Your message dated Thu, 09 Jan 2014 09:19:27 +0000
with message-id <e1w1blv-0001vx...@franck.debian.org>
and subject line Bug#734556: fixed in libvirt 1.2.1~rc1-1
has caused the Debian Bug report #734556,
regarding libvirt: CVE-2013-6458: qemu: job usage issue in several APIs leading to libvirtd crash
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
734556: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734556
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libvirt
Severity: grave
Tags: security upstream patch fixed-upstream
Hi Guido,
Disclaimer: I have not checked to reproduce the crash, just shortly
checked latest unstable version. Have set grave as per "[...] could
allow an attacker who is able to establish a read-only connection to
libvirtd to crash libvirtd".
The following vulnerability was published for libvirt.
CVE-2013-6458[0]:
job usage issue in several APIs leading to libvirtd crash
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6458
http://security-tracker.debian.org/tracker/CVE-2013-6458
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1048631
[2] http://libvirt.org/git/?p=libvirt.git;a=commit;h=db86da5ca2109e4006c286a09b6c75bfe10676ad (upstream fix)
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libvirt
Source-Version: 1.2.1~rc1-1
We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 734...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guido Günther <a...@sigxcpu.org> (supplier of updated libvirt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 09 Jan 2014 08:23:57 +0100
Source: libvirt
Binary: libvirt-bin libvirt0 libvirt0-dbg libvirt-doc libvirt-dev libvirt-sanlock
Architecture: source i386 all
Version: 1.2.1~rc1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintain...@lists.alioth.debian.org>
Changed-By: Guido Günther <a...@sigxcpu.org>
Description:
libvirt-bin - programs for the libvirt library
libvirt-dev - development files for the libvirt library
libvirt-doc - documentation for the libvirt library
libvirt-sanlock - library for interfacing with different virtualization systems
libvirt0 - library for interfacing with different virtualization systems
libvirt0-dbg - library for interfacing with different virtualization systems
Closes: 734556
Changes:
libvirt (1.2.1~rc1-1) experimental; urgency=medium
.
[ Laurent Bigonville ]
* [f6b0feb] Pass --with-selinux-mount=/sys/fs/selinux to ./configure.
The buildds are not running selinux and this makes the auto-detection code
default to /selinux, which actually does not exist anymore in sid.
This completes the fix for SELinux support.
.
[ Guido Günther ]
* Upload to experimental
* [20d9129] Enable parallel build support.
Thanks to Felix Geyer for pointing this out
* [0d0590e] New upstream version 1.2.1~rc1. Fixes CVE-2013-6458
(Closes: #734556)
* [a3f978b] Bump symbol versions
* [0a6a276] Rediff patches.
Dropped (fixed upstream):
security-fix-crash-in-lxcDomainGetMemoryParameters.patch
security-fix-crash-in-lxcDomainSetMemoryParameters.patch
* [3061b11] Build with apparmor support.
Note that this isn't enough to run with apparmor support since the
profiles will need more work but it makes testing this a lot simpler.
This is heavily based on a patch by Felix Geyer.
See: #725144
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
iD8DBQFSzl4On88szT8+ZCYRAvwfAJ4md40WN9/HOO9uEXG9z1MuBjGm3ACfSvZJ
oPgvZAj+I2ly6GD3cCXc4uw=
=87fR
-----END PGP SIGNATURE-----
--- End Message ---