Oracle Linux Local Security Checks : Oracle: Security Advisory (ELSA-2013-0276)

Vulnerability Search		Search 324607 CVE descriptions and 146377 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.123692

Category: Oracle Linux Local Security Checks

Title: Oracle: Security Advisory (ELSA-2013-0276)

Summary: The remote host is missing an update for the 'libvirt' package(s) announced via the ELSA-2013-0276 advisory.

Description: Summary:
The remote host is missing an update for the 'libvirt' package(s) announced via the ELSA-2013-0276 advisory.

Vulnerability Insight:
[libvirt-0.10.2-18.0.1.el6]
- Replace docs/et.png in tarball with blank image

[0.10.2-18]
- rpc: Fix crash on error paths of message dispatching (CVE-2013-0170)
- spec: Disable libssh2 support (rhbz#513363)

[0.10.2-17]
- storage: Fix lvcreate parameter for backingStore. (rhbz#896398)
- qemu: Don't return success if creation of snapshot save file fails (rhbz#896403)
- qemu: Reject attempts to create snapshots with names containing '/' (rhbz#896403)

[0.10.2-16]
- qemu_agent: Remove agent reference only when disposing it (rhbz#892079)
- Add RESUME event listener to qemu monitor. (rhbz#894085)

[0.10.2-15]
- snapshot: conf: Make virDomainSnapshotIsExternal more reusable (rhbz#889407)
- snapshot: qemu: Separate logic blocks with newlines (rhbz#889407)
- snapshot: qemu: Fix segfault and vanishing snapshots when redefining (rhbz#889407)
- snapshot: qemu: Allow redefinition of external snapshots (rhbz#889407)
- util: Prepare helpers for unpriv_sgio setting (rhbz#878578)
- qemu: Add a hash table for the shared disks (rhbz#878578)
- docs: Add docs and rng schema for new XML tag sgio (rhbz#878578)
- conf: Parse and format the new XML (rhbz#878578)
- qemu: Set unpriv_sgio when starting domain and attaching disk (rhbz#878578)
- qemu: Check if the shared disk's cdbfilter conflicts with others (rhbz#878578)
- qemu: Relax hard RSS limit (rhbz#891653)

[0.10.2-14]
- util: Add missing error log messages when failing to get netlink VFINFO (rhbz#889319)
- util: Fix functions that retrieve SRIOV VF info (rhbz#889319)
- util: Fix botched check for new netlink request filters (rhbz#889319)
- blockjob: Fix memleak that prevented block pivot (rhbz#888426)
- sanlock: Chown lease files as well (rhbz#820173)

[0.10.2-13]
- network: Prevent dnsmasq from listening on localhost (rhbz#886821)
- sanlock: Re-add lockspace unconditionally (rhbz#820173)
- Fix 'virsh create' example (rhbz#887187)
- docs: Fix some typos in examples (rhbz#887187)
- network: Don't require private addresses if dnsmasq uses SO_BINDTODEVICE (rhbz#882265)

[0.10.2-12]
- qemu: Eliminate bogus error log when changing netdev's bridge (rhbz#885838)
- remote: Avoid the thread race condition (rhbz#866524)
- storage: Error out earlier if the volume target path already exists (rhbz#832302)
- dnsmasq: Fix parsing of the version number (rhbz#885727)
- qemu: Restart CPUs with valid async job type when doing external snapshots (rhbz#885081)
- examples: Fix balloon event callback (rhbz#884650)
- util: Don't fail virGetGroupIDByName when group not found (rhbz#883832)
- util: Don't fail virGetUserIDByName when user not found (rhbz#883832)
- util: Rework error reporting in virGet(UserGroup)IDByName (rhbz#883832)
- util: Fix warning message in previous patch (rhbz#883832)

[0.10.2-11]
- Fix uninitialized variable in virLXCControllerSetupDevPTS (rhbz#880064)
- storage: Fix device detach regression with cgroup ACLs (rhbz#876828)
- storage: ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'libvirt' package(s) on Oracle Linux 6.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2012-3411
54353
http://www.securityfocus.com/bid/54353
MDVSA-2013:072
http://www.mandriva.com/security/advisories?name=MDVSA-2013:072
RHSA-2013:0276
http://rhn.redhat.com/errata/RHSA-2013-0276.html
RHSA-2013:0277
http://rhn.redhat.com/errata/RHSA-2013-0277.html
RHSA-2013:0579
http://rhn.redhat.com/errata/RHSA-2013-0579.html
[oss-security] 20120712 Re: Re: CVE Request -- dnsmasq: When being run by libvirt open DNS proxy (reachable out-of the virtual network set for the particular guest domain too) is created
http://www.openwall.com/lists/oss-security/2012/07/12/5
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683372
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=commitdiff%3Bh=2f38141f434e23292f84cefc33e8de76fb856147
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=commitdiff%3Bh=54dd393f3938fc0c19088fbd319b95e37d81a2b0
http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
https://bugzilla.redhat.com/show_bug.cgi?id=833033

