Debian Package Tracker

libvirt

general
  • source: libvirt (main)
  • version: 8.3.0-1
  • maintainer: Debian Libvirt Maintainers
  • uploaders: Guido Günther, Andrea Bolognani
  • arch: all any
  • std-ver: 4.6.0
  • VCS: Git
versions (more versions can be listed by madison; old versions available from snapshot.debian.org)
  • o-o-stable: 3.0.0-4+deb9u4
  • o-o-sec: 3.0.0-4+deb9u5
  • oldstable: 5.0.0-4+deb10u1
  • stable: 7.0.0-3
  • stable-bpo: 8.0.0-1~bpo11+1
  • testing: 8.3.0-1
  • unstable: 8.3.0-1
binaries
  • libnss-libvirt (1 bugs: 0, 1, 0, 0)
  • libvirt-clients (12 bugs: 0, 8, 4, 0)
  • libvirt-daemon (49 bugs: 0, 41, 8, 0)
  • libvirt-daemon-config-network
  • libvirt-daemon-config-nwfilter
  • libvirt-daemon-driver-lxc
  • libvirt-daemon-driver-qemu (1 bugs: 0, 1, 0, 0)
  • libvirt-daemon-driver-storage-gluster
  • libvirt-daemon-driver-storage-iscsi-direct (1 bugs: 0, 1, 0, 0)
  • libvirt-daemon-driver-storage-rbd
  • libvirt-daemon-driver-storage-zfs
  • libvirt-daemon-driver-vbox
  • libvirt-daemon-driver-xen
  • libvirt-daemon-system (34 bugs: 0, 26, 8, 0)
  • libvirt-daemon-system-systemd
  • libvirt-daemon-system-sysv
  • libvirt-dev
  • libvirt-doc
  • libvirt-login-shell
  • libvirt-sanlock
  • libvirt-wireshark
  • libvirt0 (13 bugs: 0, 13, 0, 0)
action needed
A new upstream version is available: 8.4.0~rc1 [high]
A new upstream version 8.4.0~rc1 is available, you should consider packaging it.
Created: 2022-05-28 Last update: 2022-05-28 09:02
lintian reports 4 errors and 21 warnings [high]
Lintian reports 4 errors and 21 warnings about this package. You should make the package lintian-clean by getting rid of them.
Created: 2021-09-06 Last update: 2022-01-01 04:33
10 bugs tagged patch in the BTS [normal]
The BTS contains patches fixing 10 bugs, consider including or untagging them.
Created: 2021-08-14 Last update: 2022-05-28 13:31
Does not build reproducibly during testing [normal]
A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!
Created: 2019-11-17 Last update: 2022-05-28 09:03
Build log checks report 1 warning [low]
Created: 2022-05-23 Last update: 2022-05-23 01:05
9 low-priority security issues in buster [low]

There are 9 open security issues in buster.

9 issues left for the package maintainer to handle:
  • CVE-2021-3631: (needs triaging) A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out of sVirt confinement. The highest threat from this vulnerability is to confidentiality and integrity.
  • CVE-2021-3667: (needs triaging) An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
  • CVE-2021-3975: (needs triaging)
  • CVE-2021-4147: (needs triaging) A flaw was found in the libvirt libxl driver. A malicious guest could continuously reboot itself and cause libvirtd on the host to deadlock or crash, resulting in a denial of service condition.
  • CVE-2022-0897: (needs triaging) A flaw was found in the libvirt nwfilter driver. The virNWFilterObjListNumOfNWFilters method failed to acquire the `driver->nwfilters` mutex before iterating over virNWFilterObj instances. There was no protection to stop another thread from concurrently modifying the `driver->nwfilters` object. This flaw allows a malicious, unprivileged user to exploit this issue via libvirt’s API virConnectNumOfNWFilters to crash the network filter management daemon (libvirtd/virtnwfilterd).
  • CVE-2019-20485: (needs triaging) qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a monitor job during a query to a guest agent, which allows attackers to cause a denial of service (API blockage).
  • CVE-2020-10703: (needs triaging) A NULL pointer dereference was found in the libvirt API responsible for fetching a storage pool based on its target path; the flaw was introduced in upstream version 3.10.0 and fixed in libvirt 6.0.0. In more detail, this flaw affects storage pools created without a target path such as network-based pools like gluster and RBD. Unprivileged users with a read-only connection could abuse this flaw to crash the libvirt daemon, resulting in a potential denial of service.
  • CVE-2020-12430: (needs triaging) An issue was discovered in qemuDomainGetStatsIOThread in qemu/qemu_driver.c in libvirt 4.10.0 through 6.x before 6.1.0. A memory leak was found in the virDomainListGetStats libvirt API that is responsible for retrieving domain statistics when managing QEMU guests. This flaw allows unprivileged users with a read-only connection to cause a memory leak in the domstats command, resulting in a potential denial of service.
  • CVE-2020-25637: (needs triaging) A double free memory issue was found to occur in the libvirt API, in versions before 6.8.0, responsible for requesting information about network interfaces of a running QEMU domain. This flaw affects the polkit access control driver. Specifically, clients connecting to the read-write socket with limited ACL permissions could use this flaw to crash the libvirt daemon, resulting in a denial of service, or potentially escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2022-05-22 07:30
5 low-priority security issues in bullseye [low]

There are 5 open security issues in bullseye.

