Gentoo FoundationMGASA-2019-0390Updated libvirt packages fix security vulnerabilities
7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.005 Low
EPSS
Percentile
76.1%
Updated libvirt packages fix security vulnerabilities: An information leak which allowed to retrieve the guest hostname under readonly mode (CVE-2019-3886). Wrong permissions in systemd admin-sock due to missing SocketMode parameter (CVE-2019-10132). Arbitrary file read/exec via virDomainSaveImageGetXMLDesc API (CVE-2019-10161). virDomainManagedSaveDefineXML API exposed to readonly clients (CVE-2019-10166). Arbitrary command execution via virConnectGetDomainCapabilities API (CVE-2019-10167). Arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs (CVE-2019-10168). Also, this update contains the libvirt adjustments, that pass through the new ‘md-clear’ CPU flag, to help address Intel CPU speculative execution flaws.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Mageia | 7 | noarch | libvirt | < 5.5.0-1 | libvirt-5.5.0-1.mga7 |
| Mageia | 7 | noarch | python-libvirt | < 5.5.0-1 | python-libvirt-5.5.0-1.mga7 |
Related
7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.005 Low
EPSS
Percentile
76.1%