Your submission was sent successfully! Close

USN-2404-1: libvirt vulnerabilities

11 November 2014

Several security issues were fixed in libvirt.

Releases

Packages

  • libvirt - Libvirt virtualization toolkit

Details

Pavel Hrdina discovered that libvirt incorrectly handled locking when
processing the virConnectListAllDomains command. An attacker could use this
issue to cause libvirtd to hang, resulting in a denial of service.
(CVE-2014-3657)

Eric Blake discovered that libvirt incorrectly handled permissions when
processing the qemuDomainFormatXML command. An attacker with read-only
privileges could possibly use this to gain access to certain information
from the domain xml file. (CVE-2014-7823)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.10
Ubuntu 14.04

After a standard system update you need to reboot your computer to make
all the necessary changes.