UbuntuUpdates.org

Package "libvirt"

Name: libvirt

Description:

This package is just an umbrella for a group of other packages; it has no description.
Description samples from packages in group:

  • programs for the libvirt library
  • development files for the libvirt library
  • documentation for the libvirt library
  • library for interfacing with different virtualization systems

Latest version: 1.3.1-1ubuntu10.27
Release: xenial (16.04)
Level: security
Repository: main

Links

Save this URL for the latest version of "libvirt": https://www.ubuntuupdates.org/libvirt



Other versions of "libvirt" in Xenial

Repository  Area  Version
base        main  1.3.1-1ubuntu10
updates     main  1.3.1-1ubuntu10.27



Changelog

Version: 1.3.1-1ubuntu10.27 2019-07-08 13:07:55 UTC

  libvirt (1.3.1-1ubuntu10.27) xenial-security; urgency=medium

  * SECURITY UPDATE: virDomainSaveImageGetXMLDesc does not check for
    read-only connection
    - debian/patches/CVE-2019-10161.patch: add check to
      src/libvirt-domain.c, src/qemu/qemu_driver.c,
      src/remote/remote_protocol.x.
    - CVE-2019-10161
  * SECURITY UPDATE: virConnectGetDomainCapabilities does not check for
    read-only connection
    - debian/patches/CVE-2019-10167.patch: add check to
      src/libvirt-domain.c.
    - CVE-2019-10167

 -- Marc Deslauriers <email address hidden> Tue, 02 Jul 2019 09:22:37 -0400

CVE-2019-10161 arbitrary file read/exec via virDomainSaveImageGetXMLDesc API
CVE-2019-10167 arbitrary command execution via virConnectGetDomainCapabilities API

Version: 1.3.1-1ubuntu10.26 2019-05-15 20:06:30 UTC

  libvirt (1.3.1-1ubuntu10.26) xenial-security; urgency=medium

  * SECURITY UPDATE: Add support for md-clear functionality
    - debian/patches/md-clear.patch: Define md-clear CPUID bit in
      src/cpu/cpu_map.xml.
    - CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

 -- Marc Deslauriers <email address hidden> Tue, 14 May 2019 15:13:18 -0400

CVE-2018-12126 MSBDS Microarchitectural Store Buffer Data Sampling
CVE-2018-12127 MLPDS Microarchitectural Load Port Data Sampling
CVE-2018-12130 MFBDS Microarchitectural Fill Buffer Data Sampling
CVE-2019-11091 MDSUM Microarchitectural Data Sampling Uncacheable Memory

Version: 1.3.1-1ubuntu10.25 2019-03-14 19:06:54 UTC

  libvirt (1.3.1-1ubuntu10.25) xenial-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference in qemuAgentGetInterfaces
    - debian/patches/CVE-2019-3840.patch: require a reply in
      src/qemu/qemu_agent.c.
    - CVE-2019-3840

 -- Marc Deslauriers <email address hidden> Wed, 13 Mar 2019 08:10:12 -0400

CVE-2019-3840 NULL pointer dereference after running qemuAgentCommand in qemuAgentGetInterfaces function

Version: 1.3.1-1ubuntu10.24 2018-06-12 13:06:37 UTC

  libvirt (1.3.1-1ubuntu10.24) xenial-security; urgency=medium

  * SECURITY UPDATE: QEMU monitor DoS
    - debian/patches/CVE-2018-1064.patch: add size limit to
      src/qemu/qemu_agent.c.
    - CVE-2018-1064
  * SECURITY UPDATE: Speculative Store Bypass
    - debian/patches/CVE-2018-3639-1.patch: define the 'ssbd' CPUID feature
      bit in src/cpu/cpu_map.xml.
    - debian/patches/CVE-2018-3639-2.patch: define the 'virt-ssbd' CPUID
      feature bit in src/cpu/cpu_map.xml.
    - CVE-2018-3639

 -- Marc Deslauriers <email address hidden> Wed, 23 May 2018 13:29:29 -0400

CVE-2018-1064 libvirt version before 4.2.0-rc1 is vulnerable to a resource exhaustion as a result of an incomplete fix for CVE-2018-5748 that affects QEMU monitor
CVE-2018-3639 Speculative Store Bypass

Version: 1.3.1-1ubuntu10.19 2018-02-20 22:07:25 UTC

  libvirt (1.3.1-1ubuntu10.19) xenial-security; urgency=medium

  [ Leonidas S. Barbosa ]
  * SECURITY UPDATE: resource exhaustion resulting in DoS
    - debian/patches/CVE-2018-5748.patch: avoid DoS reading from
      QEMU monitor in src/qemu/qemu_monitor.c.
    - CVE-2018-5748
  * SECURITY UPDATE: Bypass authentication
    - debian/patches/CVE-2016-5008.patch: let empty default VNC
      password work as documented in src/qemu/qemu_hotplug.c.
    - CVE-2016-5008

  [ Marc Deslauriers ]
  * SECURITY UPDATE: code injection via libnss_dns.so
    - debian/patches/CVE-2018-6764-1.patch: determine the hostname on
      startup in src/util/virlog.c.
    - debian/patches/CVE-2018-6764-2.patch: fix syntax-check in
      src/util/virlog.c.
    - debian/patches/CVE-2018-6764-3.patch: fix deadlock obtaining hostname
      in cfg.mk, src/util/virlog.c.
    - CVE-2018-6764

 -- Marc Deslauriers <email address hidden> Fri, 16 Feb 2018 07:51:15 -0500

CVE-2018-5748 qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service (memory consumption) via a large QEMU reply.
CVE-2016-5008 libvirt before 2.0.0 improperly disables password checking when the password on a VNC server is set to an empty string, which allows remote attackers
CVE-2018-6764 guest could inject executable code via libnss_dns.so loaded by libvirt_lxc before init


