Gentoo Archives: gentoo-announce

From: Kristian Fiskerstrand <k_f@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201412-04 ] libvirt: Multiple vulnerabilities
Date: Mon, 08 Dec 2014 23:48:07
Message-Id: 548633E5.9080009@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201412-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: libvirt: Multiple vulnerabilities
     Date: December 08, 2014
     Bugs: #483048, #484014, #485520, #487684, #489374, #494072,
           #496204, #498534, #502232, #504996, #509858, #524184, #528440
       ID: 201412-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in libvirt, worst of which
allows context-dependent attackers to escalate privileges.

Background
==========

libvirt is a C toolkit for manipulating virtual machines.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  app-emulation/libvirt      < 1.2.9-r2               >= 1.2.9-r2

Description
===========

Multiple vulnerabilities have been discovered in libvirt. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker may be able to cause a Denial of Service or cause
information leakage. A local attacker may be able to escalate
privileges, cause a Denial of Service or possibly execute arbitrary
code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libvirt users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/libvirt-1.2.9-r2"

References
==========

[ 1 ] CVE-2013-4292
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4292
[ 2 ] CVE-2013-4296
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4296
[ 3 ] CVE-2013-4297
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4297
[ 4 ] CVE-2013-4399
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4399
[ 5 ] CVE-2013-4400
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4400
[ 6 ] CVE-2013-4401
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4401
[ 7 ] CVE-2013-5651
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5651
[ 8 ] CVE-2013-6436
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6436
[ 9 ] CVE-2013-6456
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6456
[ 10 ] CVE-2013-6457
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6457
[ 11 ] CVE-2013-6458
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6458
[ 12 ] CVE-2013-7336
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7336
[ 13 ] CVE-2014-0028
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0028
[ 14 ] CVE-2014-0179
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0179
[ 15 ] CVE-2014-1447
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1447
[ 16 ] CVE-2014-3633
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3633
[ 17 ] CVE-2014-5177
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5177
[ 18 ] CVE-2014-7823
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7823

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201412-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature
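
An added example, not part of the advisory or of Gentoo's tooling: a triage check that compares recorded app-emulation/libvirt versions against the fixed version 1.2.9-r2 from the "Affected packages" table. It assumes dotted numeric versions with an optional -rN revision only; the host names, the inventory and the function names are constructed for illustration.

```python
import re

# Fixed version from the advisory's "Affected packages" table.
FIXED = "1.2.9-r2"

# Assumption: only 'X.Y.Z' with an optional '-rN' revision is handled.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(version):
    """Split 'X.Y.Z[-rN]' into ((X, Y, Z), N); a missing -rN is revision 0."""
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts, int(m.group(2) or 0)


def is_vulnerable(version, fixed=FIXED):
    """True when the version sorts below the first unaffected version."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """Return (hosts_to_upgrade, hosts_needing_manual_review)."""
    upgrade, review = [], []
    for host, version in sorted(inventory.items()):
        try:
            if is_vulnerable(version):
                upgrade.append(host)
        except ValueError:
            # Do not guess: versions outside the handled grammar are reviewed by hand.
            review.append(host)
    return upgrade, review


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {
    "hv-01": "1.2.9",       # no revision means r0, still below the fix
    "hv-02": "1.2.9-r1",
    "hv-03": "1.2.9-r2",    # first unaffected version
    "hv-04": "1.2.10",      # newer; a plain string compare would misorder it
    "hv-05": "1.1.3-r3",
    "hv-06": "1.2.11_rc1",  # suffix outside the handled grammar
}

if __name__ == "__main__":
    upgrade, review = triage(SAMPLE)
    print("upgrade:", upgrade)
    print("manual review:", review)
```

Hosts reported for upgrade are the ones to run the Resolution commands on; hosts in the manual-review list carry version strings this check does not parse and should be compared by hand.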