Hi Salvatore, On Wed, Feb 07, 2018 at 07:15:50PM +0100, Salvatore Bonaccorso wrote: > Source: libvirt > Version: 4.0.0-1 > Severity: important > Tags: patch security upstream > > Hi Guido, > > the following vulnerability was published for libvirt. > > CVE-2018-6764[0]: > |guest could inject executable code via libnss_dns.so loaded by > |libvirt_lxc before init > > Commit is at [1]. I see the 1ce929603ba8ebc3b0dc4ff39df9619c87723f42 > commit upstream introduced the inclusion of hostname in the initial > log message. But the hostname getting is already present before that > commit, can you pin point which is the arliest version including the > issue?
At least 1.3.1 onward are affected (but I think that's it). Given the little use of libvirt-lxc and the fact that you need apparmor/selinux for a safe container anyway fixing this via a point release will be enough. Cheers, -- Guido