5 issues left for the package maintainer to handle:
  • CVE-2021-3631: (needs triaging) A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out of sVirt confinement. The highest threat from this vulnerability is to confidentiality and integrity.
  • CVE-2021-3667: (needs triaging) An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
  • CVE-2021-3975: (needs triaging)
  • CVE-2021-4147: (needs triaging) A flaw was found in the libvirt libxl driver. A malicious guest could continuously reboot itself and cause libvirtd on the host to deadlock or crash, resulting in a denial of service condition.
  • CVE-2022-0897: (needs triaging) A flaw was found in the libvirt nwfilter driver. The virNWFilterObjListNumOfNWFilters method failed to acquire the `driver->nwfilters` mutex before iterating over virNWFilterObj instances. There was no protection to stop another thread from concurrently modifying the `driver->nwfilters` object. This flaw allows a malicious, unprivileged user to exploit this issue via libvirt’s API virConnectNumOfNWFilters to crash the network filter management daemon (libvirtd/virtnwfilterd).

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-08-14 Last update: 2022-05-22 07:30
Standards version of the package is outdated. [wishlist]
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.6.1 instead of 4.6.0).
Created: 2022-05-11 Last update: 2022-05-20 19:41
news
  • [2022-05-22] libvirt 8.3.0-1 MIGRATED to testing (Debian testing watch)
  • [2022-05-20] Accepted libvirt 8.3.0-1 (source) into unstable (Andrea Bolognani)
  • [2022-04-25] libvirt 8.2.0-1 MIGRATED to testing (Debian testing watch)
  • [2022-04-20] Accepted libvirt 8.2.0-1 (source) into unstable (Andrea Bolognani)
  • [2022-04-20] libvirt 8.1.0-2 MIGRATED to testing (Debian testing watch)
  • [2022-03-19] Accepted libvirt 8.1.0-2 (source) into unstable (Andrea Bolognani)
  • [2022-03-16] Accepted libvirt 8.1.0-1 (source) into experimental (Andrea Bolognani)
  • [2022-02-01] Accepted libvirt 8.0.0-1~bpo11+1 (source amd64 all) into bullseye-backports, bullseye-backports (Debian FTP Masters) (signed by: Michael Tokarev)
  • [2022-01-25] libvirt 8.0.0-1 MIGRATED to testing (Debian testing watch)
  • [2022-01-22] Accepted libvirt 8.0.0-1 (source) into unstable (Andrea Bolognani)
  • [2022-01-14] libvirt 7.10.0-3 MIGRATED to testing (Debian testing watch)
  • [2022-01-09] Accepted libvirt 7.10.0-3 (source) into unstable (Andrea Bolognani)
  • [2021-12-29] Accepted libvirt 7.10.0-2 (source) into unstable (Andrea Bolognani)
  • [2021-12-11] libvirt 7.10.0-1 MIGRATED to testing (Debian testing watch)
  • [2021-12-09] Accepted libvirt 7.10.0-1 (source) into unstable (Andrea Bolognani)
  • [2021-12-09] libvirt 7.9.0-1 MIGRATED to testing (Debian testing watch)
  • [2021-12-06] Accepted libvirt 7.9.0-1 (source) into unstable (Andrea Bolognani)
  • [2021-08-28] libvirt 7.6.0-1 MIGRATED to testing (Debian testing watch)
  • [2021-08-20] Accepted libvirt 7.6.0-1 (source) into unstable (Andrea Bolognani)
  • [2021-03-09] libvirt 7.0.0-3 MIGRATED to testing (Debian testing watch)
  • [2021-02-26] Accepted libvirt 7.0.0-3 (source) into unstable (Andrea Bolognani)
  • [2021-02-21] libvirt 7.0.0-2 MIGRATED to testing (Debian testing watch)
  • [2021-02-10] Accepted libvirt 7.0.0-2 (source) into unstable (Andrea Bolognani)
  • [2021-02-01] libvirt 7.0.0-1 MIGRATED to testing (Debian testing watch)
  • [2021-01-28] Accepted libvirt 7.0.0-1 (source) into unstable (Andrea Bolognani)
  • [2021-01-25] libvirt 6.9.0-4 MIGRATED to testing (Debian testing watch)
  • [2021-01-22] Accepted libvirt 6.9.0-4 (source) into unstable (Andrea Bolognani)
  • [2021-01-20] Accepted libvirt 6.9.0-3 (source) into unstable (Andrea Bolognani)
  • [2021-01-18] Accepted libvirt 6.9.0-2 (source amd64 all) into experimental, experimental (Debian FTP Masters) (signed by: Guido Günther)
  • [2020-11-18] libvirt 6.9.0-1 MIGRATED to testing (Debian testing watch)
bugs
  • all: 189 192
  • RC: 0
  • I&N: 139 142
  • M&W: 49
  • F&P: 1
  • patch: 10
ubuntu
  • version: 8.0.0-1ubuntu8
  • 121 bugs (4 patches)
  • patches for 8.0.0-1ubuntu8