libvirt security, bug fix, and enhancement update

2019-08-1300:00:00

linux.oracle.com

0.005 Low

EPSS

Percentile

76.1%

JSON

[4.5.0-23]

api: disallow virDomainSaveImageGetXMLDesc on read-only connections (CVE-2019-10161)
api: disallow virDomainManagedSaveDefineXML on read-only connections (CVE-2019-10166)
api: disallow virConnectGetDomainCapabilities on read-only connections (CVE-2019-10167)
api: disallow virConnect*HypervisorCPU on read-only connections (CVE-2019-10168)
[4.5.0-22]
qemu: Drop cleanup label from qemuProcessInitCpuAffinity() (rhbz#1718172)
qemu: Fix NULL pointer access in qemuProcessInitCpuAffinity() (rhbz#1718172)
[4.5.0-21]
cpu_conf: Fix XPath for parsing TSC frequency (rhbz#1641702)
[4.5.0-20]
util: alloc: add macros for implementing automatic cleanup functionality (rhbz#1703661)
util: bitmap: define cleanup function using VIR_DEFINE_AUTOPTR_FUNC (rhbz#1703661)
util: Introduce virBitmapUnion() (rhbz#1703661)
util: Introduce virNumaNodesetToCPUset() (rhbz#1703661)
qemu: Fix qemuProcessInitCpuAffinity() (rhbz#1703661)
qemu: Fix leak in qemuProcessInitCpuAffinity() (rhbz#1703661)
[4.5.0-19]
virfile: added GPFS as shared fs (rhbz#1710728)
util: file: introduce VIR_AUTOCLOSE macro to close fd of the file automatically (rhbz#1641702)
vircpuhost: Add support for reading MSRs (rhbz#1641702)
virhostcpu: Make virHostCPUGetMSR() work only on x86 (rhbz#1641702)
qemu: Make virQEMUCapsProbeHostCPUForEmulator more generic (rhbz#1641702)
qemuargv2xmltest: Use mocked virQEMUCapsProbeHostCPU (rhbz#1641702)
util: Add virHostCPUGetTscInfo (rhbz#1641702)
conf: Report TSC frequency in host CPU capabilities (rhbz#1641702)
cpu_x86: Fix placement of *CheckFeature functions (rhbz#1641702)
cpu_x86: Probe TSC frequency and scaling support (rhbz#1641702)
qemu: Check TSC frequency before starting QEMU (rhbz#1641702)
util: Propagate numad failures correctly (rhbz#1716387)
[4.5.0-18]
admin: reject clients unless their UID matches the current UID (CVE-2019-10132)
locking: restrict sockets to mode 0600 (CVE-2019-10132)
logging: restrict sockets to mode 0600 (CVE-2019-10132)
util: require command args to be non-NULL (rhbz#1672957)
qemu: use line breaks in command line args written to log (rhbz#1672957)
[4.5.0-17]
cpu_map: Add support for cldemote CPU feature (rhbz#1537777)
cputest: Add data for Intel® Xeon® CPU E3-1225 v5 (CVE-2018-12126, CVE-2018-12127, CVE-2019-11091, CVE-2018-12130)
cpu_map: Define md-clear CPUID bit (CVE-2018-12126, CVE-2018-12127, CVE-2019-11091, CVE-2018-12130)
[4.5.0-16]
Handle copying bitmaps to larger data buffers (rhbz#1703159)
nwfilter: fix adding std MAC and IP values to filter binding (rhbz#1691358)
util: suppress unimportant ovs-vsctl errors when getting interface stats (rhbz#1683175)
[4.5.0-15]
qemu_hotplug: Initialize @charAlias in qemuDomainRemoveChrDevice (rhbz#1658198)
[4.5.0-14]
cpu_map: Add features for Icelake CPUs (rhbz#1527659, rhbz#1526624)
cpu_map: Add Icelake CPU models (rhbz#1526624)
cpu_x86: Do not cache microcode version (rhbz#1576369)
qemu: Dont cache microcode version (rhbz#1576369)
util: Rename some functions of virresctrl (rhbz#1468650)
util: Refactor virResctrlGetInfo in virresctrl (rhbz#1468650)
util: Refactor virResctrlAllocFormat of virresctrl (rhbz#1468650)
util: Add MBA capability information query to resctrl (rhbz#1468650)
util: Add MBA check to virResctrlInfoGetCache (rhbz#1468650)
util: Add MBA allocation to virresctrl (rhbz#1468650)
util: Add MBA schemata parse and format methods (rhbz#1468650)
util: Add support to calculate MBA utilization (rhbz#1468650)
util: Introduce virResctrlAllocForeachMemory (rhbz#1468650)
util: Introduce virResctrlAllocSetMemoryBandwidth (rhbz#1468650)
conf: Rename cachetune to resctrl (rhbz#1468650)
conf: Factor out vcpus parsing part from virDomainCachetuneDefParse (rhbz#1468650)
