1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
PublicDateAtUSN: 2014-01-24
Candidate: CVE-2014-0028
PublicDate: 2014-01-24
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0028
http://security.libvirt.org/2014/0002.html
http://www.ubuntu.com/usn/usn-2093-1
Description:
libvirt 1.1.1 through 1.2.0 allows context-dependent attackers to bypass
the domain:getattr and connect:search_domains restrictions in ACLs and
obtain sensitive domain object information via a request to the (1)
virConnectDomainEventRegister and (2) virConnectDomainEventRegisterAny
functions in the event registration API.
Ubuntu-Description:
Notes:
mdeslaur> introduced in 1.1.1
Bugs:
Priority: medium
Discovered-by: Eric Blake
Assigned-to: mdeslaur
Patches_libvirt:
upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=f9f56340539d609cdc2e9d4ab812b9f146c3f100
upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=1d0e4fbf9572ad34045a4f9d87601297a5244c38 (1.1.1)
upstream_libvirt: released (1.2.1)
lucid_libvirt: not-affected
precise_libvirt: not-affected
quantal_libvirt: not-affected
raring_libvirt: ignored (reached end-of-life)
saucy_libvirt: released (1.1.1-0ubuntu8.5)
devel_libvirt: not-affected (1.2.1-0ubuntu2)
|