Source: libvirt
Version: 4.0.0-1
Severity: important
Tags: patch security upstream

Hi Guido,

the following vulnerability was published for libvirt.

CVE-2018-6764[0]:
| guest could inject executable code via libnss_dns.so loaded by
| libvirt_lxc before init

Commit is at [1]. I see the 1ce929603ba8ebc3b0dc4ff39df9619c87723f42
commit upstream introduced the inclusion of hostname in the initial log
message. But the hostname getting is already present before that commit.
Can you pinpoint which is the earliest version including the issue?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-6764
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6764
[1] https://libvirt.org/git/?p=libvirt.git;a=commit;h=759b4d1b0fe5f4d84d98b99153dfa7ac289dd167

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore