Bugzilla – Bug 857492
VUL-0: CVE-2013-6458: libvirtd: qemu job usage issue in several API leading to libvirtd crash
Last modified: 2015-02-19 01:45:54 UTC
CVE-2013-6458 References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6458 https://bugzilla.redhat.com/show_bug.cgi?id=1048631
bugbot adjusting priority
This issue affects openSUSE12.3, 13.1, and Factory, plus SLES11 SP3 and SLES12. For Factory and SLES12, the issue is fixed by updating to libvirt 1.2.1. For openSUSE13.1, I've backported the patches and have them queued for a future maintenance update in https://build.opensuse.org/package/show/Virtualization:openSUSE13.1/libvirt For openSUSE12.3 https://build.opensuse.org/package/show/Virtualization:openSUSE12.3/libvirt For SLES11 SP3, the issue is fixed in latest 1.0.5.9 stable release, which I've added to our SP3 libvirt package https://build.suse.de/package/show/Devel:Virt:SLE-11-SP3/libvirt This issue also affects SLES11 SP2, but I'd rather avoid fixing it there if possible. Is a fix for SLES11 SP2 required?
The SWAMPID for this issue is 56039. This issue was rated as moderate. Please submit fixed packages until 2014-02-11. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
I've submitted an updated libvirt package for the affected products. SLES11SP3: submitreq#32278 openSUSE12.3: maintenancerequest#221742 openSUSE13.1: maintenancerequest#221743 Handing bug over to security. Security: For SLES11 SP3 SWAMPID#56039, can we also include the updated libvirt perl binding submitted via SR#28929? Thanks!
Forgot to add myself to the cc list...
SLE11 SP1 and SLE10 SP4 and older do not have the code, so are not affected.
openSUSE-SU-2014:0268-1: An update that solves four vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 817407,857271,857492,858817,858824,859041,859051 CVE References: CVE-2013-6457,CVE-2013-6458,CVE-2014-0028,CVE-2014-1447 Sources used: openSUSE 13.1 (src): libvirt-1.1.2-2.18.3
openSUSE-SU-2014:0270-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 857492,858817 CVE References: CVE-2013-6458,CVE-2014-1447 Sources used: openSUSE 12.3 (src): libvirt-1.0.2-1.14.1
Update released for: libvirt, libvirt-client, libvirt-client-32bit, libvirt-client-64bit, libvirt-client-x86, libvirt-debuginfo, libvirt-debugsource, libvirt-devel, libvirt-devel-32bit, libvirt-devel-64bit, libvirt-doc, libvirt-lock-sanlock, libvirt-python Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SUSE-SU-2014:0318-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 817407,857492,858817 CVE References: CVE-2013-6458,CVE-2014-1447 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): libvirt-1.0.5.9-0.7.1 SUSE Linux Enterprise Server 11 SP3 (src): libvirt-1.0.5.9-0.7.1 SUSE Linux Enterprise Desktop 11 SP3 (src): libvirt-1.0.5.9-0.7.1