Debian Bug report logs - #677496: CVE-2012-2693
Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>
Date: Thu, 14 Jun 2012 10:27:56 UTC
Severity: important
Tags: security
Fixed in version libvirt/0.9.12-2
Done: Guido Günther <agx@sigxcpu.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>: Bug#677496; Package libvirt. (Thu, 14 Jun 2012 10:27:59 GMT)
Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>. (Thu, 14 Jun 2012 10:28:33 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libvirt
Severity: important
Tags: security
This is already fixed in experimental, but I'm not sure if 0.9.12 is targeted
at Wheezy, so I'm filing a bug.
There's a security issue in libvirt concerning USB handling, it was fixed by
the patches listed in this Red Hat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2693
The impact seems minor to me, so I don't think we need a DSA for Squeeze.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>: Bug#677496; Package libvirt. (Thu, 14 Jun 2012 18:21:03 GMT)
Acknowledgement sent to Guido Günther <agx@sigxcpu.org>: Extra info received and forwarded to list. Copy sent to Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>. (Thu, 14 Jun 2012 18:21:03 GMT)
Message #10 received at 677496@bugs.debian.org:
On Thu, Jun 14, 2012 at 12:23:06PM +0200, Moritz Muehlenhoff wrote:
> Package: libvirt
> Severity: important
> Tags: security
>
> This is already fixed in experimental, but I'm not sure if 0.9.12 is targeted
> at Wheezy, so I'm filing a bug.
0.9.13 is targeted for wheezy (to be released in June) however I've
uploaded 0.9.12 to fix this bug.
> There's a security issue in libvirt concerning USB handling, it was fixed by
> the patches listed in this Red Hat bug:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2693
>
> The impact seems minor to me, so I don't think we need a DSA for Squeeze.
O.k. - in case this should become necessary just let me know. I'll try
to get a backport uploaded once we made the transition.
Cheers,
-- Guido
Reply sent to Guido Günther <agx@sigxcpu.org>: You have taken responsibility. (Thu, 14 Jun 2012 18:21:10 GMT)
Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug acknowledged by developer. (Thu, 14 Jun 2012 18:21:10 GMT)
Message #15 received at 677496-close@bugs.debian.org:
Source: libvirt
Source-Version: 0.9.12-2
We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive:
libvirt-bin_0.9.12-2_i386.deb
to main/libv/libvirt/libvirt-bin_0.9.12-2_i386.deb
libvirt-dev_0.9.12-2_i386.deb
to main/libv/libvirt/libvirt-dev_0.9.12-2_i386.deb
libvirt-doc_0.9.12-2_all.deb
to main/libv/libvirt/libvirt-doc_0.9.12-2_all.deb
libvirt0-dbg_0.9.12-2_i386.deb
to main/libv/libvirt/libvirt0-dbg_0.9.12-2_i386.deb
libvirt0_0.9.12-2_i386.deb
to main/libv/libvirt/libvirt0_0.9.12-2_i386.deb
libvirt_0.9.12-2.debian.tar.gz
to main/libv/libvirt/libvirt_0.9.12-2.debian.tar.gz
libvirt_0.9.12-2.dsc
to main/libv/libvirt/libvirt_0.9.12-2.dsc
python-libvirt_0.9.12-2_i386.deb
to main/libv/libvirt/python-libvirt_0.9.12-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 677496@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guido Günther <agx@sigxcpu.org> (supplier of updated libvirt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Thu, 14 Jun 2012 19:37:42 +0200
Source: libvirt
Binary: libvirt-bin libvirt0 libvirt0-dbg libvirt-doc libvirt-dev python-libvirt
Architecture: source all i386
Version: 0.9.12-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
Changed-By: Guido Günther <agx@sigxcpu.org>
Description:
libvirt-bin - programs for the libvirt library
libvirt-dev - development files for the libvirt library
libvirt-doc - documentation for the libvirt library
libvirt0 - library for interfacing with different virtualization systems
libvirt0-dbg - library for interfacing with different virtualization systems
python-libvirt - libvirt Python bindings
Closes: 663931 676328 677496
Changes:
libvirt (0.9.12-2) unstable; urgency=medium
.
* Upload to unstable to fix CVE-2012-2693. Bumping urgency to medium.
(Closes: #677496)
* [9515e28] Only check for cluster fs if we're using a filesystem
(Closes: #676328)
* [202939f] Reduce udevadm settle timeout to 10 seconds
(Closes: #663931)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 23 Jul 2012 07:40:06 GMT)
Bug unarchived. Request was from jmw@debian.org to control@bugs.debian.org. (Thu, 17 Jan 2013 12:36:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>: Bug#677496; Package libvirt. (Fri, 18 Jan 2013 13:06:05 GMT)
Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>. (Fri, 18 Jan 2013 13:06:05 GMT)
Message #24 received at 677496@bugs.debian.org:
Package: libvirt
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
squeeze (6.0.7) - use target "stable"
Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.
For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].
0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/677496/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 09 Mar 2013 07:33:21 GMT)
Last modified: Wed Jun 19 17:02:36 2019