-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Package : libvirt Version : 1.2.9-9+deb8u7 CVE IDs : CVE-2019-10161 CVE-2019-10167
Two vulnerabilities were discovered in libvirt, an abstraction API for different underlying virtualisation mechanisms provided by the kernel, etc. * CVE-2019-10161: Prevent an vulnerability where readonly clients could use the API to specify an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause a denial of service or otherwise cause libvirtd to execute arbitrary programs. * CVE-2019-10167: Prevent an arbitrary code execution vulnerability via the API where a user-specified binary used to probe the domain's capabilities. read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges. For Debian 8 "Jessie", these issues have been fixed in libvirt version 1.2.9-9+deb8u7. We recommend that you upgrade your libvirt packages. Regards, - -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl0RI8EACgkQHpU+J9Qx Hlg5NxAAl/BhcqB/Iuims+QuzwKMI/8KY75jXEEwTG5X7hQYyHgTQosYchRxV3ga qJz1oIEzzP3TeaQYRP3hNSNZtppfb1fAKXoHnDBWIt8eN5sLMD+UqRE3r5VwqTBT cepOdnjSB3bGvEaWavSJIDDi98++oXBBb9MS8ZD+I/HSooheGO8Q0qSQSnF2m0FC 1V4GBMlgroRyQXAXxK4OB+Dgp1KVhXEsZNSBUHGc/ctSayZyBay1Kle0UbRQukHP mjS4NkuCrU6f36V26Y/tcay4EDOB4RcS628gTSO2yy+k68OzjlzC2IVIUW39iUuF jZw4ceeH6u1R/SxOf8xYwR/oXaB+fa8yocvScTodOeN/hEIn2SkT9ewCP53lSkww pZu5WyOGAmHT0XbvHkbeI5ZHS1tS/p7QzX3FTC5gDWV2jHF3eMjDYHwHA3Zxh4x9 PjiSOp1SDgLRSjKOWUojOGJLswoLzGjU3ighNrZzPHKqUDMs9xQtMIiJAxwWBcNO jRjLZLAfePtr+f/KbSTD3eJ6Xc/6s6ioLbhsOJWxaGfkyvovcS2owmkSjDqoCLiq nFTJtAvCSltg4yMleKhwNmIoUuV+VIliYCST46Iic6SBziSEjfjn9Htf+81smKEp Xhtufm6KHLqfJi7iiLgnY+jgoG+VnhcYsY59hxh6fsjEpn/+L8s= =2mv1 -----END PGP SIGNATURE-----