On Sat, May 10, 2025 at 10:44:36AM +0100, Richard W.M. Jones via Libguestfs wrote:
> On Sat, May 10, 2025 at 10:08:30AM +0100, Richard W.M. Jones wrote:
> > On Thu, May 08, 2025 at 01:51:21PM -0500, Eric Blake via Libguestfs wrote:
> > > On Wed, Apr 23, 2025 at 04:06:44PM -0500, Eric Blake via Libguestfs wrote:
> > > > Still waiting on Red Hat's security team to decide if these get CVE
> > > > designations, but at this point, we consider the impact to be low
> > > > enough severity (easy to avoid if your server rejects malicious
> > > > clients by the use of TLS) and related enough that there is no longer
> > > > any need to embargo the second one.
> > > >
> > > > I'll wait a bit longer to apply, to provide time to update the subject
> > > > lines according to whether we get CVEs assigned.
> > > >
> > > > Eric Blake (2):
> > > >   server: Fix off-by-one for maximum block_status length [CVE-XXX]
> > > >   blocksize: Fix 32-bit overflow in .extents [CVE-XXXX]
> > >
> > > These have now been assigned CVE identifiers. CVE-2025-47711 is for
> > > the server error with any plugin returning .extents of 4G or more, and
> > > CVE-2025-47712 is for the blocksize filter bug on unaligned block
> > > status requests near 4G.
> > >
> > > I am now in the process of applying the patches to mainline and
> > > backporting them to branches that are still in active use; I will send
> > > a followup mail with tests for vulnerable versions and version
> > > numbers/commit ids to be used to avoid the problems, along with a
> > > patch to docs/nbdkit-security.pod pointing to that eventual mail.
> >
> > Thanks Eric. The fixes are available in development version 1.43.7
> > and stable version 1.42.3.
>
> And now in stable versions 1.40.6 and 1.38.6.
The website is now updated too:
https://libguestfs.org/nbdkit-security.1.html

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html