conf: Factor out vcpus overlapping from virDomainCachetuneDefParse (rhbz#1468650)
conf: Factor out virDomainResctrlDef update from virDomainCachetuneDefParse (rhbz#1468650)
conf: Add support for memorytune XML processing for resctrl MBA (rhbz#1468650)
conf: Add return value check to virResctrlAllocForeachCache (rhbz#1468650)
conf: Add memory bandwidth allocation capability of host (rhbz#1468650)
conf: Fix bug in finding alloc through matching vcpus (rhbz#1468650)
resctrl: Do not calculate free bandwidth for MBA (rhbz#1468650)
resctrl: Set MBA defaults properly (rhbz#1468650)
resctrl: Fix testing line (rhbz#1468650)
virresctrl: fix MBA memory leak (rhbz#1468650)
test: caps: Add capabilities for QEMU 3.1.0 (rhbz#1628892)
util: Introduce virHostGetDRMRenderNode helper (rhbz#1628892)
conf: Introduce virDomainGraphics-related helpers (rhbz#1628892)
qemu: process: spice: Pick the first available DRM render node (rhbz#1628892)
qemu: command: Introduce qemuBuildGraphicsEGLHeadlessCommandLine helper (rhbz#1628892)
qemu: caps: Introduce QEMU_EGL_HEADLESS_RENDERNODE capability (rhbz#1628892)
conf: gfx: Add egl-headless as a member to virDomainGraphicsDef struct (rhbz#1628892)
conf: gfx: egl-headless: Introduce a new
subelement (rhbz#1628892)
qemu: domain: egl-headless: Add the DRI device into the namespace (rhbz#1628892)
qemu: cgroup: gfx: egl-headless: Add the DRI device into the cgroup list (rhbz#1628892)
security: dac: gfx: egl-headless: Relabel the DRI device (rhbz#1628892)
qemu: command: gfx: egl-headless: Add ‘rendernode’ option to the cmdline (rhbz#1628892)
domain: conf: graphics: Fix picking DRI renderer automatically for SPICE (rhbz#1628892)
qemu: domain: gfx: Fix shadowing of a function argument in validation (rhbz#1628892)
[4.5.0-13]
storage: Extract out mount command creation for FS Backend (rhbz#1584663)
storage: Move FS backend mount creation command helper (rhbz#1584663)
storage: Move virStorageBackendFileSystemGetPoolSource (rhbz#1584663)
tests: Introduce tests for storage pool xml to argv checks (rhbz#1584663)
tests: Add storagepool xml test for netfs-auto (rhbz#1584663)
storage: Rework virStorageBackendFileSystemMountCmd (rhbz#1584663)
storage: Add default mount options for fs/netfs storage pools (rhbz#1584663)
conf: Add optional NFS Source Pool
option (rhbz#1584663)
storage: Add the nfsvers to the command line (rhbz#1584663)
virsh: Add source-protocol-ver for pool commands (rhbz#1584663)
RHEL: conf: storage: Fix a memory leak in virStoragePoolDefParseSource (rhbz#1584663)
tests: Reuse qemucapabilities data for qemucaps2xml (rhbz#1628469)
tests: Add more tests to qemucaps2xml (rhbz#1628469)
qemu: Drop QEMU_CAPS_ENABLE_KVM (rhbz#1628469)
qemu: Avoid probing non-native binaries all the time (rhbz#1628469)
qemu: Clarify QEMU_CAPS_KVM (rhbz#1628469)
qemu: Dont check for /dev/kvm presence (rhbz#1628469)
tests: Follow up on qemucaps2xmldata rename (rhbz#1628469)
qemu: hotplug: Dont generate alias when detaching disk (rhbz#1658198)
qemu: hotplug: Dont generate alias when detaching controllers (rhbz#1658198)
tests: add channel-unix-guestfwd (rhbz#1658198)
qemu: Use @tmpChr in qemuDomainDetachChrDevice to build device string (rhbz#1658198)
qemuL: Drop ‘user-’ prefix for guestfwd netdev (rhbz#1658198)
qemu_hotplug: Attach guestfwd using netdev_add (rhbz#1658198)
qemu_hotplug: Detach guestfwd using netdev_del (rhbz#1658198)
qemuhotplugtest: Test guestfwd attach and detach (rhbz#1658198)
qemu_hotplug: Dont build device string in qemuDomainDetachChrDevice (rhbz#1658198)
qemu_hotplug: Assume chardev alias always exists in qemuDomainDetachChrDevice (rhbz#1658198)
qemu: fix device name passed to error report (rhbz#1658198)
qemu_hotplug: Properly check for qemuMonitorDelDevice retval (rhbz#1658198)
