Your message dated Mon, 04 Mar 2013 18:02:42 +0000
with message-id <[email protected]>
and subject line Bug#701649: fixed in libvirt 0.9.12-8
has caused the Debian Bug report #701649,
regarding libvirt-bin - libvirtd changes permissions of devices to 
libvirt-qemu:kvm (CVE-2013-1766)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
701649: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701649
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libvirt-bin
Version: 1.0.2-2
Severity: critical
Tags: security

libvirtd changes the permissions of lvm devices it assigns to guests to
libvirt-qemu:kvm. kvm is a general group and not restricted to libvirt.
This allows other users write access to these devices.

I'm right now unsure if the Wheezy version is affected.

| brw-rw---T 1 libvirt-qemu kvm  254, 11 Feb 25 17:08 /dev/dm-11
| brw-rw---T 1 libvirt-qemu kvm  254, 12 Feb 25 17:50 /dev/dm-12

Bastian

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.7-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---
--- Begin Message ---
Source: libvirt
Source-Version: 0.9.12-8

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <[email protected]> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 04 Mar 2013 16:58:19 +0100
Source: libvirt
Binary: libvirt-bin libvirt0 libvirt0-dbg libvirt-doc libvirt-dev python-libvirt
Architecture: source all i386
Version: 0.9.12-8
Distribution: unstable
Urgency: low
Maintainer: Debian Libvirt Maintainers <[email protected]>
Changed-By: Guido Günther <[email protected]>
Description: 
 libvirt-bin - programs for the libvirt library
 libvirt-dev - development files for the libvirt library
 libvirt-doc - documentation for the libvirt library
 libvirt0   - library for interfacing with different virtualization systems
 libvirt0-dbg - library for interfacing with different virtualization systems
 python-libvirt - libvirt Python bindings
Closes: 701649
Changes: 
 libvirt (0.9.12-8) unstable; urgency=low
 .
   * [181eab1] CVE-2013-1766: Use libvirt-qemu as group to run qemu/kvm
     instances.  This makes sure we don't chown files to groups possibly used
     by other programs. (Closes: #701649)
   * [0ef17cc] Enable systemd services

--- End Message ---
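
An added example, not part of the original report or of the libvirt package: a shell check for the condition described in this thread, block devices owned by libvirt-qemu but group-accessible to a group other than the dedicated libvirt-qemu group. The function names, the input format (as printed by `stat -c '%A %U %G %n'`) and every sample line except the two /dev/dm entries taken from the report are constructed for illustration.

```shell
#!/bin/sh
# Input: one device per line as "MODE OWNER GROUP PATH", e.g. from
#   stat -c '%A %U %G %n' /dev/dm-*
# Output: one line per block device that QEMU_USER owns and that is
# readable or writable by a group other than DEDICATED_GROUP.

QEMU_USER="libvirt-qemu"        # owner shown in the report's listing
DEDICATED_GROUP="libvirt-qemu"  # group named in the 0.9.12-8 changelog entry

flag_shared_group_devices() {
    while read -r mode owner group path; do
        case "$mode" in b*) ;; *) continue ;; esac   # block devices only
        [ "$owner" = "$QEMU_USER" ] || continue
        [ "$group" = "$DEDICATED_GROUP" ] && continue
        # Characters 5-7 of the mode string are the group rwx bits.
        gbits=$(printf '%s' "$mode" | cut -c5-7)
        access=""
        case "$gbits" in r*) access="read" ;; esac
        case "$gbits" in ?w*) access="${access:+$access+}write" ;; esac
        [ -n "$access" ] || continue
        printf '%s group=%s access=%s\n' "$path" "$group" "$access"
    done
}

# Sample input: the first two lines mirror the report's listing,
# the remaining three are constructed.
sample_listing() {
    cat <<'EOF'
brw-rw---T libvirt-qemu kvm /dev/dm-11
brw-rw---T libvirt-qemu kvm /dev/dm-12
brw-rw---T libvirt-qemu libvirt-qemu /dev/dm-13
brw-rw---T root disk /dev/dm-0
crw-rw---- root kvm /dev/kvm
EOF
}

sample_listing | flag_shared_group_devices
```

For each flagged device, `getent group kvm` (or whichever group is reported) lists the accounts that gain access through the shared group.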
