
Mageia alert MGASA-2014-0401 (libvirt)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2014-0401: Updated libvirt packages fix security vulnerabilities
Date:  Tue, 7 Oct 2014 11:23:16 +0200
Message-ID:  <20141007092316.1FA365CA4D@valstar.mageia.org>

MGASA-2014-0401 - Updated libvirt packages fix security vulnerabilities

Publication date: 07 Oct 2014
URL: http://advisories.mageia.org/MGASA-2014-0401.html
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-3633, CVE-2014-3657

Description:
Updated libvirt packages fix security vulnerabilities:

An out-of-bounds read flaw was found in the way libvirt's
qemuDomainGetBlockIoTune() function looked up the disk index in a
non-persistent (live) disk configuration while a persistent disk
configuration was being indexed. A remote attacker able to establish a
read-only connection to libvirtd could use this flaw to crash libvirtd or,
potentially, leak memory from the libvirtd process (CVE-2014-3633).

A denial of service flaw was found in the way libvirt's
virConnectListAllDomains() function computed the number of used domains.
A remote attacker able to establish a read-only connection to libvirtd
could use this flaw to make any domain operations within libvirt
unresponsive (CVE-2014-3657).

References:
- https://bugs.mageia.org/show_bug.cgi?id=14192
- https://www.redhat.com/archives/libvir-list/2014-Septembe...
- https://rhn.redhat.com/errata/RHSA-2014-1352.html
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3633
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3657

SRPMS:
- 4/core/libvirt-1.2.1-1.2.mga4
- 3/core/libvirt-1.0.2-8.6.mga3

