[Pkg-libvirt-maintainers] Bug#889839: Bug#889839: libvirt: CVE-2018-6764
Guido Günther
agx at sigxcpu.org
Thu Feb 8 18:28:17 UTC 2018
Hi Salvatore,
On Wed, Feb 07, 2018 at 07:15:50PM +0100, Salvatore Bonaccorso wrote:
> Source: libvirt
> Version: 4.0.0-1
> Severity: important
> Tags: patch security upstream
>
> Hi Guido,
>
> the following vulnerability was published for libvirt.
>
> CVE-2018-6764[0]:
> |guest could inject executable code via libnss_dns.so loaded by
> |libvirt_lxc before init
>
> Commit is at [1]. I see the 1ce929603ba8ebc3b0dc4ff39df9619c87723f42
> commit upstream introduced the inclusion of hostname in the initial
> log message. But the hostname getting is already present before that
> commit, can you pin point which is the arliest version including the
> issue?
At least 1.3.1 onward are affected (but I think that's it). Given the
little use of libvirt-lxc and the fact that you need apparmor/selinux
for a safe container anyway fixing this via a point release will be
enough.
Cheers,
-- Guido
More information about the Pkg-libvirt-maintainers
mailing list