USN-2404-1: libvirt vulnerabilities

11 November 2014

Several security issues were fixed in libvirt.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

  • libvirt - Libvirt virtualization toolkit

Details

Pavel Hrdina discovered that libvirt incorrectly handled locking when
processing the virConnectListAllDomains command. An attacker could use this
issue to cause libvirtd to hang, resulting in a denial of service.
(CVE-2014-3657)

Eric Blake discovered that libvirt incorrectly handled permissions when
processing the qemuDomainFormatXML command. An attacker with read-only
privileges could possibly use this to gain access to certain information
from the domain xml file. (CVE-2014-7823)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.10
Ubuntu 14.04

After a standard system update you need to reboot your computer to make
all the necessary changes.