UbuntuUpdates.org

Package "libvirt"

Name: libvirt

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • programs for the libvirt library
  • development files for the libvirt library
  • documentation for the libvirt library
  • library for interfacing with different virtualization systems

Latest version: 1.2.2-0ubuntu13.1.28
Release: trusty (14.04)
Level: security
Repository: main

Links

Save this URL for the latest version of "libvirt": https://www.ubuntuupdates.org/libvirt



Other versions of "libvirt" in Trusty

Repository Area Version
base main 1.2.2-0ubuntu13
updates main 1.2.2-0ubuntu13.1.28

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 1.2.2-0ubuntu13.1.28 2019-05-17 00:07:07 UTC

  libvirt (1.2.2-0ubuntu13.1.28) trusty-security; urgency=medium

  * SECURITY UPDATE: Add support for md-clear functionality
    - debian/patches/md-clear.patch: Define md-clear CPUID bit in
      src/cpu/cpu_map.xml.
    - CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

 -- Steve Beattie <email address hidden> Thu, 16 May 2019 12:56:28 -0700

Source diff to previous version
CVE-2018-12126 MSBDS Microarchitectural Store Buffer Data Sampling
CVE-2018-12127 MLPDS Microarchitectural Load Port Data Sampling
CVE-2018-12130 MFBDS Microarchitectural Fill Buffer Data Sampling
CVE-2019-11091 MDSUM Microarchitectural Data Sampling Uncacheable Memory

Version: 1.2.2-0ubuntu13.1.27 2018-06-12 13:06:33 UTC

  libvirt (1.2.2-0ubuntu13.1.27) trusty-security; urgency=medium

  * SECURITY UPDATE: QEMU monitor DoS
    - debian/patches/CVE-2018-1064.patch: add size limit to
      src/qemu/qemu_agent.c.
    - CVE-2018-1064
  * SECURITY UPDATE: Speculative Store Bypass
    - debian/patches/CVE-2018-3639-1.patch: define the 'ssbd' CPUID feature
      bit in src/cpu/cpu_map.xml.
    - debian/patches/CVE-2018-3639-2.patch: define the 'virt-ssbd' CPUID
      feature bit in src/cpu/cpu_map.xml.
    - CVE-2018-3639

 -- Marc Deslauriers <email address hidden> Wed, 23 May 2018 14:23:45 -0400

Source diff to previous version
CVE-2018-1064 libvirt version before 4.2.0-rc1 is vulnerable to a resource exhaustion as a result of an incomplete fix for CVE-2018-5748 that affects QEMU monitor
CVE-2018-3639 Speculative Store Bypass

Version: 1.2.2-0ubuntu13.1.26 2018-02-20 22:07:22 UTC

  libvirt (1.2.2-0ubuntu13.1.26) trusty-security; urgency=medium

  * SECURITY UPDATE: resource exhaustion resulting in DoS
    - debian/patches/CVE-2018-5748.patch: avoid DoS reading from
      QEMU monitor in src/qemu/qemu_monitor.c.
    - CVE-2018-5748
  * SECURITY UPDATE: Bypass authentication
    - debian/patches/CVE-2016-5008.patch: let empty default VNC
      password work as documented in src/qemu/qemu_hotplug.c.
    - CVE-2016-5008

 -- <email address hidden> (Leonidas S. Barbosa) Fri, 16 Feb 2018 07:51:15 -0500

Source diff to previous version
CVE-2018-5748 qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service (memory consumption) via a large QEMU reply.
CVE-2016-5008 libvirt before 2.0.0 improperly disables password checking when the password on a VNC server is set to an empty string, which allows remote attackers

Version: 1.2.2-0ubuntu13.1.25 2018-02-07 19:06:33 UTC

  libvirt (1.2.2-0ubuntu13.1.25) trusty-security; urgency=medium

  * SECURITY UPDATE: Add support for Spectre mitigations
    - debian/patches/CVE-2017-5715-ibrs*.patch: add CPU features for
      indirect branch prediction protection and add new *-IBRS CPU models.
    - debian/control: add Breaks to get updated qemu with new CPU models.
    - CVE-2017-5715

 -- Marc Deslauriers <email address hidden> Thu, 01 Feb 2018 15:00:47 -0500

Source diff to previous version
CVE-2017-5715 Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an at

Version: 1.2.2-0ubuntu13.1.16 2016-01-12 19:07:12 UTC

  libvirt (1.2.2-0ubuntu13.1.16) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via incorrect ACL check handling
    - debian/patches/CVE-2014-8136.patch: properly unlock vm on failed ACL
      check in src/qemu/qemu_driver.c.
    - CVE-2014-8136
  * SECURITY UPDATE: VNC password leak via snapshots and save images
    - debian/patches/CVE-2015-0236.patch: check ACLs when dumping security
      info in src/qemu/qemu_driver.c, src/remote/remote_protocol.x.
    - CVE-2015-0236
  * SECURITY UPDATE: ACL bypass using storage pool directory traversal
    - debian/patches/CVE-2015-5313.patch: filter filesystem volume names in
      src/storage/storage_backend_fs.c.
    - CVE-2015-5313
  * This package does _not_ contain the changes from 1.2.2-0ubuntu13.1.15
    in trusty-proposed.

 -- Marc Deslauriers Fri, 08 Jan 2016 10:03:14 -0500

CVE-2014-8136 The (1) qemuDomainMigratePerform and (2) qemuDomainMigrateFinish2 functions in qemu/qemu_driver.c in libvirt do not unlock the domain when an ACL che
CVE-2015-0236 libvirt before 1.2.12 allow remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot
CVE-2015-5313 ACL bypass using ../ to access beyond storage pool



About   -   Send Feedback to @ubuntu_updates