CVE-2012-2693

Related Vulnerabilities: CVE-2012-2693  

Debian Bug report logs - #677496
CVE-2012-2693


Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Thu, 14 Jun 2012 10:27:56 UTC

Severity: important

Tags: security

Fixed in version libvirt/0.9.12-2

Done: Guido Günther <agx@sigxcpu.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>:
Bug#677496; Package libvirt. (Thu, 14 Jun 2012 10:27:59 GMT).


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>. (Thu, 14 Jun 2012 10:28:33 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-2693
Date: Thu, 14 Jun 2012 12:23:06 +0200

Package: libvirt
Severity: important
Tags: security

This is already fixed in experimental, but I'm not sure if 0.9.12 is targeted
at Wheezy, so I'm filing a bug.

There's a security issue in libvirt concerning USB handling, it was fixed by
the patches listed in this Red Hat bug:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2693

The impact seems minor to me, so I don't think we need a DSA for Squeeze.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>:
Bug#677496; Package libvirt. (Thu, 14 Jun 2012 18:21:03 GMT).


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>. (Thu, 14 Jun 2012 18:21:03 GMT).


Message #10 received at 677496@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 677496@bugs.debian.org
Subject: Re: [Pkg-libvirt-maintainers] Bug#677496: CVE-2012-2693
Date: Thu, 14 Jun 2012 20:17:25 +0200

On Thu, Jun 14, 2012 at 12:23:06PM +0200, Moritz Muehlenhoff wrote:
> Package: libvirt
> Severity: important
> Tags: security
> 
> This is already fixed in experimental, but I'm not sure if 0.9.12 is targeted
> at Wheezy, so I'm filing a bug.

0.9.13 is targeted for wheezy (to be released in June) however I've
uploaded 0.9.12 to fix this bug.

> There's a security issue in libvirt concerning USB handling, it was fixed by
> the patches listed in this Red Hat bug:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2693
> 
> The impact seems minor to me, so I don't think we need a DSA for Squeeze.

O.k. - in case this should become necessary just let me know. I'll try
to get a backport uploaded once we made the transition.
Cheers,
 -- Guido




Reply sent to Guido Günther <agx@sigxcpu.org>:
You have taken responsibility. (Thu, 14 Jun 2012 18:21:10 GMT).


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Thu, 14 Jun 2012 18:21:10 GMT).


Message #15 received at 677496-close@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: 677496-close@bugs.debian.org
Subject: Bug#677496: fixed in libvirt 0.9.12-2
Date: Thu, 14 Jun 2012 18:17:57 +0000

Source: libvirt
Source-Version: 0.9.12-2

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive:

libvirt-bin_0.9.12-2_i386.deb
  to main/libv/libvirt/libvirt-bin_0.9.12-2_i386.deb
libvirt-dev_0.9.12-2_i386.deb
  to main/libv/libvirt/libvirt-dev_0.9.12-2_i386.deb
libvirt-doc_0.9.12-2_all.deb
  to main/libv/libvirt/libvirt-doc_0.9.12-2_all.deb
libvirt0-dbg_0.9.12-2_i386.deb
  to main/libv/libvirt/libvirt0-dbg_0.9.12-2_i386.deb
libvirt0_0.9.12-2_i386.deb
  to main/libv/libvirt/libvirt0_0.9.12-2_i386.deb
libvirt_0.9.12-2.debian.tar.gz
  to main/libv/libvirt/libvirt_0.9.12-2.debian.tar.gz
libvirt_0.9.12-2.dsc
  to main/libv/libvirt/libvirt_0.9.12-2.dsc
python-libvirt_0.9.12-2_i386.deb
  to main/libv/libvirt/python-libvirt_0.9.12-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 677496@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <agx@sigxcpu.org> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 14 Jun 2012 19:37:42 +0200
Source: libvirt
Binary: libvirt-bin libvirt0 libvirt0-dbg libvirt-doc libvirt-dev python-libvirt
Architecture: source all i386
Version: 0.9.12-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
Changed-By: Guido Günther <agx@sigxcpu.org>
Description: 
 libvirt-bin - programs for the libvirt library
 libvirt-dev - development files for the libvirt library
 libvirt-doc - documentation for the libvirt library
 libvirt0   - library for interfacing with different virtualization systems
 libvirt0-dbg - library for interfacing with different virtualization systems
 python-libvirt - libvirt Python bindings
Closes: 663931 676328 677496
Changes: 
 libvirt (0.9.12-2) unstable; urgency=medium
 .
   * Upload to unstable to fix CVE-2012-2693. Bumping urgency to medium.
     (Closes: #677496)
   * [9515e28] Only check for cluster fs if we're using a filesystem
     (Closes: #676328)
   * [202939f] Reduce udevadm settle timeout to 10 seconds
     (Closes: #663931)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 23 Jul 2012 07:40:06 GMT).


Bug unarchived. Request was from jmw@debian.org to control@bugs.debian.org. (Thu, 17 Jan 2013 12:36:05 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>:
Bug#677496; Package libvirt. (Fri, 18 Jan 2013 13:06:05 GMT).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>. (Fri, 18 Jan 2013 13:06:05 GMT).


Message #24 received at 677496@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 677496@bugs.debian.org
Subject: Re: CVE-2012-2693
Date: Fri, 18 Jan 2013 12:15:06 -0000

Package: libvirt

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/677496/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 09 Mar 2013 07:33:21 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:02:36 2019; Machine Name: beach