qemu_hotplug: Introduce and use qemuDomainDeleteDevice (rhbz#1658198)
qemu: hotplug: Remove ‘ret’ variable in qemuDomainDetachDeviceDiskLive (rhbz#1658198)
qemu: hotplug: Use typecasted enum in qemuDomainDetachDeviceDiskLive (rhbz#1658198)
qemu: hotplug: Use switch statement for selecting disk bus function (rhbz#1658198)
qemu: hotplug: Merge virtio and non-virtio disk unplug code (rhbz#1658198)
qemu_hotplug: remove unnecessary check for valid PCI address (rhbz#1658198)
qemu_hotplug: rename a virDomainDeviceInfoPtr to avoid confusion (rhbz#1658198)
qemu_hotplug: eliminate multiple identical qemuDomainDetachHost*Device() functions (rhbz#1658198)
qemu_hotplug: eliminate unnecessary call to qemuDomainDetachNetDevice() (rhbz#1658198)
qemu_hotplug: refactor qemuDomainDetachDiskLive and qemuDomainDetachDiskDevice (rhbz#1658198)
qemu_hotplug: dont call DetachThisHostDevice for hostdev network devices (rhbz#1658198)
qemu_hotplug: merge qemuDomainDetachThisHostDevice into qemuDomainDetachHostDevice (rhbz#1658198)
qemu_hotplug: move qemuDomainChangeGraphicsPasswords() (rhbz#1658198)
qemu_hotplug: move (almost) all qemuDomainDetach*() functions together (rhbz#1658198)
qemu_hotplug: move (Attach|Detach)Lease functions with others of same type (rhbz#1658198)
qemu_hotplug: move qemuDomainDetachDeviceLive() to qemu_hotplug.c (rhbz#1658198)
qemu_hotplug: remove extra function in middle of DetachController call chain (rhbz#1658198)
qemu_hotplug: pull qemuDomainUpdateDeviceList out of qemuDomainDetachDeviceLive (rhbz#1658198)
test: replace calls to individual detach functions with one call to main detach (rhbz#1658198)
qemu_hotplug: make Detach functions called only from qemu_hotplug.c static (rhbz#1658198)
qemu_hotplug: rename dev to match in qemuDomainDetachDeviceLive (rhbz#1658198)
qemu_hotplug: separate Chr|Lease from other devices in DetachDevice switch (rhbz#1658198)
qemu_hotplug: standardize the names/args/calling of qemuDomainDetach*() (rhbz#1658198)
qemu_hotplug: rename Chr and Lease Detach functions (rhbz#1658198)
qemu_hotplug: new function qemuDomainRemoveAuditDevice() (rhbz#1658198)
qemu_hotplug: audit all auditable device types in qemuDomainRemoveAuditDevice (rhbz#1658198)
qemu_hotplug: consolidate all common detach code in qemuDomainDetachDeviceLive (rhbz#1658198)
qemu_hotplug: dont shutdown net device until the guest has released it (rhbz#1658198)
qemu_hotplug: delay sending DEVICE_REMOVED event until after all teardown (rhbz#1658198)
conf: Expose virDomainSCSIDriveAddressIsUsed (rhbz#1692296)
qemuhotplugtest: Dont plug a SCSI disk at unit 7 (rhbz#1692296)
qemu_hotplug: Check for duplicate drive addresses (rhbz#1692296)
qemu: Rework setting process affinity (rhbz#1695434)
qemu: Set up EMULATOR thread and cpuset.mems before exec()-ing qemu (rhbz#1695434)
[4.5.0-12]
src: Document autostart for session demon (rhbz#1501450)
nwfilter: Add extra verbiage for binding create/delete (rhbz#1609454)
qemu: Remove duplicated qemuAgentCheckError (rhbz#1663051, CVE-2019-3840)
qemu: require reply from guest agent in qemuAgentGetInterfaces (rhbz#1663051, CVE-2019-3840)
virsh: Add missed fields to pool-define-as item entry (rhbz#1615680)
qemu: Add entry for balloon stat stat-disk-caches (rhbz#1690122)
qemu: Set identity for the reconnect all thread (rhbz#1631622)
docs: schemas: Fix missing timestamp inside backingStore (rhbz#1594266)
storage: Remove secretPath from _virStorageBackendQemuImgInfo (rhbz#1613737)
storage: Allow for inputvol to have any format for encryption (rhbz#1613737)
storage: Allow inputvol to be encrypted (rhbz#1613737)
virsh: man: Document quirks of device-detach and friends (rhbz#1688961)
virsh: man: Document asynchronous behaviour of detach-device-alias (rhbz#1688961)
access: Modify the VIR_ERR_ACCESS_DENIED to include driverName (rhbz#1631606)
