Hi Guido On Thu, Feb 08, 2018 at 07:28:17PM +0100, Guido Günther wrote: > Hi Salvatore, > On Wed, Feb 07, 2018 at 07:15:50PM +0100, Salvatore Bonaccorso wrote: > > Source: libvirt > > Version: 4.0.0-1 > > Severity: important > > Tags: patch security upstream > > > > Hi Guido, > > > > the following vulnerability was published for libvirt. > > > > CVE-2018-6764[0]: > > |guest could inject executable code via libnss_dns.so loaded by > > |libvirt_lxc before init > > > > Commit is at [1]. I see the 1ce929603ba8ebc3b0dc4ff39df9619c87723f42 > > commit upstream introduced the inclusion of hostname in the initial > > log message. But the hostname getting is already present before that > > commit, can you pin point which is the arliest version including the > > issue? > > At least 1.3.1 onward are affected (but I think that's it). Given the > little use of libvirt-lxc and the fact that you need apparmor/selinux > for a safe container anyway fixing this via a point release will be
Alright, I marked it no-dsa. To be on 'safe side" I marked as well no-dsa the jessie Version. I prefer until proven against that the issue is not present in jessie, to have it marked "affected". We can correct it if it turns out the hostname gettings there are really not a problem. Thanks a lot for your great work! Salvatore
