File _patchinfo of Package patchinfo.11618

Overview Repositories Revisions Requests Users Attributes Meta

File _patchinfo of Package patchinfo.11618

<patchinfo incident="11618">
  <issue tracker="bnc" id="1138301">VUL-0: EMBARGOED: CVE-2019-10161: libvirt: api: disallow virDomainSaveImageGetXMLDesc on read-only connections</issue>
  <issue tracker="bnc" id="1138303">VUL-0: EMBARGOED: CVE-2019-10167: libvirt: api: disallow virConnectGetDomainCapabilities on read-only connections</issue>
  <issue tracker="bnc" id="1138302">VUL-0: EMBARGOED: CVE-2019-10166: libvirt: api: disallow virDomainManagedSaveDefineXML on read-only connections</issue>
  <issue tracker="bnc" id="1138305">VUL-0: EMBARGOED: CVE-2019-10168: libvirt: api: disallow virConnect*HypervisorCPU on read-only connections</issue>
  <issue tracker="cve" id="2019-10161"/>
  <issue tracker="cve" id="2019-10168"/>
  <issue tracker="cve" id="2019-10167"/>
  <issue tracker="cve" id="2019-10166"/>
  <category>security</category>
  <rating>important</rating>
  <packager>jfehlig</packager>
  <description>This update for libvirt fixes the following issues:

Security issues fixed:

- CVE-2019-10161: Fixed virDomainSaveImageGetXMLDesc API which could accept a path
  parameter pointing anywhere on the system and potentially leading to execution 
  of a malicious file with root privileges by libvirtd (bsc#1138301). 
- CVE-2019-10166: Fixed an issue with virDomainManagedSaveDefineXML which could have 
  been used to alter the domain's config used for managedsave or execute arbitrary 
  emulator binaries (bsc#1138302).
- CVE-2019-10167: Fixed an issue with virConnectGetDomainCapabilities API which 
  could have been used to execute arbitrary emulators (bsc#1138303).
- CVE-2019-10168: Fixed an issue with virConnect*HypervisorCPU API which   
  could have been used to execute arbitrary emulators (bsc#1138305).
</description>
  <summary>Security update for libvirt</summary>
</patchinfo>

Places

File _patchinfo of Package patchinfo.11618

Places