]> git.ipfire.org Git - thirdparty/libvirt.git/commitdiff
projects / thirdparty / libvirt.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0e6dcc2)
news: Document recent CVE fix
authorMichal Privoznik <mprivozn@redhat.com>
Mon, 27 Jul 2020 07:53:24 +0000 (09:53 +0200)
committerMichal Privoznik <mprivozn@redhat.com>
Mon, 27 Jul 2020 10:35:20 +0000 (12:35 +0200)
Document the fix of leaking /dev/mapper/control to QEMU (fixed in
v6.6.0-rc1-3-g2249455654).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
NEWS.rst patch | blob | blame | history

diff --git a/NEWS.rst b/NEWS.rst
index ff977968c7148a79460656a0e67f806d527af64a..8b53d21b8ab36cbc1ec6e262ea1f271aee14a7cc 100644 (file)
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -33,6 +33,13 @@ v6.6.0 (unreleased)
 
 * **Bug fixes**
 
+  * virdevmapper: Don't use libdevmapper to obtain dependencies
+
+    When building domain's private ``/dev`` in a namespace, libdevmapper was
+    consulted for getting full dependency tree of domain's disks. However, this
+    meant that libdevmapper opened ``/dev/mapper/control`` which wasn't closed
+    and was leaked to QEMU. CVE-2020-14339
+
 
 v6.5.0 (2020-07-03)
 ===================
Mirror of https://github.com/libvirt/libvirt.git