On Tue, Sep 26, 2023 at 02:12:27PM -0500, Eric Blake wrote:
> We have discovered a security flaw with potential minor impact in
> libnbd.
>
> Lifecycle
> ---------
>
> Reported: 2023-09-17 Fixed: 2023-09-22 Published: 2023-09-26
>
> At the time of this email, the Red Hat security team is analyzing
> potential security impacts to determine if a CVE is warranted against
> libnbd; if one is assigned, a followup email will announce that
> identifier. However, even if a CVE is not assigned to libnbd, the
> issues documented here warrant an audit of clients that utilize the
> nbd_get_size() API from libnbd, to see if they might be subject to a
> weakness when interpreting a large size as a negative value. The
> libnbd developers felt it more important to issue this security notice
> prior to the release of v1.18 than to hold up the release schedule
> waiting for final analysis on whether libnbd needs a CVE.

The Red Hat security team assigned this CVE-2023-5215 as a low-impact security vulnerability, with a rating of low impact severity.

--
Eric Blake, Principal Software Engineer
Red Hat, Inc.
Virtualization: qemu.org | libguestfs.org

_______________________________________________
Libguestfs mailing list
Libguestfs@redhat.com
https://listman.redhat.com/mailman/listinfo/libguestfs
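
An audit-style check for the client pattern the notice asks about, as an added example that is not part of the original email or of libnbd. It links no libnbd code; `reported_size`, `weak_accepts`, `strict_accepts` and `block_count` are hypothetical names, and it assumes an advertised size above INT64_MAX reaches the caller as a negative int64_t.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a size handed back as int64_t; libnbd is not
 * linked. Assumption: an advertised unsigned 64-bit size above INT64_MAX
 * reaches the caller reinterpreted as a negative number. */
static int64_t reported_size(uint64_t advertised)
{
    if (advertised > (uint64_t)INT64_MAX)
        return -(int64_t)(UINT64_MAX - advertised) - 1; /* portable signed view */
    return (int64_t)advertised;
}

/* Weak client pattern: only the exact value -1 is treated as an error. */
static int weak_accepts(int64_t size) { return size != -1; }

/* Audited client pattern: reject every negative value and anything above
 * what the caller can address, before the size is used in arithmetic. */
static int strict_accepts(int64_t size, int64_t max_supported)
{
    return size >= 0 && size <= max_supported;
}

/* Whole blocks the client would iterate over, or -1 if the size is rejected. */
static int64_t block_count(int64_t size, int64_t block, int strict)
{
    int ok = strict ? strict_accepts(size, INT64_MAX - block) : weak_accepts(size);
    return ok ? size / block : -1;
}

int main(void)
{
    /* Constructed sample sizes: 1 GiB, 2^63, and 2^64 - 2. */
    uint64_t samples[] = { UINT64_C(1) << 30, UINT64_C(1) << 63, UINT64_MAX - 1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t s = reported_size(samples[i]);
        printf("advertised=%llu seen=%lld weak=%lld strict=%lld\n",
               (unsigned long long)samples[i], (long long)s,
               (long long)block_count(s, 512, 0), (long long)block_count(s, 512, 1));
    }
    return 0;
}
```

The weak check lets both oversized samples through, yielding a negative block count for 2^63 and a zero count for 2^64 - 2, while the strict check rejects both.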