2015-12-23
ALT-BU-2015-2819-1
Branch sisyphus update bulletin.
Closed vulnerabilities
Published: 2016-05-25
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2014-3672
The qemu implementation in libvirt before 1.3.0 and Xen allows local guest OS users to cause a denial of service (host disk consumption) by writing to stdout or stderr.
Severity: MEDIUM (6.5)
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
References:
- [oss-security] 20160524 CVE-2014-3672 libvirt: DoS via excessive logging
- [oss-security] 20160524 CVE-2014-3672 libvirt: DoS via excessive logging
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- 1035945
- 1035945
- http://xenbits.xen.org/xsa/advisory-180.html
- http://xenbits.xen.org/xsa/advisory-180.html
- https://libvirt.org/git/?p=libvirt.git%3Ba=commit%3Bh=0d968ad715475a1660779bcdd2c5b38ad63db4cf
- https://libvirt.org/git/?p=libvirt.git%3Ba=commit%3Bh=0d968ad715475a1660779bcdd2c5b38ad63db4cf
- https://libvirt.org/news-2015.html
- https://libvirt.org/news-2015.html
Published: 2016-04-12
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2015-5313
Directory traversal vulnerability in the virStorageBackendFileSystemVolCreate function in storage/storage_backend_fs.c in libvirt, when fine-grained Access Control Lists (ACL) are in effect, allows local users with storage_vol:create ACL but not domain:write permission to write to arbitrary files via a .. (dot dot) in a volume name.
Severity: LOW (2.5)
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
References:
- http://libvirt.org/git/?p=libvirt.git%3Ba=commit%3Bh=034e47c338b13a95cf02106a3af912c1c5f818d7
- http://libvirt.org/git/?p=libvirt.git%3Ba=commit%3Bh=034e47c338b13a95cf02106a3af912c1c5f818d7
- FEDORA-2015-30b347dff1
- FEDORA-2015-30b347dff1
- RHSA-2016:2577
- RHSA-2016:2577
- http://security.libvirt.org/2015/0004.html
- http://security.libvirt.org/2015/0004.html
- 90913
- 90913
- GLSA-201612-10
- GLSA-201612-10
- [libvirt] 20151211 [PATCH] CVE-2015-5313: storage: don't allow '/' in filesystem volume names
- [libvirt] 20151211 [PATCH] CVE-2015-5313: storage: don't allow '/' in filesystem volume names
Closed vulnerabilities
Published: 2015-02-12
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2014-9512
rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path.
Severity: MEDIUM (6.4)
References:
- openSUSE-SU-2015:0249
- openSUSE-SU-2015:0249
- openSUSE-SU-2016:1671
- openSUSE-SU-2016:1671
- openSUSE-SU-2016:1695
- openSUSE-SU-2016:1695
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- 76093
- 76093
- 1034786
- 1034786
- USN-2879-1
- USN-2879-1
- http://xteam.baidu.com/?p=169
- http://xteam.baidu.com/?p=169
- https://bugzilla.samba.org/show_bug.cgi?id=10977
- https://bugzilla.samba.org/show_bug.cgi?id=10977
- GLSA-201605-04
- GLSA-201605-04
- https://support.apple.com/kb/HT211168
- https://support.apple.com/kb/HT211168
- https://support.apple.com/kb/HT211170
- https://support.apple.com/kb/HT211170
- https://support.apple.com/kb/HT211171
- https://support.apple.com/kb/HT211171
- https://support.apple.com/kb/HT211175
- https://support.apple.com/kb/HT211175
- https://support.apple.com/kb/HT211289
- https://support.apple.com/kb/HT211289
Closed bugs
Segmentation fault при запуске через digger /A