Explore top 10 tips to secure your open-source projects now. Read More
×
All libvirt users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements. After installing the updated packages, libvirtd will be
restarted automatically.
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
The libvirt library is a C API for managing and interacting with the
virtualization capabilities of Linux and other operating systems.
It was found that QEMU's qemuDomainMigratePerform() and
qemuDomainMigrateFinish2() functions did not correctly perform a domain
unlock on a failed ACL check. A remote attacker able to establish a
connection to libvirtd could use this flaw to lock a domain of a more
privileged user, causing a denial of service. (CVE-2014-8136)
It was discovered that the virDomainSnapshotGetXMLDesc() and
virDomainSaveImageGetXMLDesc() functions did not sufficiently limit the
usage of the VIR_DOMAIN_XML_SECURE flag when fine-grained ACLs were
enabled. A remote attacker able to establish a connection to libvirtd could
use this flaw to obtain certain sensitive information from the domain XML
file. (CVE-2015-0236)
The CVE-2015-0236 issue was found by Luyao Huang of Red Hat.
Bug fixes:
* The libvirtd daemon previously attempted to search for SELinux contexts
even when SELinux was disabled on the host. Consequently, libvirtd logged
"Unable to lookup SELinux process context" error messages every time a
client connected to libvirtd and SELinux was disabled. libvirtd now
verifies whether SELinux is enabled before searching for SELinux contexts,
and no longer logs the error messages on a host with SELinux disabled.
(BZ#1135155)
* The libvirt utility passed incomplete PCI addresses to QEMU.
Consequently, assigning a PCI device that had a PCI address with a non-zero
domain to a guest failed. Now, libvirt properly passes PCI domain to QEMU
when assigning PCI devices, which prevents the described problem.
(BZ#1127080)
* Because the virDomainSetMaxMemory API did not allow changing the current
memory in the LXC driver, the "virsh setmaxmem" command failed when
attempting to set the maximum memory to be lower than the current memory.
Now, "virsh setmaxmem" sets the current memory to the intended value of the
maximum memory, which avoids the mentioned problem. (BZ#1091132)
* Attempting to start a non-existent domain caused network filters to stay
locked for read-only access. Because of this, subsequent attempts to gain
read-write access to network filters triggered a deadlock. Network filtersare now properly unlocked in the described scenario, and the deadlock no
longer occurs. (BZ#1088864)
* If a guest configuration had an active nwfilter using the DHCP snooping
feature and an attempt was made to terminate libvirtd before the associated
nwfilter rule snooped the guest IP address from DHCP packets, libvirtd
became unresponsive. This problem has been fixed by setting a longer wait
time for snooping the guest IP address. (BZ#1075543)
Enhancements:
* A new "migrate_host" option is now available in /etc/libvirt/qemu.conf,
which allows users to set a custom IP address to be used for incoming
migrations. (BZ#1087671)
* With this update, libvirt is able to create a compressed memory-only
crash dump of a QEMU domain. This type of crash dump is directly readable
by the GNU Debugger and requires significantly less hard disk space than
the standard crash dump. (BZ#1035158)
* Support for reporting the NUMA node distance of the host has been added
to libvirt. This enhances the current libvirt capabilities for reporting
NUMA topology of the host, and allows for easier optimization of new
domains. (BZ#1086331)
* The XML file of guest and host capabilities generated by the "virsh
capabilities" command has been enhanced to list the following information,
where relevant: the interface speed and link status of the host, the PCI
Express (PCIe) details, the host's hardware support for I/O virtualization,
and a report on the huge memory pages. (BZ#1076960, BZ#1076957, BZ#1076959,
BZ#1076962)
These packages also include a number of other bug fixes and enhancements.
For additional details, see the "Bugs Fixed" section below.
https://access.redhat.com/security/cve/CVE-2014-8136 https://access.redhat.com/security/cve/CVE-2015-0236 https://access.redhat.com/security/updates/classification#low
Red Hat Enterprise Linux Client (v. 7):
Source:
libvirt-1.2.8-16.el7.src.rpm
x86_64:
libvirt-1.2.8-16.el7.x86_64.rpm
libvirt-client-1.2.8-16.el7.i686.rpm
libvirt-client-1.2.8-16.el7.x86_64.rpm
libvirt-daemon-1.2.8-16.el7.x86_64.rpm
libvirt-daemon-config-network-1.2.8-16.el7.x86_64.rpm
libvirt-daemon-config-nwfilter-1.2.8-16.el7.x86_64.rpm
libvirt-daemon-driver-interface-1.2.8-16.el7.x86_64.rpm
libvirt-daemon-driver-lxc-1.2.8-16.el7.x86_64.rpm
libvirt-daemon-driver-network-1.2.8-16.el7.x86_64.rpm
libvirt-daemon-driver-nodedev-1.2.8-16.el7.x86_64.rpm
libvirt-daemon-driver-nwfilter-1.2.8-16.el7.x86_64.rpm
libvirt-daemon-driver-qemu-1.2.8-16.el7.x86_64.rpm
libvirt-daemon-driver-secret-1.2.8-16.el7.x86_64.rpm
libvirt-daemon-driver-storage-1.2.8-16.el7.x86_64.rpm
libvirt-daemon-kvm-1.2.8-16.el7.x86_64.rpm
libvirt-debuginfo-1.2.8-16.el7.i686.rpm
libvirt-debuginfo-1.2.8-16.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
libvirt-daemon-lxc-1.2.8-16.el7.x86_64.rpm
libvirt-debuginfo-1.2.8-16.el7.i686.rpm
libvirt-debuginfo-1.2.8-16.el7.x86_64.rpm
libvirt-devel-1.2.8-16.el7.i686.rpm
libvirt-devel-1.2.8-16.el7.x86_64.rpm
libvirt-docs-1.2.8-16.el7.x86_64.rpm
libvirt-lock-sanlock-1.2.8-16.el7.x86_64.rpm
libvirt-login-shell-1.2.8-16.el7.x86_64.rpm
Read the Full Advisory
Updated libvirt packages that fix two security issues, several bugs, andadd various enhancements are now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having Low securityimpact. Common Vulnerability Scoring System (CVSS) base scores, which givedetailed severity ratings, are available for each vulnerability from theCVE links in the References section.
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
706887 - [TestOnly] qemu truncates JSON numbers >= 0x8000_0000_0000_0000
765733 - Error reporting when qemu terminates unexpectedly is inconsistent and sometimes unhelpful
823535 - Libvirt is sensitive to the order in which the video devices are passed
872628 - List available LXC consoles using container_ttys env variable
874418 - clear the error message when dump a guest with pass-through device
876829 - create external checkpoint snapshot will change the guest pmsuspended state and guest hang forever
877244 - Virsh command will delay a long time if restart libvirtd with many virtual networks running
878394 - virsh iface-dumpxml or virt-manager reports "bond interface misses the bond element" for inactive bond interfaces
880483 - Guest can use inactive macvtap-passthrough network
921094 - Missing auditing for serial, parallel, channel, console and smartcard devices
924853 - blockcopy to cifs fails
956506 - virsh snapshot-delete --children-only bypasses safety check for deleting disk-only children
957293 - support libiscsi for SCSI passthrough devices
963817 - Stable SCSI host addressing
964177 - virConnectDomainEventRTCChangeCallback returns wrong offset
967493 - Lockfailure action Ignore will lead to sanlock rem_lockspace stuck
967494 - Lockfailure action Restart can shutdown the guest but fail to start it
972964 - WWN option for Hot Attaching SCSI Disks
Get the latest Linux and open source security news straight to your inbox.