Guilhem Moulin pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
97397100 by Guilhem Moulin at 2024-04-01T13:45:40+02:00
Reserve DLA-3778-1 for libvirt
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -5707,13 +5707,11 @@ CVE-2024-2496 (A NULL pointer dereference flaw was
found in the udevConnectListA
- libvirt 9.8.0-1
[bookworm] - libvirt <no-dsa> (Minor issue)
[bullseye] - libvirt <no-dsa> (Minor issue)
- [buster] - libvirt <postponed> (Minor issue; DoS / clean crash)
NOTE: Fixed by:
https://gitlab.com/libvirt/libvirt/-/commit/2ca94317ac642a70921947150ced8acc674ccdc8
(v9.8.0-rc1)
CVE-2024-1441 (An off-by-one error flaw was found in the
udevListInterfacesByStatus() ...)
- libvirt 10.1.0-1 (bug #1066058)
[bookworm] - libvirt <no-dsa> (Minor issue)
[bullseye] - libvirt <no-dsa> (Minor issue)
- [buster] - libvirt <postponed> (Minor issue; very rare crash before
v5.10)
NOTE: Introduced by:
https://gitlab.com/libvirt/libvirt/-/commit/5a33366f5c0b18c93d161bd144f9f079de4ac8ca
(v1.0.0-rc1)
NOTE: Introduced by:
https://gitlab.com/libvirt/libvirt/-/commit/d6064e2759a24e0802f363e3a810dc5a7d7ebb15
(v5.10.0-rc1)
NOTE: Fixed by:
https://gitlab.com/libvirt/libvirt/-/commit/c664015fe3a7bf59db26686e9ed69af011c6ebb8
(v10.1.0)
@@ -149897,7 +149895,6 @@ CVE-2022-0898 (The IgniteUp WordPress plugin through
3.4.1 does not sanitise and
CVE-2022-0897 (A flaw was found in the libvirt nwfilter driver. The
virNWFilterObjLis ...)
- libvirt 8.2.0-1 (bug #1009075)
[bullseye] - libvirt <no-dsa> (Minor issue)
- [buster] - libvirt <no-dsa> (Minor issue)
[stretch] - libvirt <postponed> (Minor issue)
NOTE:
https://gitlab.com/libvirt/libvirt/-/commit/a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36
(v8.2.0-rc1)
CVE-2022-0896 (Improper Neutralization of Special Elements Used in a Template
Engine ...)
@@ -167439,7 +167436,6 @@ CVE-2021-4148 (A vulnerability was found in the Linux
kernel's block_invalidatep
CVE-2021-4147 (A flaw was found in the libvirt libxl driver. A malicious guest
could ...)
- libvirt 7.10.0-2 (bug #1002535)
[bullseye] - libvirt <no-dsa> (Minor issue)
- [buster] - libvirt <no-dsa> (Minor issue)
[stretch] - libvirt <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2034195
NOTE:
https://listman.redhat.com/archives/libvir-list/2021-November/msg00908.html
@@ -172486,7 +172482,6 @@ CVE-2021-3976 (kimai2 is vulnerable to Cross-Site
Request Forgery (CSRF))
CVE-2021-3975 (A use-after-free flaw was found in libvirt. The
qemuMonitorUnregister( ...)
- libvirt 7.6.0-1
[bullseye] - libvirt <no-dsa> (Minor issue)
- [buster] - libvirt <no-dsa> (Minor issue)
[stretch] - libvirt <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2024326
NOTE: Fixed by:
https://github.com/libvirt/libvirt/commit/1ac703a7d0789e46833f4013a3876c2e3af18ec7
(v7.1.0-rc2)
@@ -192924,7 +192919,6 @@ CVE-2021-37579 (The Dubbo Provider will check the
incoming request and the corre
CVE-2021-3667 (An improper locking issue was found in the
virStoragePoolLookupByTarge ...)
