Ubuntu Security Notice USN-3576-1
20th February, 2018
libvirt vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Several security issues were fixed in libvirt.
Software description
- libvirt - Libvirt virtualization toolkit
Vivian Zhang and Christoph Anton Mitterer discovered that libvirt
incorrectly disabled password authentication when the VNC password was set
to an empty string. A remote attacker could possibly use this issue to
bypass authentication, contrary to expectations. This issue only affected
Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5008)
Daniel P. Berrange discovered that libvirt incorrectly handled validating
SSL/TLS certificates. A remote attacker could possibly use this issue to
obtain sensitive information. This issue only affected Ubuntu 17.10.
(CVE-2017-1000256)
Daniel P. Berrange and Peter Krempa discovered that libvirt incorrectly
handled large QEMU replies. An attacker could possibly use this issue to
cause libvirt to crash, resulting in a denial of service. (CVE-2018-5748)
Pedro Sampaio discovered that libvirt incorrectly handled the libnss_dns.so
module. An attacker in a libvirt_lxc session could possibly use this issue
to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and
Ubuntu 17.10. (CVE-2018-6764)
Update instructions
The problem can be corrected by updating your system to the following package version:
Ubuntu 17.10:
libvirt0 3.6.0-1ubuntu6.3
libvirt-bin 3.6.0-1ubuntu6.3
Ubuntu 16.04 LTS:
libvirt0 1.3.1-1ubuntu10.19
libvirt-bin 1.3.1-1ubuntu10.19
Ubuntu 14.04 LTS:
libvirt0 1.2.2-0ubuntu13.1.26
libvirt-bin 1.2.2-0ubuntu13.1.26
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make
all the necessary changes.
References
CVE-2016-5008, CVE-2017-1000256, CVE-2018-5748, CVE-2018-6764