Two security vulnerabilities were found and fixed in the libvirt package; they allowed an attacker to cause a denial of service or to set incorrect system access rules.
Package: libvirt 0.x
Operating systems: Fedora 16
Severity: 3
Problem: error in a program function
Exploitation: remote
Consequence: unauthorized system access, denial of service (DoS)
Solution: vendor software patch
CVE: CVE-2011-4600, CVE-2012-3445
Original advisory ID: FEDORA-2012-11843
Source: Fedora
Problem:
The problems stem from a faulty virTypedParameterArrayClear function, which mishandles virDomain* API calls, and from system access rules being set unintentionally when the package is restarted.
Consequence:
An attacker could exploit these flaws either to gain unauthorized access to the system or to cause a DoS condition.
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-11843
2012-08-14 09:02:38
--------------------------------------------------------------------------------
Name : libvirt
Product : Fedora 16
Version : 0.9.6.2
Release : 1.fc16
URL : http://libvirt.org/
Summary : Library providing a simple virtualization API
Description :
Libvirt is a C toolkit to interact with the virtualization capabilities
of recent versions of Linux (and other OSes). The main package includes
the libvirtd server exporting the virtualization support.
--------------------------------------------------------------------------------
Update Information:
* Rebased to version 0.9.6.2
* Fix crash in virTypedParameterArrayClear (bz 844745, bz 844734)
--------------------------------------------------------------------------------
ChangeLog:
* Mon Aug 13 2012 Cole Robinson - 0.9.6.2-1
- Rebased to version 0.9.6.2
- Fix crash in virTypedParameterArrayClear (bz 844745, bz 844734)
* Fri Jun 15 2012 Cole Robinson - 0.9.6.1-1
- Rebased to version 0.9.6.1
- Emit spice graphics events (bz 784813)
- Add usbredir spice channel (bz 821469)
- Add default spice channel (bz 821474)
- Various stream fixes and improvements (bz 743900)
- Fix state syncing when xen domain shuts down (bz 746007)
- Don't show <console> for xen dom0 (bz 752271)
- Fix selinux denial on /usr/libexec/pt_chown from LXC (bz 785411)
- Don't flood LXC log file (bz 785431)
- Fix several double close bugs (bz 827127)
- Fix PCI assignment for USB2.0 controllers (bz 822160)
* Fri Mar 30 2012 Osier Yang - 0.9.6-6
- fix typo in chkconfig commandline for specfile - Bug 786890
* Sun Mar 4 2012 Cole Robinson - 0.9.6-5
- Fix crash when migrating many guests with vdsm (bz 785789)
- Fix libvirtd hang in vmware guest (bz 796451)
- Don't start HAL in init script (bz 789234)
- Fix storage lookup errors with empty lvm pool (bz 782261)
- Fix test failures with new gnutls
* Mon Dec 19 2011 Laine Stump - 0.9.6-4
- replace "fedora-13" machine type with "pc-0.14" to prepare
systems for removal of "fedora-13" from qemu - Bug 754772
- don't add iptables rules for externally managed networks
- Bug 765964 / CVE-2011-4600
- specfile changes
- Bug 761329 don't use chkconfig --list
- Bug 758896 mark directories in /var/run as ghosts
- Bug 738725 fix logic bug in deciding to turn on cgconfig
- Bug 754909 add dmidecode as a prerequisite
- new async-safe time API + make logging async signal safe wrt.
time stamp generation - Bug 757382 (this required
enabling autoconf during the build)
* Tue Oct 11 2011 Dan HorÄ