File _patchinfo of Package patchinfo.11425
<patchinfo incident="11425">
<issue tracker="bnc" id="1138301">VUL-0: EMBARGOED: CVE-2019-10161: libvirt: api: disallow virDomainSaveImageGetXMLDesc on read-only connections</issue>
<issue tracker="bnc" id="1138303">VUL-0: EMBARGOED: CVE-2019-10167: libvirt: api: disallow virConnectGetDomainCapabilities on read-only connections</issue>
<issue tracker="bnc" id="1138302">VUL-0: EMBARGOED: CVE-2019-10166: libvirt: api: disallow virDomainManagedSaveDefineXML on read-only connections</issue>
<issue tracker="bnc" id="1136109">libvirt should require systemd-container</issue>
<issue tracker="cve" id="2019-10161"/>
<issue tracker="cve" id="2019-10167"/>
<issue tracker="cve" id="2019-10166"/>
<category>security</category>
<rating>important</rating>
<packager>jfehlig</packager>
<description>This update for libvirt fixes the following issues:

Security issues fixed:

- CVE-2019-10161: Fixed the virDomainSaveImageGetXMLDesc API, which could accept a path
  parameter pointing anywhere on the system, potentially leading to execution
  of a malicious file with root privileges by libvirtd (bsc#1138301).
- CVE-2019-10166: Fixed an issue with virDomainManagedSaveDefineXML which could have
  been used to alter the domain's config used for managedsave or execute arbitrary
  emulator binaries (bsc#1138302).
- CVE-2019-10167: Fixed an issue with the virConnectGetDomainCapabilities API which
  could have been used to execute arbitrary emulators (bsc#1138303).

Other issue addressed:

- spec: add systemd-container dependency to qemu and lxc drivers (bsc#1136109).
</description>
<summary>Security update for libvirt</summary>
</patchinfo>