--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-b2dfb13daf
2019-07-09 00:54:58.976004
--------------------------------------------------------------------------------

Name        : libvirt
Product     : Fedora 30
Version     : 5.1.0
Release     : 9.fc30
URL         : https://libvirt.org/
Summary     : Library providing a simple virtualization API
Description :
Libvirt is a C toolkit to interact with the virtualization capabilities
of recent versions of Linux (and other OSes). The main package includes
the libvirtd server exporting the virtualization support.

--------------------------------------------------------------------------------
Update Information:

* CVE-2019-10161: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API (bz #1722463, bz #1720115)
* CVE-2019-10166: virDomainManagedSaveDefineXML API exposed to readonly clients (bz #1722462, bz #1720114)
* CVE-2019-10167: arbitrary command execution via virConnectGetDomainCapabilities API (bz #1722464, bz #1720117)
* CVE-2019-10168: arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs (bz #1722466, bz #1720118)
* CVE-2019-3886: virsh domhostname command discloses guest hostname in readonly mode [fedora-rawhide
* Cannot start VM with a CBR 2.0 TPM device (bz #1712556)
* libvirtd does not update VM .xml configurations after virsh snapshot/blockcommit (bz #1722348)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jun 20 2019 Cole Robinson crobinso@redhat.com - 5.1.0-9
- CVE-2019-10161: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API (bz #1722463, bz #1720115)
- CVE-2019-10166: virDomainManagedSaveDefineXML API exposed to readonly clients (bz #1722462, bz #1720114)
- CVE-2019-10167: arbitrary command execution via virConnectGetDomainCapabilities API (bz #1722464, bz #1720117)
- CVE-2019-10168: arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs (bz
- CVE-2019-3886: virsh domhostname command discloses guest hostname in readonly mode [fedora-rawhide
- Cannot start VM with a CBR 2.0 TPM device (bz #1712556)
- libvirtd does not update VM .xml configurations after virsh snapshot/blockcommit (bz #1722348)

* Fri May 31 2019 Adam Williamson awilliam@redhat.com - 5.1.0-8
- Fix scriptlet error when built without firewalld zone support

* Wed May 29 2019 Adam Williamson awilliam@redhat.com - 5.1.0-7
- Pass --without-firewalld-zone to configure
- Resolves: rhbz #1699051

* Tue May 21 2019 Daniel P. Berrangé berrange@redhat.com - 5.1.0-6
- Fix systemd socket permissions
- Resolves: rhbz #1712498 (CVE-2019-10132)

* Tue May 14 2019 Daniel P. Berrangé berrange@redhat.com - 5.1.0-5
- Define md-clear CPUID bit
- Resolves: rhbz #1709977 (CVE-2018-12126), rhbz #1709979 (CVE-2018-12127), rhbz #1709997 (CVE-2018-12130), rhbz #1709984 (CVE-2019-11091)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1720115 - CVE-2019-10161 libvirt: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API
        https://bugzilla.redhat.com/show_bug.cgi?id=1720115
  [ 2 ] Bug #1720114 - CVE-2019-10166 libvirt: virDomainManagedSaveDefineXML API exposed to readonly clients
        https://bugzilla.redhat.com/show_bug.cgi?id=1720114
  [ 3 ] Bug #1720117 - CVE-2019-10167 libvirt: arbitrary command execution via virConnectGetDomainCapabilities API
        https://bugzilla.redhat.com/show_bug.cgi?id=1720117
  [ 4 ] Bug #1720118 - CVE-2019-10168 libvirt: arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs
        https://bugzilla.redhat.com/show_bug.cgi?id=1720118
  [ 5 ] Bug #1694880 - CVE-2019-3886 libvirt: virsh domhostname command discloses guest hostname in readonly mode
        https://bugzilla.redhat.com/show_bug.cgi?id=1694880
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-b2dfb13daf' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------