control: -1 found 0.9.12.3-1+deb7u2

Hi Salvatore,

On Fri, Jan 19, 2018 at 09:00:03AM +0100, Salvatore Bonaccorso wrote:
> Source: libvirt
> Version: 1.2.9-9
> Severity: important
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for libvirt.
>
> CVE-2018-5748[0]:
> resource exhaustion via qemuMonitorIORead() method
>
> Further reference in the Red Hat bug [1].
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-5748
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5748
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1528396
>
> Please adjust the affected versions in the BTS as needed, please
> double-check.

Thanks! I wanted to update libvirt in stretch anyway so I'll add it
there. Any reason why you picked 1.2.9-9? AFAIK none of the versions
had resource limits on monitor reads - or did I overlook something?

Cheers,
 -- Guido