Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.2275
Multiple vulnerabilities in libvirt affect Debian
25 June 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libvirt
Publisher: Debian
Operating System: Debian GNU/Linux 8
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2019-10167 CVE-2019-10161
Reference: ESB-2019.2243
ESB-2019.2239
ESB-2019.2237
ESB-2019.2233
Original Bulletin:
https://security-tracker.debian.org/tracker/DLA-1832-1
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Package : libvirt
Version : 1.2.9-9+deb8u7
CVE IDs : CVE-2019-10161 CVE-2019-10167
Two vulnerabilities were discovered in libvirt, an abstraction API
for different underlying virtualisation mechanisms provided by the
kernel, etc.
* CVE-2019-10161: Prevent an vulnerability where readonly clients
could use the API to specify an arbitrary path which would be
accessed with the permissions of the libvirtd process. An attacker
with access to the libvirtd socket could use this to probe the
existence of arbitrary files, cause a denial of service or
otherwise cause libvirtd to execute arbitrary programs.
* CVE-2019-10167: Prevent an arbitrary code execution vulnerability
via the API where a user-specified binary used to probe the
domain's capabilities. read-only clients could specify an
arbitrary path for this argument, causing libvirtd to execute a
crafted executable with its own privileges.
For Debian 8 "Jessie", these issues have been fixed in libvirt
version 1.2.9-9+deb8u7.
We recommend that you upgrade your libvirt packages.
Regards,
- - --
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl0RI8EACgkQHpU+J9Qx
Hlg5NxAAl/BhcqB/Iuims+QuzwKMI/8KY75jXEEwTG5X7hQYyHgTQosYchRxV3ga
qJz1oIEzzP3TeaQYRP3hNSNZtppfb1fAKXoHnDBWIt8eN5sLMD+UqRE3r5VwqTBT
cepOdnjSB3bGvEaWavSJIDDi98++oXBBb9MS8ZD+I/HSooheGO8Q0qSQSnF2m0FC
1V4GBMlgroRyQXAXxK4OB+Dgp1KVhXEsZNSBUHGc/ctSayZyBay1Kle0UbRQukHP
mjS4NkuCrU6f36V26Y/tcay4EDOB4RcS628gTSO2yy+k68OzjlzC2IVIUW39iUuF
jZw4ceeH6u1R/SxOf8xYwR/oXaB+fa8yocvScTodOeN/hEIn2SkT9ewCP53lSkww
pZu5WyOGAmHT0XbvHkbeI5ZHS1tS/p7QzX3FTC5gDWV2jHF3eMjDYHwHA3Zxh4x9
PjiSOp1SDgLRSjKOWUojOGJLswoLzGjU3ighNrZzPHKqUDMs9xQtMIiJAxwWBcNO
jRjLZLAfePtr+f/KbSTD3eJ6Xc/6s6ioLbhsOJWxaGfkyvovcS2owmkSjDqoCLiq
nFTJtAvCSltg4yMleKhwNmIoUuV+VIliYCST46Iic6SBziSEjfjn9Htf+81smKEp
Xhtufm6KHLqfJi7iiLgnY+jgoG+VnhcYsY59hxh6fsjEpn/+L8s=
=2mv1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXRFp3maOgq3Tt24GAQhMAhAA0R0bu4CQoNV46CxHNfGM87hhhXnCDp0t
9yNOomEYNMN/Jv3Nd3s4CDcthAh5lptadUijorWDAGXBQ2ODF36eNF/MUqOsOBxm
NLBFD2n5ouKKH+dSljN+htEvbABbO2zTO2srS9TSey/KVT+9npi/h18l6/tZjrw8
a0+bM9lTH4a9IBOKbDI/7igDKEeGOyYFlBrxXaIE6QrONCwpIMHmrHXmUIoZ2gj/
2TQQTVs5ZntySpcUocF4AMzK7WeRfyyuetbRPSy+TZOWL6bgWqIscyax5sUnMLOd
ans2bEhGpTWDkYbKHT2Z8I4GXJcL41pPUbd0QMIKWVXQ4WSYFH7Q7OFOt7xv5jmq
FhbBEAZzfOaWPoCm/UirNYHaZApjU8mi3dV14Qhm5erHD9Y0RWv5pjIxD9I1zSru
Yr3EooGigb4r2/KLOdJoMjaMkLp3tRfMFAa+Fp5UDfyNhu4dzRvEYboY6QfSx14Z
gk6aidVgPdF/L0BgHKgHfV5SI9Szk354zW7hUi6Cn9GwGcvqvexStUzBaeqvAnuk
S630kzOGmrCjRQVB04/IUEVeuUrKCtWy/b86o5tfd6HyKs9aUfw9m+TsQ8GJBmg5
q6Jr+eokpeEdLVUXAd7h7Pt4zdPYgT+Z2+56x3rmnkwhsy9WJI9k2dHTaU9wRdKx
tVq8vwQA8v4=
=iH4N
-----END PGP SIGNATURE-----