| Description: | The libvirt library is a C API for managing and interacting with thevirtualization capabilities of Linux and other operating systems.In addition, libvirt provides tools for remote management ofvirtualized systems.An out-of-bounds read flaw was found in the way libvirt'sqemuDomainGetBlockIoTune() function looked up the disk index in anon-persistent (live) disk configuration while a persistent diskconfiguration was being indexed. A remote attacker able to establish aread-only connection to libvirtd could use this flaw to crash libvirtd or,potentially, leak memory from the libvirtd process. (CVE-2014-3633)A denial of service flaw was found in the way libvirt'svirConnectListAllDomains() function computed the number of used domains.A remote attacker able to establish a read-only connection to libvirtdcould use this flaw to make any domain operations within libvirtunresponsive. (CVE-2014-3657)It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, theQEMU driver implementation of the virDomainGetXMLDesc() function couldbypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remoteattacker able to establish a read-only connection to libvirtd could usethis flaw to leak certain limited information from the domain XML data.(CVE-2014-7823)The CVE-2014-3633 issue was discovered by Luyao Huang of Red Hat.This update also fixes the following bug:When dumping migratable XML configuration of a domain, libvirt removes someautomatically added devices for compatibility with older libvirt releases.If such XML is passed to libvirt as a domain XML that should be used duringmigration, libvirt checks this XML for compatibility with the internallystored configuration of the domain. However, prior to this update, thesechecks failed because of devices that were missing (the same deviceslibvirt removed). As a consequence, migration with user-supplied migratableXML failed. Since this feature is used by OpenStack, migrating QEMU/KVMdomains with OpenStack always failed. With this update, before checkingdomain configurations for compatibility, libvirt transforms bothuser-supplied and internal configuration into a migratable form(automatically added devices are removed) and checks those instead. Thus,no matter whether the user-supplied configuration was generated asmigratable or not, libvirt does not err about missing devices, andmigration succeeds as expected. (BZ#1155564)All libvirt users are advised to upgrade to these updated packages, whichcontain backported patches to correct these issues. After installing theupdated packages, libvirtd will be restarted automatically. |