GNU bug report logs - #36634
Virtual Machine Manager (virt-manager)

Package: guix

Reported by: Raghav Gururajan <rvgn <at> disroot.org>

Date: Sat, 13 Jul 2019 05:08:02 UTC

Severity: important

Done: Brice Waegeneire <brice <at> waegenei.re>

Bug is archived. No further changes may be made.

Message #53 received at 36634 <at> debbugs.gnu.org (full text, mbox):

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: Christopher Baines <mail <at> cbaines.net>, 36634 <at> debbugs.gnu.org,
 Chris Marusich <cmmarusich <at> gmail.com>
Subject: Re: bug#36634: Virtual Machine Manager (virt-manager)
Date: Mon, 23 Sep 2019 06:30:14 +0200
Chrisen,

Chris Marusich writes:
> In the meantime, should we revert to version 5.4.0 in Guix?  I'm not
> sure if there are any security vulnerabilities between 5.4.0 and the
> most recent release, but this bug is currently preventing me from
> creating any VMs at all in Guix using virt-manager, which is pretty bad.

Yes! (which is why I originally updated this package):

 v5.5.0 (2019-07-02)
   Security
       api: Prevent access to several APIs over read-only connections
           Certain APIs give root-equivalent access to the host, and as
           such should be limited to privileged users. CVE-2019-10161,
           CVE-2019-10166, CVE-2019-10167, CVE-2019-10168.

 - https://libvirt.org/news.html

It might be easy to backport.  I didn't try, and I no longer use 
libvirt myself.

What's weird (maybe; I haven't kept up with the thread) is that I 
used libvirt 5.5.0 (and yes, it was 5.5.0) for a while without 
problems.  I don't remember whether I created any *new* VMs, 
though.

Kind regards,

T G-R

This bug report was last modified 5 years and 55 days ago.
