-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4469-1 security@xxxxxxxxxx https://www.debian.org/security/ Salvatore Bonaccorso June 22, 2019 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : libvirt CVE ID : CVE-2019-10161 CVE-2019-10167 Two vulnerabilities were discovered in Libvirt, a virtualisation abstraction library, allowing an API client with read-only permissions to execute arbitrary commands via the virConnectGetDomainCapabilities API, or read or execute arbitrary files via the virDomainSaveImageGetXMLDesc API. Additionally the libvirt's cpu map was updated to make addressing CVE-2018-3639, CVE-2017-5753, CVE-2017-5715, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091 easier by supporting the md-clear, ssbd, spec-ctrl and ibpb CPU features when picking CPU models without having to fall back to host-passthrough. For the stable distribution (stretch), these problems have been fixed in version 3.0.0-4+deb9u4. We recommend that you upgrade your libvirt packages. For the detailed security status of libvirt please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libvirt Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl0OXUhfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0SDEw//TQJ0CQdeuADmjoGfnEyOPSf4hfcWFCZyF1H+oEgQ35MTIaxtHf/JgE32 BxeE6ZytyzpO3kGgptc5kNEThJ1oJJ5ClCSY75S/75pIQP5PlNSSvqKHDv6gX0zv 2FTV2T/KY1jXmpOe5jkH8RJSh3PIz37+mZgi/KqfaBNhcbO9JuIQreYxQl5woHk6 flK+g0s6sq5xPXzH+p88xMLgQAZ3LivTqsKDTy9anNQlHbJCw1TfWEBOL9BPpctU ABXu2QanPTTQe5weCHBG+BwskUeqVS7WjQsgCtnKsaVA6MLf9KfSv/3CjwRmUetw yGFXncfgnOmwx3QRBNlpw1zUqxpee9uU5dWOw8AsfJDUu13MHXchjUAzxiGKbFnS w8S3i1hcD4x92/FwMSxu9T18QCXDbTSFDyPx7sIMY+0IlbhA5a4UsH5FdinCJNE3 Y8MOBJymywAhpD2aD5LytJZKJrPcLjTgbeF9PNLg09pzHPp80SNArOJEbRBaa/1R kEk4R5ptHgOh79axYgDWgMoqw3rlVIAL8nh+7511k0BC1hPUvijUpbWrLRTbWMTT TCq9CZPelblbGO9etSMPHVNDOy20+Go1ad6G7lkHgmooKZFyCnNZzk7o0RBJC8on DjZ7rK+vLNH9TzYCHWdLd9eJs73emvrOalgq3Nwvb/OasobJwPQ= =MlBA -----END PGP SIGNATURE-----