- libvirt 7.6.0-1 (bug #991594)
[bullseye] - libvirt <no-dsa> (Minor issue)
- [buster] - libvirt <no-dsa> (Minor issue)
[stretch] - libvirt <not-affected> (Introduced in 4.1)
NOTE:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=447f69dec47e1b0bd15ecd7cd49a9fd3b050fb87
(v7.6.0-rc1)
NOTE: Introduced in
https://libvirt.org/git/?p=libvirt.git;a=commit;h=7aa0e8c0cb8a6293d0c6f7e3d29c13b96dec2129
@@ -196603,7 +196597,6 @@ CVE-2017-20006 (UnRAR 5.6.1.2 and 5.6.1.3 has a
heap-based buffer overflow in Un
CVE-2021-3631 (A flaw was found in libvirt while it generates SELinux MCS
category pa ...)
- libvirt 7.6.0-1 (bug #990709)
[bullseye] - libvirt <no-dsa> (Minor issue)
- [buster] - libvirt <no-dsa> (Minor issue)
[stretch] - libvirt <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libvirt/libvirt/-/issues/153
NOTE: Fixed by:
https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2
(v7.5.0)
@@ -255374,7 +255367,6 @@ CVE-2020-25638 (A flaw was found in hibernate-core in
versions prior to and incl
CVE-2020-25637 (A double free memory issue was found to occur in the libvirt
API, in v ...)
{DLA-2395-1}
- libvirt 6.8.0-1 (bug #971555)
- [buster] - libvirt <no-dsa> (Minor issue)
NOTE: Introduced by:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=0977b8aa071de550e1a013d35e2c72615e65d520
(v1.2.14-rc1)
NOTE: Fixed by:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=955029bd0ad7ef96000f529ac38204a8f4a96401
(v6.8.0)
NOTE: Fixed by:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=50864dcda191eb35732dbd80fb6ca251a6bba923
(v6.8.0)
@@ -286363,7 +286355,6 @@ CVE-2020-12431 (A Windows privilege change issue was
discovered in Splashtop Sof
CVE-2020-12430 (An issue was discovered in qemuDomainGetStatsIOThread in
qemu/qemu_dri ...)
[experimental] - libvirt 6.2.0-1
- libvirt 6.4.0-2 (low; bug #959447)
- [buster] - libvirt <no-dsa> (Minor issue)
[stretch] - libvirt <not-affected> (Vulnerable code introduced later)
[jessie] - libvirt <not-affected> (Vulnerable code introduced later)
NOTE: Fixed by:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=9bf9e0ae6af38c806f4672ca7b12a6b38d5a9581
(v6.1.0-rc1)
@@ -292586,7 +292577,6 @@ CVE-2020-10704 (A flaw was found when using samba as
an Active Directory Domain
NOTE: https://www.samba.org/samba/security/CVE-2020-10704.html
CVE-2020-10703 (A NULL pointer dereference was found in the libvirt API
responsible in ...)
- libvirt 6.0.0-2
- [buster] - libvirt <no-dsa> (Minor issue)
[stretch] - libvirt <not-affected> (Vulnerable code introduced later)
[jessie] - libvirt <not-affected> (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1790725
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[01 Apr 2024] DLA-3778-1 libvirt - security update
+ {CVE-2020-10703 CVE-2020-12430 CVE-2020-25637 CVE-2021-3631
CVE-2021-3667 CVE-2021-3975 CVE-2021-4147 CVE-2022-0897 CVE-2024-1441
CVE-2024-2494 CVE-2024-2496}
+ [buster] - libvirt 5.0.0-4+deb10u2
[27 Mar 2024] DLA-3777-1 composer - security update
{CVE-2023-43655}
[buster] - composer 1.8.4-1+deb10u3
=====================================
data/dla-needed.txt
=====================================
@@ -149,11 +149,6 @@ libstb
NOTE: 20240314: several CVEs fixed in DLA-3305-1 remain unfixed (no-dsa) in
bullseye
NOTE: 20240314: and bookwork. Uploads to spu and ospu should be coordinated.
(roberto)
--
-libvirt (guilhem)
- NOTE: 20240316: Added by Front-Desk (Beuc)
- NOTE: 20240316: A few years of minor vulnerabilities piled up;
- NOTE: 20240316: coordinate with stable/oldstable to fix them uniformly
(Beuc/front-desk)
---
linux (Ben Hutchings)
NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9739710098cfd6b81354dd6bbe64c9049ea55c5a
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9739710098cfd6b81354dd6bbe64c9049ea55c5a
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
