Bugzilla – Bug 857490
VUL-0: CVE-2013-6456: libvirtd: unsafe usage of paths under /proc/$PID/root
Last modified: 2014-06-12 17:04:24 UTC
CVE-2013-6456 References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6456
https://bugzilla.redhat.com/show_bug.cgi?id=1048627
bugbot adjusting priority
Is this also something that only needs openSUSE updates?
This issue affects libvirt 1.0.1 through 1.2.1 inclusive, meaning openSUSE 13.1, Factory, SLES11 SP3, and SLE12. In fact, the issue still exists in libvirt git master - there is no solution yet afaict.
I should mention, we don't support libvirt-lxc on SLE11, so fixing this in SP3 is not that urgent IMO.
Fixed in SLE12 beta2 (SR#33711) and Factory (SR#224371) via update to libvirt 1.2.2 release. I believe the only thing left to do is backport the patches to 13.1.
This is an autogenerated message for OBS integration: This bug (857490) was mentioned in https://build.opensuse.org/request/show/224371 Factory / libvirt
Backported in Devel:Virt:SLE-11-SP3/libvirt and Virtualization:openSUSE13.1/libvirt.
security-team: A libvirt update was recently released for SLE11 SP3, so it is not clear if we want to do another one right away. Should this just be queued for a future maintenance cycle?
This is an autogenerated message for OBS integration: This bug (857490) was mentioned in https://build.opensuse.org/request/show/227061 13.1 / libvirt
No immediate action, but please include in next one.
Affected packages: SLE-11-SP3: libvirt
openSUSE-SU-2014:0593-1: An update that solves two vulnerabilities and has three fixes is now available.
Category: security (moderate)
Bug References: 852005,857490,868943,871154,873103
CVE References: CVE-2013-6456,CVE-2013-7336
Sources used:
openSUSE 13.1 (src): libvirt-1.1.2-2.26.1
This is now fixed.
Update released for: libvirt, libvirt-client, libvirt-client-32bit, libvirt-client-64bit, libvirt-client-x86, libvirt-debuginfo, libvirt-debugsource, libvirt-devel, libvirt-devel-32bit, libvirt-devel-64bit, libvirt-doc, libvirt-lock-sanlock, libvirt-python
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SUSE-SU-2014:0785-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 857490,873705
CVE References: CVE-2013-6456,CVE-2014-0179
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): libvirt-1.0.5.9-0.9.1
SUSE Linux Enterprise Server 11 SP3 (src): libvirt-1.0.5.9-0.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src): libvirt-1.0.5.9-0.9.1