
Mageia 7: 2019-0390 Moderate: Libvirt Information Leak and Execution Issues

December 15, 2019
Recent updates for libvirt in Mageia tackle severe security vulnerabilities, such as a data exposure risk and incorrect permission configurations.

Summary

Updated libvirt packages fix security vulnerabilities:

- An information leak that allowed the guest hostname to be retrieved in read-only mode (CVE-2019-3886).
- Wrong permissions in systemd admin-sock due to missing SocketMode parameter (CVE-2019-10132).
- Arbitrary file read/exec via virDomainSaveImageGetXMLDesc API (CVE-2019-10161).
- virDomainManagedSaveDefineXML API exposed to read-only clients (CVE-2019-10166).
- Arbitrary command execution via virConnectGetDomainCapabilities API (CVE-2019-10167).
- Arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs (CVE-2019-10168).

This update also contains the libvirt adjustments that pass through the new 'md-clear' CPU flag, to help address Intel CPU speculative execution flaws.
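For the CVE-2019-10132 item above (missing SocketMode), the following added example, which is not part of the Mageia advisory or of libvirt, audits a systemd socket unit for filesystem sockets that fall back to systemd's default SocketMode of 0666. The unit text, service name and socket path are constructed samples.

```python
# Added example: flag systemd .socket units whose Unix sockets are world-writable,
# either because SocketMode= is missing (systemd default 0666) or set too loosely.
SYSTEMD_DEFAULT_SOCKET_MODE = 0o666  # systemd.socket(5): SocketMode= defaults to 0666
LISTEN_KEYS = {"ListenStream", "ListenDatagram", "ListenSequentialPacket"}

def audit_socket_unit(unit_text):
    """Return one finding per filesystem socket declared in the [Socket] section."""
    section, paths = None, []
    mode, explicit = SYSTEMD_DEFAULT_SOCKET_MODE, False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Socket" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in LISTEN_KEYS:
            if value == "":
                paths.clear()                    # empty assignment resets the list
            elif value.startswith("/"):
                paths.append(value)              # AF_UNIX socket bound to a path
        elif key == "SocketMode" and value:
            mode, explicit = int(value, 8), True  # last assignment wins
    # connect() on a Unix socket needs write permission on the socket file
    return [{"path": p, "mode": mode, "explicit": explicit,
             "world_writable": bool(mode & 0o002)} for p in paths]

# Constructed sample units (not copied from any libvirt package).
UNIT_WITHOUT_MODE = """\
[Unit]
Description=Example admin socket

[Socket]
ListenStream=/run/example/example-admin-sock
Service=example.service
"""
UNIT_WITH_MODE = UNIT_WITHOUT_MODE + "SocketMode=0600\n"

if __name__ == "__main__":
    for label, text in (("missing", UNIT_WITHOUT_MODE), ("set", UNIT_WITH_MODE)):
        for f in audit_socket_unit(text):
            state = "world-writable" if f["world_writable"] else "restricted"
            print(f"SocketMode {label}: {f['path']} {oct(f['mode'])} {state}")
```

On a live host the same function can be fed the contents of the installed `.socket` unit files; directory permissions above the socket path still apply and are not evaluated here.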

References

- https://bugs.mageia.org/show_bug.cgi?id=24757
- https://access.redhat.com/errata/RHSA-2019:1264
- https://access.redhat.com/errata/RHSA-2019:1579
- https://www.cve.org/CVERecord?id=CVE-2019-3886
- https://www.cve.org/CVERecord?id=CVE-2019-10132
- https://www.cve.org/CVERecord?id=CVE-2019-10161
- https://www.cve.org/CVERecord?id=CVE-2019-10166
- https://www.cve.org/CVERecord?id=CVE-2019-10167
- https://www.cve.org/CVERecord?id=CVE-2019-10168

Resolution

SRPMS

- 7/core/libvirt-5.5.0-1.mga7

- 7/core/python-libvirt-5.5.0-1.mga7

Severity
important

Publication date: 15 Dec 2019
URL: https://advisories.mageia.org/MGASA-2019-0390.html
Type: security
CVE: CVE-2019-3886, CVE-2019-10132, CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168
