Debian Bug report logs - #878799
CVE-2017-1000256/LSN-2017-0002: TLS certificate verification disabled for clients


Reported by: Guido Günther <agx@sigxcpu.org>

Date: Mon, 16 Oct 2017 17:36:30 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version libvirt/2.3.0-1

Fixed in versions libvirt/3.8.0-3, libvirt/3.0.0-4+deb9u1

Done: Guido Günther <agx@sigxcpu.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>:
Bug#878799; Package src:libvirt. (Mon, 16 Oct 2017 17:36:32 GMT)


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>.

Your message had a Version: pseudo-header with an invalid package version:

CVE-2017-1000256/LSN-2017-0002: TLS certificate verification disabled for clients

please either use found or fixed to the control server with a correct version, or reply to this report indicating the correct version so the maintainer (or someone else) can correct it for you.

(Mon, 16 Oct 2017 17:36:33 GMT)


Message #5 received at submit@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-1000256/LSN-2017-0002: TLS certificate verification disabled for clients
Date: Mon, 16 Oct 2017 19:34:30 +0200
Source: libvirt
Version: CVE-2017-1000256/LSN-2017-0002: TLS certificate verification disabled for clients
Severity: important
Tags: security

Description
-----------

The default_tls_x509_verify (and related) parameters in qemu.conf
control whether the TLS servers in QEMU request & verify
certificates from clients. This works as a simple access control
system for QEMU servers by requiring the CA to issue certs to
permitted clients. This use of client certificates is disabled by
default, since it requires extra work to issue client certificates.
Unfortunately the libvirt code was using these configuration
parameters when setting up both TLS clients and servers in QEMU. The
result was that TLS clients for character devices and disk devices
had verification turned off, meaning they would ignore any errors
while validating the server certificate.

https://www.redhat.com/archives/libvirt-announce/2017-October/msg00001.html


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
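The failure mode the report describes, as an added example that is not part of this bug log or of libvirt's own code (libvirt is written in C and hands its TLS settings on to QEMU; Go is used here so that both ends of the handshake run self-contained): it starts a TLS server on loopback with a certificate the client has no reason to trust and connects twice, once with the pre-fix rule that derived client-side verification from default_tls_x509_verify, and once with the fixed rule that verifies the server unconditionally. The type QemuTLSConfig, the two selector functions and the hostnames are constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// QemuTLSConfig (hypothetical name) holds the qemu.conf setting the report
// discusses: default_tls_x509_verify controls whether the QEMU *server* side
// requests and verifies client certificates, and it defaults to off.
type QemuTLSConfig struct {
	DefaultTLSX509Verify bool
}

// clientVerifyVulnerable models the pre-fix behaviour: the same server-side
// switch also decided whether TLS *clients* verified the server certificate.
func clientVerifyVulnerable(cfg QemuTLSConfig) bool { return cfg.DefaultTLSX509Verify }

// clientVerifyFixed models the fix: clients always verify the server.
func clientVerifyFixed(cfg QemuTLSConfig) bool { return true }

// selfSignedCert builds a throwaway self-signed server certificate for name.
func selfSignedCert(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ClientAcceptsUntrustedServer runs a TLS server on loopback whose certificate
// is not in the client's trust store, then connects with a client that either
// verifies the server certificate or skips verification. A refusal caused by
// the untrusted issuer is the safe outcome and is reported as (false, nil).
func ClientAcceptsUntrustedServer(clientVerifies bool) (bool, error) {
	serverCert, err := selfSignedCert("qemu-host.example") // constructed name
	if err != nil {
		return false, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return false, err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		_ = conn.(*tls.Conn).Handshake() // outcome is observed on the client side
		conn.Close()
	}()

	// The client's trust store deliberately lacks the server's issuer (empty here).
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:            x509.NewCertPool(),
		ServerName:         "qemu-host.example",
		InsecureSkipVerify: !clientVerifies, // verification off: any server cert passes
	})
	if err == nil {
		conn.Close()
		return true, nil
	}
	var unknown x509.UnknownAuthorityError
	if errors.As(err, &unknown) {
		return false, nil // rejected for the right reason
	}
	return false, err
}

func main() {
	cfg := QemuTLSConfig{} // default_tls_x509_verify left at its default (off)
	for name, verify := range map[string]bool{
		"pre-fix client": clientVerifyVulnerable(cfg),
		"fixed client":   clientVerifyFixed(cfg),
	} {
		accepted, err := ClientAcceptsUntrustedServer(verify)
		fmt.Printf("%s: verify=%v accepted untrusted server=%v err=%v\n", name, verify, accepted, err)
	}
}
```

With the default configuration the pre-fix client completes the handshake against the untrusted certificate, while the fixed client fails with an unknown-authority error. The general point is the one the report makes: a server-side "require and verify client certificates" switch says nothing about whether a client should check the server it talks to, so the two settings must never share one knob.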



Marked as found in versions libvirt/2.3.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 Oct 2017 18:42:03 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 Oct 2017 18:42:05 GMT)


Added tag(s) pending. Request was from Guido Günther <agx@sigxcpu.org> to control@bugs.debian.org. (Mon, 16 Oct 2017 20:48:05 GMT)


Reply sent to Guido Günther <agx@sigxcpu.org>:
You have taken responsibility. (Tue, 17 Oct 2017 07:24:04 GMT)


Notification sent to Guido Günther <agx@sigxcpu.org>:
Bug acknowledged by developer. (Tue, 17 Oct 2017 07:24:04 GMT)


Message #16 received at 878799-close@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: 878799-close@bugs.debian.org
Subject: Bug#878799: fixed in libvirt 3.8.0-3
Date: Tue, 17 Oct 2017 07:20:56 +0000
Source: libvirt
Source-Version: 3.8.0-3

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 878799@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <agx@sigxcpu.org> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 16 Oct 2017 19:36:25 +0200
Source: libvirt
Binary: libvirt-clients libvirt-daemon libvirt-daemon-driver-storage-gluster libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-sheepdog libvirt-daemon-driver-storage-zfs libvirt-daemon-system libvirt0 libvirt-doc libvirt-dev libvirt-sanlock libnss-libvirt libvirt-wireshark
Architecture: source
Version: 3.8.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
Changed-By: Guido Günther <agx@sigxcpu.org>
Description:
 libnss-libvirt - nss plugin providing IP address resolution for virtual machines
 libvirt-clients - Programs for the libvirt library
 libvirt-daemon - Virtualization daemon
 libvirt-daemon-driver-storage-gluster - Virtualization daemon glusterfs storage driver
 libvirt-daemon-driver-storage-rbd - Virtualization daemon RBD storage driver
 libvirt-daemon-driver-storage-sheepdog - Virtualization daemon Sheepdog storage driver
 libvirt-daemon-driver-storage-zfs - Virtualization daemon ZFS storage driver
 libvirt-daemon-system - Libvirt daemon configuration files
 libvirt-dev - development files for the libvirt library
 libvirt-doc - documentation for the libvirt library
 libvirt-sanlock - Sanlock plugin for virtlockd
 libvirt-wireshark - Wireshark dissector for the libvirt protocol
 libvirt0   - library for interfacing with different virtualization systems
Closes: 878799
Changes:
 libvirt (3.8.0-3) unstable; urgency=medium
 .
   * [e0e0a42] virt-host-validate: require fuse for LXC if compiled in.
     This should make us skip the lxc test properly on debci.
   * [d16ae50] Drop libvirt-bin upgrade handling
     libvirt-bin was dropped before Jessie
   * [3f18a26] CVE-2017-1000256: qemu: ensure TLS clients always verify the
     server certificate (Closes: #878799)
Checksums-Sha1:
 db9905db8b8cf7904d0e2a39b495e45c29952af3 4501 libvirt_3.8.0-3.dsc
 e9f6d5e8b537eb354441a255011afeec0c283b67 69164 libvirt_3.8.0-3.debian.tar.xz
 799df8daaccb2a95bba8e0e7ed2400f02f4a8e66 19908 libvirt_3.8.0-3_amd64.buildinfo
Checksums-Sha256:
 87efabeb2661ce858e9e6cc96afeefbb1679f4333f0b4ea11561ae3b79ec0606 4501 libvirt_3.8.0-3.dsc
 4af2cd869c81cb1b97acc5e52e0efda6a843a3655eff92b8d65b07fe10ac9e31 69164 libvirt_3.8.0-3.debian.tar.xz
 9e79fb441125c3d1b3bccfa6aa4110c467357ff9113152a0f19434e58d7a15b7 19908 libvirt_3.8.0-3_amd64.buildinfo
Files:
 3f0e16a62db1ba87f5f9c0961192c595 4501 libs optional libvirt_3.8.0-3.dsc
 d5afd1058799342fcdb97976014c2e30 69164 libs optional libvirt_3.8.0-3.debian.tar.xz
 4cd2e0c1946038cf2e40f975f23ab05a 19908 libs optional libvirt_3.8.0-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEvHzQcjh4660F3xzZB7i3sOqYEgsFAlnlGhQACgkQB7i3sOqY
EgtAFBAAp2KSxUBSs4PGbhDLnVEL2xzQ+i580moR2GaXLTjG7N+fC2Jkz4zGljPS
ocRI5TEaC27AH0xLDlZBxfPEdxLrC2mtDEnUUtp+FOWBpPE6/jGqp+iB/CzUNErs
sy0xIzfm6ivb1EXIzRoAOP4xRUvzVRTf5Npf+l2iJAE8x7RObtGNZiUR/P/AyVXc
WOFfJ886auU95nZcEWJQipyWbTuAN7Vo6x5kCUCQKqbyxUuFY0FVgey4zj7WRGXj
WNPQxMBkpnz6ksyIQciSGc0WJNeNLYhx7inurvdF34Ul62Y19CqNFqYtBLasc6Rd
hmNJgyvIWBHAcok8ZBGTdIpVJM1nkeArW+UgEVw5TrY+wUtYreg5Jvtof20pl8/j
eIg9JFmiMDxtralEsxrX7xghtaQRqmP2o3rQRG0nvYtmuw9rmy9z85zcB7jmErD5
ZdqFljdc5x47QkDqxvPLSVER/IDQvVrEf7F0KAh7prW7EUHYRBnLR7JRnICmqcMM
NWbkaqJ25DhqisJXe91KfaDNZQ1zJIHGj6EAMjMn3c1OE7qS77Edg4MF7ille9re
cAcU9vsHX0Her8wR+RQmasc53iYNAlcVu530Wz0bny2klbacDlgmvl9Btn6Tv4ht
/ZJ7P2VZQylgWBCIn0gu4I1VX+GEtm/tXX9S8Uu1xxKw4c1EoWI=
=3Mky
-----END PGP SIGNATURE-----




Reply sent to Guido Günther <agx@sigxcpu.org>:
You have taken responsibility. (Sun, 12 Nov 2017 15:36:07 GMT)


Notification sent to Guido Günther <agx@sigxcpu.org>:
Bug acknowledged by developer. (Sun, 12 Nov 2017 15:36:07 GMT)


Message #21 received at 878799-close@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: 878799-close@bugs.debian.org
Subject: Bug#878799: fixed in libvirt 3.0.0-4+deb9u1
Date: Sun, 12 Nov 2017 15:33:08 +0000
Source: libvirt
Source-Version: 3.0.0-4+deb9u1

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 878799@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <agx@sigxcpu.org> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 16 Oct 2017 22:48:55 +0200
Source: libvirt
Binary: libvirt-clients libvirt-daemon libvirt-daemon-system libvirt0 libvirt-doc libvirt-dev libvirt-sanlock libnss-libvirt
Architecture: source
Version: 3.0.0-4+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
Changed-By: Guido Günther <agx@sigxcpu.org>
Description:
 libnss-libvirt - nss plugin providing IP address resolution for virtual machines
 libvirt-clients - Programs for the libvirt library
 libvirt-daemon - Virtualization daemon
 libvirt-daemon-system - Libvirt daemon configuration files
 libvirt-dev - development files for the libvirt library
 libvirt-doc - documentation for the libvirt library
 libvirt-sanlock - Sanlock plugin for virtlockd
 libvirt0   - library for interfacing with different virtualization systems
Closes: 878799
Changes:
 libvirt (3.0.0-4+deb9u1) stretch-security; urgency=high
 .
   * CVE-2017-1000256: qemu: ensure TLS clients always verify the server
     certificate (Closes: #878799)
Checksums-Sha1:
 ed1ece862466ce7487bda79395256c87ab32fc46 3954 libvirt_3.0.0-4+deb9u1.dsc
 8a38fd5a0538a8ac05c8e4722bc4015c51237be0 13815736 libvirt_3.0.0.orig.tar.xz
 12fe295c7264efd2bcd3d1d09c44653eb897c414 69152 libvirt_3.0.0-4+deb9u1.debian.tar.xz
 75b989f4b80475cb2470212b1d07f0316948de51 16131 libvirt_3.0.0-4+deb9u1_amd64.buildinfo
Checksums-Sha256:
 4f59ee2107ed9b3c82f00fb720e1702a6a3c50a098759e581929559ca240075c 3954 libvirt_3.0.0-4+deb9u1.dsc
 9d9d26b70e13b1b2dfde5789ed52fc4528289a37e0f158418e9746263b37175e 13815736 libvirt_3.0.0.orig.tar.xz
 62ceaa7a5df51fbd9ed12118e99703f69cca7899c9ca328166b4ada6ffe0ae66 69152 libvirt_3.0.0-4+deb9u1.debian.tar.xz
 2a520e440b5bd07854d3f4fdcc7f4922a3f2c77ff9a26f2b41db3bb6f57db33c 16131 libvirt_3.0.0-4+deb9u1_amd64.buildinfo
Files:
 3ba3e7785b5792a147998818b5c49011 3954 libs optional libvirt_3.0.0-4+deb9u1.dsc
 7a24f2ef34e768b654cb689a985cc7aa 13815736 libs optional libvirt_3.0.0.orig.tar.xz
 0c3d5a440079df5e15bbde75b0b45384 69152 libs optional libvirt_3.0.0-4+deb9u1.debian.tar.xz
 0991ed5e8f96c42a059dcdd6d5c9f233 16131 libs optional libvirt_3.0.0-4+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 Dec 2017 07:30:29 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:35:32 2019; Machine Name: buxtehude


Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.