[Pkg-libvirt-maintainers] Bug#889839: libvirt: CVE-2018-6764

Salvatore Bonaccorso carnil at debian.org
Wed Feb 7 18:15:50 UTC 2018


Source: libvirt
Version: 4.0.0-1
Severity: important
Tags: patch security upstream

Hi Guido,

the following vulnerability was published for libvirt.

CVE-2018-6764[0]:
|guest could inject executable code via libnss_dns.so loaded by
|libvirt_lxc before init

Commit is at [1]. I see the 1ce929603ba8ebc3b0dc4ff39df9619c87723f42
commit upstream introduced the inclusion of hostname in the initial
log message. But the hostname getting is already present before that
commit, can you pinpoint which is the earliest version including the
issue?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-6764
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6764
[1] https://libvirt.org/git/?p=libvirt.git;a=commit;h=759b4d1b0fe5f4d84d98b99153dfa7ac289dd167

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