Copyright Copyright (C) 2015 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.123692
Category:	Oracle Linux Local Security Checks
Title:	Oracle: Security Advisory (ELSA-2013-0276)
Summary:	The remote host is missing an update for the 'libvirt' package(s) announced via the ELSA-2013-0276 advisory.
Description:	Summary: The remote host is missing an update for the 'libvirt' package(s) announced via the ELSA-2013-0276 advisory. Vulnerability Insight: [libvirt-0.10.2-18.0.1.el6] - Replace docs/et.png in tarball with blank image [0.10.2-18] - rpc: Fix crash on error paths of message dispatching (CVE-2013-0170) - spec: Disable libssh2 support (rhbz#513363) [0.10.2-17] - storage: Fix lvcreate parameter for backingStore. (rhbz#896398) - qemu: Don't return success if creation of snapshot save file fails (rhbz#896403) - qemu: Reject attempts to create snapshots with names containing '/' (rhbz#896403) [0.10.2-16] - qemu_agent: Remove agent reference only when disposing it (rhbz#892079) - Add RESUME event listener to qemu monitor. (rhbz#894085) [0.10.2-15] - snapshot: conf: Make virDomainSnapshotIsExternal more reusable (rhbz#889407) - snapshot: qemu: Separate logic blocks with newlines (rhbz#889407) - snapshot: qemu: Fix segfault and vanishing snapshots when redefining (rhbz#889407) - snapshot: qemu: Allow redefinition of external snapshots (rhbz#889407) - util: Prepare helpers for unpriv_sgio setting (rhbz#878578) - qemu: Add a hash table for the shared disks (rhbz#878578) - docs: Add docs and rng schema for new XML tag sgio (rhbz#878578) - conf: Parse and format the new XML (rhbz#878578) - qemu: Set unpriv_sgio when starting domain and attaching disk (rhbz#878578) - qemu: Check if the shared disk's cdbfilter conflicts with others (rhbz#878578) - qemu: Relax hard RSS limit (rhbz#891653) [0.10.2-14] - util: Add missing error log messages when failing to get netlink VFINFO (rhbz#889319) - util: Fix functions that retrieve SRIOV VF info (rhbz#889319) - util: Fix botched check for new netlink request filters (rhbz#889319) - blockjob: Fix memleak that prevented block pivot (rhbz#888426) - sanlock: Chown lease files as well (rhbz#820173) [0.10.2-13] - network: Prevent dnsmasq from listening on localhost (rhbz#886821) - sanlock: Re-add lockspace unconditionally (rhbz#820173) - Fix 'virsh create' example (rhbz#887187) - docs: Fix some typos in examples (rhbz#887187) - network: Don't require private addresses if dnsmasq uses SO_BINDTODEVICE (rhbz#882265) [0.10.2-12] - qemu: Eliminate bogus error log when changing netdev's bridge (rhbz#885838) - remote: Avoid the thread race condition (rhbz#866524) - storage: Error out earlier if the volume target path already exists (rhbz#832302) - dnsmasq: Fix parsing of the version number (rhbz#885727) - qemu: Restart CPUs with valid async job type when doing external snapshots (rhbz#885081) - examples: Fix balloon event callback (rhbz#884650) - util: Don't fail virGetGroupIDByName when group not found (rhbz#883832) - util: Don't fail virGetUserIDByName when user not found (rhbz#883832) - util: Rework error reporting in virGet(UserGroup)IDByName (rhbz#883832) - util: Fix warning message in previous patch (rhbz#883832) [0.10.2-11] - Fix uninitialized variable in virLXCControllerSetupDevPTS (rhbz#880064) - storage: Fix device detach regression with cgroup ACLs (rhbz#876828) - storage: ... [Please see the references for more information on the vulnerabilities] Affected Software/OS: 'libvirt' package(s) on Oracle Linux 6. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2012-3411 54353 http://www.securityfocus.com/bid/54353 MDVSA-2013:072 http://www.mandriva.com/security/advisories?name=MDVSA-2013:072 RHSA-2013:0276 http://rhn.redhat.com/errata/RHSA-2013-0276.html RHSA-2013:0277 http://rhn.redhat.com/errata/RHSA-2013-0277.html RHSA-2013:0579 http://rhn.redhat.com/errata/RHSA-2013-0579.html [oss-security] 20120712 Re: Re: CVE Request -- dnsmasq: When being run by libvirt open DNS proxy (reachable out-of the virtual network set for the particular guest domain too) is created http://www.openwall.com/lists/oss-security/2012/07/12/5 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683372 http://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=commitdiff%3Bh=2f38141f434e23292f84cefc33e8de76fb856147 http://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=commitdiff%3Bh=54dd393f3938fc0c19088fbd319b95e37d81a2b0 http://www.thekelleys.org.uk/dnsmasq/CHANGELOG https://bugzilla.redhat.com/show_bug.cgi?id=833033
Copyright	Copyright (C) 2015 Greenbone AG