[PATCH 2/3] NEWS: Mention security bug in storage pool object lookup (CVE-2021-3667)

Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
---
 NEWS.rst | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/NEWS.rst b/NEWS.rst
index 37f3c48d88..d791b34efb 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -11,6 +11,15 @@ For a more fine-grained view, use the `git log`_.
 v7.6.0 (unreleased)
 ===================

+* **Security**
+
+  * storage: Unlock pool objects on ACL check failures in ``storagePoolLookupByTargetPath`` (CVE-2021-3667)
+
+    A logic bug in ``storagePoolLookupByTargetPath`` where the storage pool
+    object was left locked after a failure of the ACL check could potentially
+    deprive legitimate users access to a storage pool object by users who don't
+    have access.
+
 * **New features**

   * qemu: Incremental backup support via ``virDomainBackupBegin``
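Review bot: The description paragraph's closing clause, "could potentially deprive legitimate users access to a storage pool object by users who don't have access", is hard to parse: "deprive ... access" is missing "of", and the trailing "by users who don't have access" reads as if it modifies the pool object rather than naming who triggers the bug. Suggest stating the actor and impact directly, for example "could allow users without access to a storage pool object to deny legitimate users access to it", so readers scanning the Security section see at once that this is a denial-of-service issue. As a style point, the bullet title line with ``storagePoolLookupByTargetPath`` and the CVE id runs well past the column at which the paragraph below it is wrapped; consider wrapping it with the same indentation.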
-- 
2.31.1



