Debian Bug report logs - #929334
libvirt: CVE-2019-10132: Insecure permissions for systemd socket for virtlockd/virtlogd

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 21 May 2019 19:57:02 UTC

Severity: grave

Tags: security, upstream

Found in versions libvirt/5.2.0-2, libvirt/5.0.0-2.1, libvirt/5.0.0-2

Fixed in version libvirt/5.0.0-3

Done: Guido Günther <agx@sigxcpu.org>


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>:
Bug#929334; Package src:libvirt. (Tue, 21 May 2019 19:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>. (Tue, 21 May 2019 19:57:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libvirt: CVE-2019-10132: Insecure permissions for systemd socket for virtlockd/virtlogd
Date: Tue, 21 May 2019 21:53:47 +0200
Source: libvirt
Version: 5.0.0-2
Severity: grave
Tags: security upstream
Control: found -1 5.0.0-2.1
Control: found -1 5.2.0-2

Hi,

The following vulnerability was published for libvirt.

CVE-2019-10132[0]:
Insecure permissions for systemd socket for virtlockd/virtlogd

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10132
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10132
[1] https://security.libvirt.org/2019/0003.html

Please adjust the affected versions in the BTS as needed, looks like
the issue is introduced upstream in v4.1.0-rc1 though.

Regards,
Salvatore



Marked as found in versions libvirt/5.0.0-2.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 21 May 2019 19:57:05 GMT) (full text, mbox, link).


Marked as found in versions libvirt/5.2.0-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 21 May 2019 19:57:06 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#929334. (Wed, 22 May 2019 11:09:09 GMT) (full text, mbox, link).


Message #12 received at 929334-submitter@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <noreply@salsa.debian.org>
To: 929334-submitter@bugs.debian.org
Subject: Bug#929334 marked as pending in libvirt
Date: Wed, 22 May 2019 11:05:23 +0000
Control: tag -1 pending

Hello,

Bug #929334 in libvirt reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/libvirt-team/libvirt/commit/6bc6e60d903933fe231d834d9d9296b4258c0981

------------------------------------------------------------------------
CVE-2019-10132: Fix vir{lock,log}d socket access

All patches were cherry-picked from upstream's v5.0-maint branch.

Closes: #929334
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/929334



Added tag(s) pending. Request was from Guido Günther <noreply@salsa.debian.org> to 929334-submitter@bugs.debian.org. (Wed, 22 May 2019 11:09:09 GMT) (full text, mbox, link).


Reply sent to Guido Günther <agx@sigxcpu.org>:
You have taken responsibility. (Wed, 22 May 2019 11:39:09 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 22 May 2019 11:39:09 GMT) (full text, mbox, link).


Message #19 received at 929334-close@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>
To: 929334-close@bugs.debian.org
Subject: Bug#929334: fixed in libvirt 5.0.0-3
Date: Wed, 22 May 2019 11:34:44 +0000
Source: libvirt
Source-Version: 5.0.0-3

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929334@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <agx@sigxcpu.org> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 22 May 2019 12:31:08 +0200
Source: libvirt
Architecture: source
Version: 5.0.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
Changed-By: Guido Günther <agx@sigxcpu.org>
Closes: 897394 926999 927310 929334
Changes:
 libvirt (5.0.0-3) unstable; urgency=medium
 .
   [ Guido Günther ]
   * [6bc6e60] CVE-2019-10132: Fix vir{lock,log}d socket access.
     All patches were cherry-picked from upstream's v5.0-maint branch.
     (Closes: #929334)
   * [09016dd] d/patches: Move security fixes into security/
 .
   [ Joachim Falk ]
   * [5d96699] lxc: Fix killing of lxc containers if cgroup backend v2 is
     unavailable.
     (Closes: #926999)
   * [ea7a491] lxc: Fix container shutdown and host reboot
     (Closes: #927310, #897394)
Checksums-Sha1:
 47b830f4255c0ad5bbb52fe77392569f73970423 4353 libvirt_5.0.0-3.dsc
 ee72696860a2ceec1ce07247e0bef503ee4825c1 76996 libvirt_5.0.0-3.debian.tar.xz
 9d6e5a04213d249e66f593df63fd4c470b2e009e 19472 libvirt_5.0.0-3_amd64.buildinfo
Checksums-Sha256:
 258b58ec682c741d364e9e70004dcebb0609fb8e9dd748ff0317856af011d331 4353 libvirt_5.0.0-3.dsc
 66ba224b7168fa44b382d9a158515cf34596ab072f3ef53d6f7083d90044e1cb 76996 libvirt_5.0.0-3.debian.tar.xz
 7d2a4222f31bdb03342cadf1523d1a47cf04c023b10932cba77c296f625c0d08 19472 libvirt_5.0.0-3_amd64.buildinfo
Files:
 dde11a7557b74fc06dab5aa627027918 4353 libs optional libvirt_5.0.0-3.dsc
 b426861e183f010e1499ec2bf574932e 76996 libs optional libvirt_5.0.0-3.debian.tar.xz
 cfd0537811f61479d7c29e7182612d8e 19472 libs optional libvirt_5.0.0-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEvHzQcjh4660F3xzZB7i3sOqYEgsFAlzlLMIACgkQB7i3sOqY
EgvJlA//WiOQZfZG6SAi3c+5rO4UQ8l2nI7p4nQNE0DFmnWU6whRa+2j2qZaKfkM
Qo2fWiy6dOT/5+ci4rxDBcEHvqhQEOhk7KbBQOxI9yftQ+mzlMKt9/0xWoxM7CSB
j9/IagUnErZqZvdzFpOzIC1dAWuWPasbDwN7X2MJgILidpy5sADeRjOI5/BS5zl9
WwKkRmFCcshmwYYppu5sjSLLQYroA2vlW2odlWBKBwaKNscYmSy+GoRPReOL68sp
GlIr9nTN/htbd9tWjrEvXCIE2tfVXNIsarIxKcs514uhHzadixWN1HOIsaWpyDSq
HWtasfG/9oKdYEuntZtm7tmAbxhI2zQMFMKifj8s9Z/Yml1CljDbItEwunhS+g+9
dxlcglsNCOykDT+yWFNBP0UmkT/5UIc8MVNM0/H+jnUyQDVkeOhTimH0mB48ODjY
sufAQ8r1H8I9OS92Tjo2G/CrpCWJv3+LDex94qruiZ9ys0lHfri0TEmZP5TnP4ZN
qd0r9l+pOCLr6NemwwnUNUpGBi5mcVtWjgZ0vJz/Oq8UHJAi+Rh42yM73XxK4CdE
LcS9cr7aSgmqM+Q5sNGzGIB9Lk4T8YUYBKTevxojZJFe/4NNgaZzxKfl7BtJYKk2
8c6r1/XzG3+xn2gJY1u7fESwZSlgIJTIanK7GgFdLL87mDlSHNo=
=svda
-----END PGP SIGNATURE-----


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:10:12 2019; Machine Name: beach