Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
centosCentOS ProjectCESA-2014:1352
HistoryOct 03, 2014 - 6:13 p.m.

libvirt security update

2014-10-0318:13:17
CentOS Project
lists.centos.org
43

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:N/A:P

0.042 Low

EPSS

Percentile

92.2%

JSON

CentOS Errata and Security Advisory CESA-2014:1352

The libvirt library is a C API for managing and interacting with the
virtualization capabilities of Linux and other operating systems.
In addition, libvirt provides tools for remote management of
virtualized systems.

An out-of-bounds read flaw was found in the way libvirt’s
qemuDomainGetBlockIoTune() function looked up the disk index in a
non-persistent (live) disk configuration while a persistent disk
configuration was being indexed. A remote attacker able to establish a
read-only connection to libvirtd could use this flaw to crash libvirtd or,
potentially, leak memory from the libvirtd process. (CVE-2014-3633)

A denial of service flaw was found in the way libvirt’s
virConnectListAllDomains() function computed the number of used domains.
A remote attacker able to establish a read-only connection to libvirtd
could use this flaw to make any domain operations within libvirt
unresponsive. (CVE-2014-3657)

The CVE-2014-3633 issue was discovered by Luyao Huang of Red Hat.

This update also fixes the following bug:

  • Prior to this update, libvirt was setting the cpuset.mems parameter for
    domains with numatune/memory[nodeset] prior to starting them. As a
    consequence, domains with such a nodeset, which excluded the NUMA node with
    DMA and DMA32 zones (found in /proc/zoneinfo), could not be started due to
    failed KVM initialization. With this update, libvirt sets the cpuset.mems
    parameter after the initialization, and domains with any nodeset (in
    /numatune/memory) can be started without an error. (BZ#1135871)

All libvirt users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, libvirtd will be restarted automatically.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2014-October/082830.html

Affected packages:
libvirt
libvirt-client
libvirt-daemon
libvirt-daemon-config-network
libvirt-daemon-config-nwfilter
libvirt-daemon-driver-interface
libvirt-daemon-driver-lxc
libvirt-daemon-driver-network
libvirt-daemon-driver-nodedev
libvirt-daemon-driver-nwfilter
libvirt-daemon-driver-qemu
libvirt-daemon-driver-secret
libvirt-daemon-driver-storage
libvirt-daemon-kvm
libvirt-daemon-lxc
libvirt-devel
libvirt-docs
libvirt-lock-sanlock
libvirt-login-shell
libvirt-python

Upstream details at:
https://access.redhat.com/errata/RHSA-2014:1352

OSVersionArchitecturePackageVersionFilename
CentOS7x86_64libvirt< 1.1.1-29.el7_0.3libvirt-1.1.1-29.el7_0.3.x86_64.rpm
CentOS7i686libvirt-client< 1.1.1-29.el7_0.3libvirt-client-1.1.1-29.el7_0.3.i686.rpm
CentOS7x86_64libvirt-client< 1.1.1-29.el7_0.3libvirt-client-1.1.1-29.el7_0.3.x86_64.rpm
CentOS7x86_64libvirt-daemon< 1.1.1-29.el7_0.3libvirt-daemon-1.1.1-29.el7_0.3.x86_64.rpm
CentOS7x86_64libvirt-daemon-config-network< 1.1.1-29.el7_0.3libvirt-daemon-config-network-1.1.1-29.el7_0.3.x86_64.rpm
CentOS7x86_64libvirt-daemon-config-nwfilter< 1.1.1-29.el7_0.3libvirt-daemon-config-nwfilter-1.1.1-29.el7_0.3.x86_64.rpm
CentOS7x86_64libvirt-daemon-driver-interface< 1.1.1-29.el7_0.3libvirt-daemon-driver-interface-1.1.1-29.el7_0.3.x86_64.rpm
CentOS7x86_64libvirt-daemon-driver-lxc< 1.1.1-29.el7_0.3libvirt-daemon-driver-lxc-1.1.1-29.el7_0.3.x86_64.rpm
CentOS7x86_64libvirt-daemon-driver-network< 1.1.1-29.el7_0.3libvirt-daemon-driver-network-1.1.1-29.el7_0.3.x86_64.rpm
CentOS7x86_64libvirt-daemon-driver-nodedev< 1.1.1-29.el7_0.3libvirt-daemon-driver-nodedev-1.1.1-29.el7_0.3.x86_64.rpm
Rows per page:
1-10 of 221