qemu: Put format=raw onto cmd line for SCSI passthrough (rhbz#1632833)
virnwfilterbindingobj: Introduce and use virNWFilterBindingObjStealDef (rhbz#1686927)
logging: ensure pending I/O is drained before reading position (rhbz#1660531)
conf: Fix check for chardev source path (rhbz#1609720)
util: skip RDMA detection for non-PCI network devices (rhbz#1639258)
qemu: Set job statsType for external memory snapshot (rhbz#1690703)
virsh: Strip XML declaration when extracting CPU XMLs (rhbz#1592737)
virsh: Require explicit --domain for domxml-to-native (rhbz#1633077)
[4.5.0-11]
security: dac: also label listen UNIX sockets (rhbz#1633389)
qemu: fix up permissions for pre-created UNIX sockets (rhbz#1633389)
virFileIsSharedFSType: Check for fuse.glusterfs too (rhbz#1632711)
virfile: fix cast-align error (rhbz#1632711)
virfiletest: Fix test name prefix for virFileInData test (rhbz#1632711)
virfiletst: Test virFileIsSharedFS (rhbz#1632711)
virFileIsSharedFSType: Detect direct mount points (rhbz#1632711)
virfile: Rework virFileIsSharedFixFUSE (rhbz#1632711)
virfile: Take symlink into account in virFileIsSharedFixFUSE (rhbz#1640465)
qemu: Properly report VIR_DOMAIN_EVENT_RESUMED_FROM_SNAPSHOT (rhbz#1612943)
qemu: Report more appropriate running reasons (rhbz#1612943)
qemu: Pass running reason to RESUME event handler (rhbz#1612943)
qemu: Map running reason to resume event detail (rhbz#1612943)
qemu: Avoid duplicate resume events and state changes (rhbz#1612943)
qemu: Dont ignore resume events (rhbz#1612943)
qemu: Fix post-copy migration on the source (rhbz#1647365)
RHEL: cpu_map: Mark arch-facilities feature as non-migratable (rhbz#1658406)
virfile: Detect ceph as shared FS (rhbz#1665553)
util: Dont overflow in virRandomBits (rhbz#1652894)
virrandom: Avoid undefined behaviour in virRandomBits (rhbz#1652894)
RHEL: spec: Require new enough librbd1 (rhbz#1658652)
cputest: Add data for Intel® Xeon® CPU E5-2630 v4 (rhbz#1558558)
cputest: Add data for Intel® Core™ i7-7600U (rhbz#1558558)
cputest: Add data for Intel® Xeon® CPU E7540 (rhbz#1558558)
cputest: Add data for Intel® Xeon® CPU E5-2650 (rhbz#1558558)
cputest: Add data for Intel® Core™ i7-8700 (rhbz#1558558)
cpu_x86: Separate signature parsing from x86ModelParse (rhbz#1558558)
cpu_x86: Add x86ModelCopySignatures helper (rhbz#1558558)
cpu_x86: Store CPU signature in an array (rhbz#1558558)
cpu_x86: Allow multiple signatures for a CPU model (rhbz#1558558)
cpu_map: Add hex representation of signatures (rhbz#1558558)
cpu_map: Add more signatures for Conroe CPU model (rhbz#1558558)
cpu_map: Add more signatures for Penryn CPU model (rhbz#1558558)
cpu_map: Add more signatures for Nehalem CPU models (rhbz#1558558)
cpu_map: Add more signatures for Westmere CPU model (rhbz#1558558)
cpu_map: Add more signatures for SandyBridge CPU models (rhbz#1558558)
cpu_map: Add more signatures for IvyBridge CPU models (rhbz#1558558)
cpu_map: Add more signatures for Haswell CPU models (rhbz#1558558)
cpu_map: Add more signatures for Broadwell CPU models (rhbz#1558558)
cpu_map: Add more signatures for Skylake-Client CPU models (rhbz#1558558)
cpu: Dont access invalid memory in virCPUx86Translate (rhbz#1558558)
cpu_x86: Log decoded CPU model and signatures (rhbz#1558558)
util: Modify virStorageFileGetSCSIKey return (rhbz#1657468)
storage: Rework virStorageBackendSCSISerial (rhbz#1657468)
util: Introduce virStorageFileGetNPIVKey (rhbz#1657468)
storage: Fetch a unique key for vHBA/NPIV LUNs (rhbz#1657468)
RHEL: qemu: Alter @val usage in qemuSetUnprivSGIO (rhbz#1656360)
RHEL: qemu: Alter qemuSetUnprivSGIO hostdev shareable logic (rhbz#1656360)
qemu: Filter non SCSI hostdevs in qemuHostdevPrepareSCSIDevices (rhbz#1665474)
qemu: Fix logic error in qemuSetUnprivSGIO (rhbz#1669581)
qemu: Fix crash trying to use iSCSI hostdev (rhbz#1669586)

