Hi Guido,

On Fri, Apr 05, 2019 at 07:10:25PM +0200, Guido Günther wrote:
> Hi,
> On Thu, Apr 04, 2019 at 10:30:14PM +0200, Salvatore Bonaccorso wrote:
> > Source: libvirt
> > Version: 5.0.0-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
> > 
> > Hi,
> > 
> > The following vulnerability was published for libvirt.
> > 
> > CVE-2019-3886[0]:
> > | An incorrect permissions check was discovered in libvirt 4.8.0 and
> > | above. The readonly permission was allowed to invoke APIs depending on
> > | the guest agent, which could lead to potentially disclosing unintended
> > | information or denial of service by causing libvirt to block.
> > 
> > I'm filing it here as well for further investigation. Is this only
> > affecting versions >= 4.8.0?
> 
> I'd assume this to affect older versions as well (looking at the
> fix). I'll prepare an upload once upstream has this in git.

Thanks. Yes I'm confused that it's claimed to be 4.8.0 onwards, but
the submitted fix would in theory apply.

Regards,
Salvatore