Related

redhat 2
openvas 16
securityvulns 5
nessus 18
altlinux 1
oraclelinux 3
mageia 1
centos 1
ubuntucve 2
cve 2
prion 2
veracode 3
debiancve 2
archlinux 1
debian 2
osv 16
ubuntu 2
fedora 2
f5 2
gentoo 1
redhat
redhat
(RHSA-2014:1352) Moderate: libvirt security and bug fix update
2014-10-01 00:00:00
(RHSA-2014:1873) Moderate: libvirt security and bug fix update
2014-11-18 00:00:00
openvas
openvas
RedHat Update for libvirt RHSA-2014:1352-01
2014-10-02 00:00:00
CentOS Update for libvirt CESA-2014:1352 centos7
2014-10-04 00:00:00
Oracle: Security Advisory (ELSA-2014-1352)
2015-10-06 00:00:00
securityvulns
securityvulns
[ MDVSA-2014:195 ] libvirt
2014-10-05 00:00:00
libvirt security vulnerabilities
2014-10-05 00:00:00
libvirt information leakage
2014-11-24 00:00:00
nessus
nessus
Mandriva Linux Security Advisory : libvirt (MDVSA-2014:195)
2014-10-06 00:00:00
RHEL 7 : libvirt (RHSA-2014:1352)
2014-10-02 00:00:00
openSUSE Security Update : libvirt (openSUSE-SU-2014:1290-1)
2014-10-15 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 8 package libvirt version 1.2.9-alt1
2014-10-03 00:00:00
oraclelinux
oraclelinux
libvirt security and bug fix update
2014-10-01 00:00:00
libvirt security and bug fix update
2014-11-18 00:00:00
libvirt security, bug fix, and enhancement update
2015-03-11 00:00:00
mageia
mageia
Updated libvirt packages fix security vulnerbilities
2014-10-07 13:22:51
centos
centos
libvirt security update
2014-11-18 18:46:17
ubuntucve
ubuntucve
CVE-2014-3633
2014-09-19 00:00:00
CVE-2014-3657
2014-10-06 00:00:00
cve
cve
CVE-2014-3633
2014-10-06 14:55:00
CVE-2014-3657
2014-10-06 14:55:00
prion
prion
Out-of-bounds
2014-10-06 14:55:00
Command injection
2014-10-06 14:55:00
veracode
veracode
Out-Of-Bounds Read
2018-08-13 08:43:30
Out-Of-Bounds Read
2019-01-15 09:03:12
Denial Of Service (DoS)
2018-08-13 07:58:48
debiancve
debiancve
CVE-2014-3633
2014-10-06 14:55:00
CVE-2014-3657
2014-10-06 14:55:00
archlinux
archlinux
libvirt: out-of-bounds read access
2014-09-29 00:00:00
debian
debian
[SECURITY] [DSA 3038-1] libvirt security update
2014-09-27 15:52:33
[SECURITY] [DSA 3038-1] libvirt security update
2014-09-27 15:52:51
osv
osv
libvirt - security update
2014-09-27 00:00:00
CVE-2020-25637
2020-10-06 14:15:12
CVE-2019-3840
2019-03-27 13:29:01
ubuntu
ubuntu
libvirt vulnerabilities
2014-11-11 00:00:00
libvirt vulnerabilities
2014-09-30 00:00:00
fedora
fedora
[SECURITY] Fedora 20 Update: libvirt-1.1.3.8-1.fc20
2014-11-22 12:37:22
[SECURITY] Fedora 20 Update: libvirt-1.1.3.9-1.fc20
2015-02-17 08:10:35
f5
f5
SOL16117 - Multiple libvirt vulnerabilities
2015-02-12 00:00:00
K16117 : Multiple libvirt vulnerabilities
2015-02-12 00:00:00
gentoo
gentoo
libvirt: Multiple vulnerabilities
2014-12-08 00:00:00

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:N/A:P

0.042 Low

EPSS

Percentile

92.2%

JSON
Related for CESA-2014:1352
redhat2openvas16securityvulns5nessus18altlinux1oraclelinux3mageia1centos1ubuntucve2cve2prion2veracode3debiancve2archlinux1debian2osv16ubuntu2fedora2f52gentoo1