From: Peter Krempa Date: Tue, 27 Jul 2021 12:36:30 +0000 (+0200) Subject: NEWS: Mention security bug in storage pool object lookup (CVE-2021-3667) X-Git-Tag: v7.6.0-rc2~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f379aabc74b86d5664fe94f060a01300b51a60c0;p=thirdparty%2Flibvirt.git NEWS: Mention security bug in storage pool object lookup (CVE-2021-3667) Signed-off-by: Peter Krempa Reviewed-by: Erik Skultety --- diff --git a/NEWS.rst b/NEWS.rst index 37f3c48d88..d791b34efb 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -11,6 +11,15 @@ For a more fine-grained view, use the `git log`_. v7.6.0 (unreleased) =================== +* **Security** + + * storage: Unlock pool objects on ACL check failures in ``storagePoolLookupByTargetPath`` (CVE-2021-3667) + + A logic bug in ``storagePoolLookupByTargetPath`` where the storage pool + object was left locked after a failure of the ACL check could potentially + deprive legitimate users access to a storage pool object by users who don't + have access. + * **New features** * qemu: Incremental backup support via ``virDomainBackupBegin``
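Review bot: the description paragraph of the new CVE-2021-3667 entry in NEWS.rst is hard to parse. "deprive legitimate users access" is missing "of", and the trailing "by users who don't have access" is detached from the verb it belongs to, so who causes the problem and who suffers it only becomes clear on a second read. Consider putting the actor first, for example: "A logic bug in ``storagePoolLookupByTargetPath`` left the storage pool object locked after a failed ACL check, which could allow users without access to a storage pool object to deny legitimate users access to it." The entry also does not say which releases contain the bug, and a reader deciding whether to upgrade or backport needs that. If the range is known, add it to the paragraph.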