Bugzilla – Bug 1138305
VUL-0: CVE-2019-10168: libvirt: api: disallow virConnect*HypervisorCPU on read-only connections
Last modified: 2019-07-20 10:10:51 UTC
via libvirt security, reported by Matthias These APIs can be used to execute arbitrary emulators. Forbid them on read-only connections. Fixes: CVE-2019-10168 Signed-off-by: Ján Tomko <jtomko@redhat.com>
Created attachment 807637 [details] CVE-2019-10168.patch CVE-2019-10168.patch
This bug affects SLE12 SP5, SLE15 SP1, and TW.
CRD: 2019-06-20 12:00UTC
This is an autogenerated message for OBS integration: This bug (1138305) was mentioned in https://build.opensuse.org/request/show/711170 Factory / libvirt
SUSE-SU-2019:1643-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 1138301,1138302,1138303,1138305 CVE References: CVE-2019-10161,CVE-2019-10166,CVE-2019-10167,CVE-2019-10168 Sources used: SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): libvirt-5.1.0-8.6.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): libvirt-5.1.0-8.6.1 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): libvirt-5.1.0-8.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
is public now
I think this one can be closed as well. The fix has been released for SLE15 SP1 and Factory, and I've submitted it for next SLE12 SP5 milestone.
done
openSUSE-SU-2019:1753-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 1138301,1138302,1138303,1138305 CVE References: CVE-2019-10161,CVE-2019-10166,CVE-2019-10167,CVE-2019-10168 Sources used: openSUSE Leap 15.1 (src): libvirt-5.1.0-lp151.7.3.1