Outdated (vulnerable) libvirt package in MOS 6.0

Bug #1534262 reported by Adam Heczko
Affects              Status        Importance  Assigned to       Milestone
Mirantis OpenStack   Fix Released  High        Denis Meltsaykin  -
5.1.x                Won't Fix     High        Denis Meltsaykin  -
6.1.x                Fix Released  High        Denis Meltsaykin  -
7.0.x                Fix Released  High        MOS Linux         -

Bug Description

Problem description:
It was reported that the libvirt package shipped with MOS 6.0 is outdated.
More recent MOS versions are also affected by the libvirt issue.

Solution proposal:
Merge libvirt security fix from upstream (CentOS, Ubuntu).

Upstream bug reports:
http://www.ubuntu.com/usn/usn-2867-1/
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5313

Related Zendesk ticket:
https://mirantis.zendesk.com/agent/tickets/10039

Changed in mos:
milestone: none → 6.0-mu-8
tags: added: customer-found
Changed in mos:
importance: Undecided → High
assignee: nobody → MOS Maintenance (mos-maintenance)
description: updated
Changed in mos:
status: New → Confirmed
Denis Meltsaykin (dmeltsaykin) wrote :

For 5.1.1 & 6.0 Ubuntu-only we can do the backport from trusty. It has libvirt 1.2.2 with the latest patches. But for CentOS everything is not so easy. We have libvirt 1.2.5, and it looks like it is unsupported everywhere. We'll have to backport some new libvirt from Fedora, but it'll take a lot of time with testing.

Denis Meltsaykin (dmeltsaykin) wrote :
Changed in mos:
status: Confirmed → In Progress
assignee: MOS Maintenance (mos-maintenance) → Denis Meltsaykin (dmeltsaykin)
Changed in mos:
status: In Progress → Fix Committed
information type: Private Security → Public Security
Changed in mos:
status: Fix Committed → Fix Released
tags: added: on-verification
Ekaterina Shutova (eshutova) wrote :

Verified on 6.1 mu5.
CentOS.
Package libvirt-1.2.5-1.mira3.x86_64.rpm uploaded.

tags: removed: on-verification
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to packages/trusty/libvirt (7.0)

Reviewed: https://review.fuel-infra.org/18442
Submitter: Vitaly Sedelnik <email address hidden>
Branch: 7.0

Commit: f30ddbac01360e0df24ab9611edd0bd5c24f6801
Author: Dmitry Teselkin <email address hidden>
Date: Thu Mar 24 13:26:06 2016

USN-2867-1: libvirt vulnerabilities

Fix CVEs mentioned in http://www.ubuntu.com/usn/usn-2867-1/
* CVE-2011-4600 - already applied
* CVE-2014-8136 - already applied
* CVE-2015-0236 - already applied
* CVE-2015-5247 - not affected
* CVE-2015-5313 - apply

Closes-Bug: #1534262

Change-Id: Ia52ae05b0c57a0f7f9f3e08bdaea42793e550731

tags: added: on-verification
Ekaterina Shutova (eshutova) wrote :

Verified on MOS 7.0 + mu3 updates.

tags: removed: on-verification
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to packages/centos6/libvirt (5.1.1-updates)

Fix proposed to branch: 5.1.1-updates
Change author: Denis V. Meltsaykin <email address hidden>
Review: https://review.fuel-infra.org/19432

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to packages/precise/libvirt (5.1.1-updates)

Fix proposed to branch: 5.1.1-updates
Change author: Denis V. Meltsaykin <email address hidden>
Review: https://review.fuel-infra.org/19436

Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on packages/centos6/libvirt (5.1.1-updates)

Change abandoned by Denis V. Meltsaykin <email address hidden> on branch: 5.1.1-updates
Review: https://review.fuel-infra.org/19432

Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on packages/precise/libvirt (5.1.1-updates)

Change abandoned by Denis V. Meltsaykin <email address hidden> on branch: 5.1.1-updates
Review: https://review.fuel-infra.org/19436

This report contains Public Security information.
Everyone can see this security related information.