==========================================================================
Ubuntu Security Notice USN-2366-1
September 30, 2014

libvirt vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 14.04 LTS
– Ubuntu 12.04 LTS
– Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in libvirt.

Software Description:
– libvirt: Libvirt virtualization toolkit

Details:

Daniel P. Berrange and Richard Jones discovered that libvirt incorrectly
handled XML documents containing XML external entity declarations. An
attacker could use this issue to cause libvirtd to crash, resulting in a
denial of service on all affected releases, or possibly read arbitrary
files if fine grained access control was enabled on Ubuntu 14.04 LTS.
(CVE-2014-0179, CVE-2014-5177)

Luyao Huang discovered that libvirt incorrectly handled certain blkiotune
queries. An attacker could use this issue to cause libvirtd to crash,
resulting in a denial of service. This issue only applied to Ubuntu 12.04
LTS and Ubuntu 14.04 LTS. (CVE-2014-3633)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
libvirt-bin 1.2.2-0ubuntu13.1.5
libvirt0 1.2.2-0ubuntu13.1.5

Ubuntu 12.04 LTS:
libvirt-bin 0.9.8-2ubuntu17.20
libvirt0 0.9.8-2ubuntu17.20

Ubuntu 10.04 LTS:
libvirt-bin 0.7.5-5ubuntu27.25
libvirt0 0.7.5-5ubuntu27.25

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2366-1
CVE-2014-0179, CVE-2014-3633, CVE-2014-5177

Package Information:
https://launchpad.net/ubuntu/+source/libvirt/1.2.2-0ubuntu13.1.5
https://launchpad.net/ubuntu/+source/libvirt/0.9.8-2ubuntu17.20
https://launchpad.net/ubuntu/+source/libvirt/0.7.5-5ubuntu27.25

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIcBAEBCgAGBQJUKvOBAAoJEGVp2FWnRL6TzAQQAI2mFm1lw/t4jBlDJgbT1+aO
f5bhDcKO5RrAmh/x2bm6gCnnUn76l50n3IS+i9iF4fmylIgbQ+aG3TmG4vfuV4WX
SIvO4DICTe0tZXoXh8cHwtZas53niDfCrZaHIOF3H2C9Gv18Fpx7mC9H3UckMIT+
mwvwt4LmrWQWUOifRes2/njvtjd7ByJcvf6x9kyzlZIP0MH5sHowsRUP1ALUH+vA
ZzzqBgZPzOQhE649y84HjTLhhdfFXx1wq8P7DT0g87B/a3n0yXe+ST6K2LQBZp3Z
jpwMyiz1DVcSjlbxC08gybhz63+ddc32tJOveDe6kIvdXI5s98dsJscLGmcSFXQL
7B3+1elDiN6FhPxtOVbeSf4MdWMv93IblKAZioVOzkiD6WI5WOZWX2R6ZIx9PVSI
HjFnNPAs0RZ9cfNpC94xyeOLAPZgwHN1NJdDpWyNbJ49ZPgx00NIHeRlO0YiY+3U
xLePIYoTdSgCKqMKN1DG/M1GS369n4WdAZdhHix0DjjihVbGXq37pkLg2duIEvAi
0VCTtL+vXccndrte5j1rpBJnSTXmfd9pp2tfw9MWli5aVue5yIY2LiW/fOfjPCjj
8JisUsfEoCJVUR0DQFwggI9XD8GdMsJ/sfxs1no5Gl9D2PDCmaVYSm2TR5IfjeM9
RV0twHASZ3s093/Bfgqs
=VOdC
—–END PGP SIGNATURE—–
—