25 June 2019
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.2275 Multiple vulnerabilities in libvirt affect Debian 25 June 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: libvirt Publisher: Debian Operating System: Debian GNU/Linux 8 Impact/Access: Execute Arbitrary Code/Commands -- Existing Account Denial of Service -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2019-10167 CVE-2019-10161 Reference: ESB-2019.2243 ESB-2019.2239 ESB-2019.2237 ESB-2019.2233 Original Bulletin: https://security-tracker.debian.org/tracker/DLA-1832-1 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Package : libvirt Version : 1.2.9-9+deb8u7 CVE IDs : CVE-2019-10161 CVE-2019-10167 Two vulnerabilities were discovered in libvirt, an abstraction API for different underlying virtualisation mechanisms provided by the kernel, etc. * CVE-2019-10161: Prevent an vulnerability where readonly clients could use the API to specify an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause a denial of service or otherwise cause libvirtd to execute arbitrary programs. * CVE-2019-10167: Prevent an arbitrary code execution vulnerability via the API where a user-specified binary used to probe the domain's capabilities. read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges. For Debian 8 "Jessie", these issues have been fixed in libvirt version 1.2.9-9+deb8u7. We recommend that you upgrade your libvirt packages. Regards, - - -- ,''`. : :' : Chris Lamb `. `'` email@example.com / chris-lamb.co.uk `- - -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl0RI8EACgkQHpU+J9Qx Hlg5NxAAl/BhcqB/Iuims+QuzwKMI/8KY75jXEEwTG5X7hQYyHgTQosYchRxV3ga qJz1oIEzzP3TeaQYRP3hNSNZtppfb1fAKXoHnDBWIt8eN5sLMD+UqRE3r5VwqTBT cepOdnjSB3bGvEaWavSJIDDi98++oXBBb9MS8ZD+I/HSooheGO8Q0qSQSnF2m0FC 1V4GBMlgroRyQXAXxK4OB+Dgp1KVhXEsZNSBUHGc/ctSayZyBay1Kle0UbRQukHP mjS4NkuCrU6f36V26Y/tcay4EDOB4RcS628gTSO2yy+k68OzjlzC2IVIUW39iUuF jZw4ceeH6u1R/SxOf8xYwR/oXaB+fa8yocvScTodOeN/hEIn2SkT9ewCP53lSkww pZu5WyOGAmHT0XbvHkbeI5ZHS1tS/p7QzX3FTC5gDWV2jHF3eMjDYHwHA3Zxh4x9 PjiSOp1SDgLRSjKOWUojOGJLswoLzGjU3ighNrZzPHKqUDMs9xQtMIiJAxwWBcNO jRjLZLAfePtr+f/KbSTD3eJ6Xc/6s6ioLbhsOJWxaGfkyvovcS2owmkSjDqoCLiq nFTJtAvCSltg4yMleKhwNmIoUuV+VIliYCST46Iic6SBziSEjfjn9Htf+81smKEp Xhtufm6KHLqfJi7iiLgnY+jgoG+VnhcYsY59hxh6fsjEpn/+L8s= =2mv1 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to firstname.lastname@example.org and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: email@example.com Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXRFp3maOgq3Tt24GAQhMAhAA0R0bu4CQoNV46CxHNfGM87hhhXnCDp0t 9yNOomEYNMN/Jv3Nd3s4CDcthAh5lptadUijorWDAGXBQ2ODF36eNF/MUqOsOBxm NLBFD2n5ouKKH+dSljN+htEvbABbO2zTO2srS9TSey/KVT+9npi/h18l6/tZjrw8 a0+bM9lTH4a9IBOKbDI/7igDKEeGOyYFlBrxXaIE6QrONCwpIMHmrHXmUIoZ2gj/ 2TQQTVs5ZntySpcUocF4AMzK7WeRfyyuetbRPSy+TZOWL6bgWqIscyax5sUnMLOd ans2bEhGpTWDkYbKHT2Z8I4GXJcL41pPUbd0QMIKWVXQ4WSYFH7Q7OFOt7xv5jmq FhbBEAZzfOaWPoCm/UirNYHaZApjU8mi3dV14Qhm5erHD9Y0RWv5pjIxD9I1zSru Yr3EooGigb4r2/KLOdJoMjaMkLp3tRfMFAa+Fp5UDfyNhu4dzRvEYboY6QfSx14Z gk6aidVgPdF/L0BgHKgHfV5SI9Szk354zW7hUi6Cn9GwGcvqvexStUzBaeqvAnuk S630kzOGmrCjRQVB04/IUEVeuUrKCtWy/b86o5tfd6HyKs9aUfw9m+TsQ8GJBmg5 q6Jr+eokpeEdLVUXAd7h7Pt4zdPYgT+Z2+56x3rmnkwhsy9WJI9k2dHTaU9wRdKx tVq8vwQA8v4= =iH4N -----END PGP SIGNATURE-----