OSVersionArchitecturePackageVersionFilename
oracle linux7srclibvirt< 4.5.0-23.el7libvirt-4.5.0-23.el7.src.rpm
oracle linux7x86_64libvirt< 4.5.0-23.el7libvirt-4.5.0-23.el7.x86_64.rpm
oracle linux7x86_64libvirt-admin< 4.5.0-23.el7libvirt-admin-4.5.0-23.el7.x86_64.rpm
oracle linux7x86_64libvirt-bash-completion< 4.5.0-23.el7libvirt-bash-completion-4.5.0-23.el7.x86_64.rpm
oracle linux7i686libvirt-client< 4.5.0-23.el7libvirt-client-4.5.0-23.el7.i686.rpm
oracle linux7x86_64libvirt-client< 4.5.0-23.el7libvirt-client-4.5.0-23.el7.x86_64.rpm
oracle linux7x86_64libvirt-daemon< 4.5.0-23.el7libvirt-daemon-4.5.0-23.el7.x86_64.rpm
oracle linux7x86_64libvirt-daemon-config-network< 4.5.0-23.el7libvirt-daemon-config-network-4.5.0-23.el7.x86_64.rpm
oracle linux7x86_64libvirt-daemon-config-nwfilter< 4.5.0-23.el7libvirt-daemon-config-nwfilter-4.5.0-23.el7.x86_64.rpm
oracle linux7x86_64libvirt-daemon-driver-interface< 4.5.0-23.el7libvirt-daemon-driver-interface-4.5.0-23.el7.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
oracle linux	7	src	libvirt	< 4.5.0-23.el7	libvirt-4.5.0-23.el7.src.rpm
oracle linux	7	x86_64	libvirt	< 4.5.0-23.el7	libvirt-4.5.0-23.el7.x86_64.rpm
oracle linux	7	x86_64	libvirt-admin	< 4.5.0-23.el7	libvirt-admin-4.5.0-23.el7.x86_64.rpm
oracle linux	7	x86_64	libvirt-bash-completion	< 4.5.0-23.el7	libvirt-bash-completion-4.5.0-23.el7.x86_64.rpm
oracle linux	7	i686	libvirt-client	< 4.5.0-23.el7	libvirt-client-4.5.0-23.el7.i686.rpm
oracle linux	7	x86_64	libvirt-client	< 4.5.0-23.el7	libvirt-client-4.5.0-23.el7.x86_64.rpm
oracle linux	7	x86_64	libvirt-daemon	< 4.5.0-23.el7	libvirt-daemon-4.5.0-23.el7.x86_64.rpm
oracle linux	7	x86_64	libvirt-daemon-config-network	< 4.5.0-23.el7	libvirt-daemon-config-network-4.5.0-23.el7.x86_64.rpm
oracle linux	7	x86_64	libvirt-daemon-config-nwfilter	< 4.5.0-23.el7	libvirt-daemon-config-nwfilter-4.5.0-23.el7.x86_64.rpm
oracle linux	7	x86_64	libvirt-daemon-driver-interface	< 4.5.0-23.el7	libvirt-daemon-driver-interface-4.5.0-23.el7.x86_64.rpm