[Pkg-libvirt-maintainers] Bug#887700: Bug#887700: libvirt: CVE-2018-5748: resource exhaustion via qemuMonitorIORead() method
Guido Günther
agx at sigxcpu.org
Fri Jan 19 08:45:13 UTC 2018
control: -1 found 0.9.12.3-1+deb7u2
Hi Salvatore,
On Fri, Jan 19, 2018 at 09:00:03AM +0100, Salvatore Bonaccorso wrote:
> Source: libvirt
> Version: 1.2.9-9
> Severity: important
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for libvirt.
>
> CVE-2018-5748[0]:
> resource exhaustion via qemuMonitorIORead() method
>
> Further reference in the Red Hat bug [1].
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-5748
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5748
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1528396
>
> Please adjust the affected versions in the BTS as needed, please
> double-check.
Thanks! I wanted to update libvirt in stretch anyway so I'll add it
there. Any reason why you picked 1.2.9-9? AFAIK none of the versions had
resource limits on monitor reads - or did I overlook something?
Cheers,
-- Guido
More information about the Pkg-libvirt-maintainers
mailing list