CPU definitions if we lack the monitor command. 
This + unbreaks e.g. mips based VMs. (Closes: #85412) + * [21bc332] apprarmor: unbreak lbvirt invoking qemu-bridge-helpers + This makes VM creation in gnome-boxes work with apparmor enabled. + +3.0.0-3 [Mon, 27 Feb 2017 20:07:41 +0100] Guido Günther <agx@sigxcpu.org>: + + * [62ad289] Debianize virtlogd + * [cb216b5] CVE-2017-2635: qemu: Don't update physical storage size of empty drives + (Closes: #856313) 3.0.0-2 [Wed, 25 Jan 2017 07:04:08 +0100] Guido Günther <agx@sigxcpu.org>:

Piuparts-result @ <http://10.200.17.11/4.2-3/#4537047368370645603>

Verified:
* Backported patches validated
* Patches applied during rebuild
* Binary package update Ok
* Advisory Ok

Reopen:
* Version in errata4.2-3 is now higher than version in ucs_4.3-0:

root@master10:~# dpkg --compare-versions \
  3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928 lt \
  3.0.0-4+deb9u1A~4.3.0.201711231149 || echo fail
fail

(In reply to Arvid Requate from comment #7)
> Reopen:
> * Version in errata4.2-3 is now higher than version in ucs_4.3-0:
>
> root@master10:~# dpkg --compare-versions \
> 3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928 lt \
> 3.0.0-4+deb9u1A~4.3.0.201711231149 || echo fail
> fail

$ ~/bin/deb-ver-comp ...
ucs-4.2-3     3.0.0-2A~4.2.0.201702200932
errata-4.2-3  3.0.0-4~bpo8+1A~4.2.0.201801261804
NEW-4.2-3     3.0.0-4~bpo8+deb9u2A~4.2.0.201805091348
ucs-4.3-0     3.0.0-4+deb9u1A~4.3.0.201711231149
BROKEN-4.2-3  3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928
errata-4.3-0  3.0.0-4+deb9u3A~4.3.0.201803150704

<http://xen1.knut.univention.de:8000/packages/source/libvirt/?since=4.2-0>

$ build-package-ng -r 4.2 -s errata4.2-3 -p libvirt -v 3.0.0-4~bpo8+deb9u2A~4.2.0.201805091348
Package: libvirt
Version: 3.0.0-4~bpo8+deb9u2A~4.2.0.201805091348
Branch: ucs_4.2-0
Scope: errata4.2-3

[4.2-3] afecd85183 Bug #45635: libvirt 3.0.0-4+deb9u2~bpo8+1
 doc/errata/staging/libvirt.yaml | 2 +-

OK: errata-announce -V --only libvirt.yaml
OK: <http://10.200.17.11/4.2-3/#932684729351261464>

--- mirror/ftp/4.2/unmaintained/4.2-0/source/libvirt_3.0.0-2A~4.2.0.201702200932.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/libvirt_3.0.0-4~bpo8+deb9u2A~4.2.0.201805091348.dsc
@@ -1,14 +1,52 @@ -3.0.0-2A~4.2.0.201702200932 [Mon, 20 Feb 2017 09:32:09 +0100] Univention builddaemon <buildd@univention.de>: +3.0.0-4~bpo8+deb9u2A~4.2.0.201805091348 [Wed, 09 May 2018 13:48:43 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 0001-Bug-35768-Bug-39685-Remove-UCS-dependencies - 0002-Revert-Add-Breaks-for-older-systemd 0021-Bug-19329-Allow-MD5-signatures 0022-Bug-21860-Default-to-kvm32 0023-Allow-to-migrate-and-undefine-domains-with-snapshots 0024-Bug-22072-Re-scan-for-snapshots-after-migration-and- 0025-Bug-40318-libvirt-Handle-qemu-kvm-1.1.2-migration-in 0026-Bug-21501-add-slash-screen-support + 0030-CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q + 0031-CVE-2018-6764-virlog-determine-the-hostname-on-startup + +3.0.0-4+deb9u2~bpo8+1 [Mon, 19 Mar 2018 09:08:45 +0100] Gaudenz Steinlin <gaudenz@debian.org>: + + * Rebuild for jessie-backports. + +3.0.0-4+deb9u2 [Sat, 20 Jan 2018 17:51:39 +0100] Guido Günther <agx@sigxcpu.org>: + + * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor + (Closes: #887700) + * qemu: shared disks with cache=directsync should be safe for migration. + Thanks to Carsten Burkhardt (Closes: #883208) + +3.0.0-4+deb9u1 [Mon, 16 Oct 2017 22:48:55 +0200] Guido Günther <agx@sigxcpu.org>: + + * CVE-2017-1000256: qemu: ensure TLS clients always verify the server + certificate (Closes: #878799) + +3.0.0-4~bpo8+1 [Tue, 18 Apr 2017 23:09:46 +0200] Gaudenz Steinlin <gaudenz@debian.org>: + + * Rebuild for jessie-backports. + * [43f5a1] Revert "Enable numad support" + * [db9711] Change libxml2-dev build dependency to fixed version from jessie + * [bceb2c] Revert "Add Breaks for older systemd" + +3.0.0-4 [Fri, 17 Mar 2017 11:20:13 +0100] Guido Günther <agx@sigxcpu.org>: + + * [2a23b23] qemu: skip QMP probing of CPU definitions when missing. + Don't probe CPU definitions if we lack the monitor command. 
This + unbreaks e.g. mips based VMs. (Closes: #85412) + * [21bc332] apprarmor: unbreak lbvirt invoking qemu-bridge-helpers + This makes VM creation in gnome-boxes work with apparmor enabled. + +3.0.0-3 [Mon, 27 Feb 2017 20:07:41 +0100] Guido Günther <agx@sigxcpu.org>: + + * [62ad289] Debianize virtlogd + * [cb216b5] CVE-2017-2635: qemu: Don't update physical storage size of empty drives + (Closes: #856313) 3.0.0-2 [Wed, 25 Jan 2017 07:04:08 +0100] Guido Günther <agx@sigxcpu.org>:

Ok works now.
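Review bot: the UCS auto-build entry at the top of this hunk gives no reason for the version 3.0.0-4~bpo8+deb9u2A~4.2.0.201805091348, which no longer matches the Debian entry 3.0.0-4+deb9u2~bpo8+1 kept directly below it; the entry should state that the earlier build 3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928 sorted above 3.0.0-4+deb9u1A~4.3.0.201711231149 in ucs_4.3-0 (the reopen from comment #7) and that moving `~bpo8` directly behind `4` is what makes the new version sort below it, otherwise the next person rebasing this package will "correct" the name back to the Debian form. The entry should also note that CVE-2018-5748 is covered by the unchanged deb9u2 changelog entry rather than by a quilt patch, since the applied-patch list names only 0030-CVE-2018-1064 and 0031-CVE-2018-6764, and that the CVE list in doc/errata/staging/libvirt.yaml (afecd85183) has to match those entries.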