Changeset
notices/2018/0001.xml             | 276 ++++++++++++++++++++++++++++++++++++++
notices/2018/0002.xml             | 274 +++++++++++++++++++++++++++++++++++++
notices/2018/0003.xml             | 269 +++++++++++++++++++++++++++++++++++++
scripts/report-vulnerable-tags.pl | 108 +++++++++++++++
4 files changed, 927 insertions(+)
create mode 100644 notices/2018/0001.xml
create mode 100644 notices/2018/0002.xml
create mode 100644 notices/2018/0003.xml
create mode 100644 scripts/report-vulnerable-tags.pl
Git apply log
Switched to a new branch '20180313172737.24214-1-berrange@redhat.com'
Applying: LSN-2018-0001 / CVE-2017-5715 - Spectre variant 2 branch target injection
Applying: LSN-2018-0002 / CVE-2018-5748 - QEMU monitor denial of service
Applying: LSN-2018-0003 / CVE-2018-6764 - Insecure usage of NSS modules during container startup
Applying: Add a script for generating a list of vulnerable tags & branches
To https://github.com/patchew-project/libvirt
 * [new tag]         patchew/20180313172737.24214-1-berrange@redhat.com -> patchew/20180313172737.24214-1-berrange@redhat.com
Test failed: syntax-check


[libvirt] [PATCH security-notice 0/4] Add missing security notices
Posted by Daniel P. Berrangé, 14 weeks ago
This provides the security notices we've had so far in 2018 and a
script to make future ones easier to create.

Daniel P. Berrangé (4):
  LSN-2018-0001 / CVE-2017-5715 - Spectre variant 2 branch target
    injection
  LSN-2018-0002 / CVE-2018-5748 - QEMU monitor denial of service
  LSN-2018-0003 / CVE-2018-6764 - Insecure usage of NSS modules during
    container startup
  Add a script for generating a list of vulnerable tags & branches

 notices/2018/0001.xml             | 276 ++++++++++++++++++++++++++++++++++++++
 notices/2018/0002.xml             | 274 +++++++++++++++++++++++++++++++++++++
 notices/2018/0003.xml             | 269 +++++++++++++++++++++++++++++++++++++
 scripts/report-vulnerable-tags.pl | 108 +++++++++++++++
 4 files changed, 927 insertions(+)
 create mode 100644 notices/2018/0001.xml
 create mode 100644 notices/2018/0002.xml
 create mode 100644 notices/2018/0003.xml
 create mode 100644 scripts/report-vulnerable-tags.pl

-- 
2.14.3

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
[libvirt] [PATCH security-notice 1/4] LSN-2018-0001 / CVE-2017-5715 - Spectre variant 2 branch target injection
Posted by Daniel P. Berrangé, 14 weeks ago
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 notices/2018/0001.xml | 276 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 276 insertions(+)
 create mode 100644 notices/2018/0001.xml

diff --git a/notices/2018/0001.xml b/notices/2018/0001.xml
new file mode 100644
index 0000000..9acb303
--- /dev/null
+++ b/notices/2018/0001.xml
@@ -0,0 +1,276 @@
+<security-notice xmlns="http://security.libvirt.org/xmlns/security-notice/1.0">
+  <id>2018-0001</id>
+
+  <summary>Spectre variant 2 branch target injection</summary>
+
+  <description>
+    <![CDATA[This is not a vulnerability in libvirt, rather it is
+	     a set of changes in libvirt to enable mitigation of
+	     the Spectre hardware flaws by providing extra CPU
+	     models with the "spec-ctrl" feature . Refer to https://spectreattack.com/
+	     for further backend information.]]>
+  </description>
+
+  <credits>
+    <reporter>
+      <name>Paolo Bonzini</name>
+      <email>pbonzini@redhat.com</email>
+    </reporter>
+    <patcher>
+      <name>Paolo Bonzini</name>
+      <email>pbonzini@redhat.com</email>
+    </patcher>
+    <patcher>
+      <name>Jiri Denemark</name>
+      <email>jdenemar@redhat.com</email>
+    </patcher>
+  </credits>
+
+  <lifecycle>
+    <reported>20171212</reported>
+    <published>20180105</published>
+    <fixed>20180118</fixed>
+  </lifecycle>
+
+  <reference>
+    <advisory type="CVE" id="2017-5715"/>
+  </reference>
+
+  <product name="libvirt">
+    <repository>libvirt.git</repository>
+    <branch>
+      <name>master</name>
+      <tag state="vulnerable">v0.2.0</tag>
+      <tag state="vulnerable">v0.2.1</tag>
+      <tag state="vulnerable">v0.2.2</tag>
+      <tag state="vulnerable">v0.2.3</tag>
+      <tag state="vulnerable">v0.3.0</tag>
+      <tag state="vulnerable">v0.3.1</tag>
+      <tag state="vulnerable">v0.3.2</tag>
+      <tag state="vulnerable">v0.3.3</tag>
+      <tag state="vulnerable">v0.4.1</tag>
+      <tag state="vulnerable">v0.4.2</tag>
+      <tag state="vulnerable">v0.4.4</tag>
+      <tag state="vulnerable">v0.4.6</tag>
+      <tag state="vulnerable">v0.5.0</tag>
+      <tag state="vulnerable">v0.5.1</tag>
+      <tag state="vulnerable">v0.6.0</tag>
+      <tag state="vulnerable">v0.6.1</tag>
+      <tag state="vulnerable">v0.6.2</tag>
+      <tag state="vulnerable">v0.6.3</tag>
+      <tag state="vulnerable">v0.6.4</tag>
+      <tag state="vulnerable">v0.6.5</tag>
+      <tag state="vulnerable">v0.7.0</tag>
+      <tag state="vulnerable">v0.7.1</tag>
+      <tag state="vulnerable">v0.7.2</tag>
+      <tag state="vulnerable">v0.7.3</tag>
+      <tag state="vulnerable">v0.7.4</tag>
+      <tag state="vulnerable">v0.7.5</tag>
+      <tag state="vulnerable">v0.7.6</tag>
+      <tag state="vulnerable">v0.7.7</tag>
+      <tag state="vulnerable">v0.8.0</tag>
+      <tag state="vulnerable">v0.8.1</tag>
+      <tag state="vulnerable">v0.8.2</tag>
+      <tag state="vulnerable">v0.8.3</tag>
+      <tag state="vulnerable">v0.8.4</tag>
+      <tag state="vulnerable">v0.8.5</tag>
+      <tag state="vulnerable">v0.8.6</tag>
+      <tag state="vulnerable">v0.8.7</tag>
+      <tag state="vulnerable">v0.8.8</tag>
+      <tag state="vulnerable">v0.9.0</tag>
+      <tag state="vulnerable">v0.9.1</tag>
+      <tag state="vulnerable">v0.9.2</tag>
+      <tag state="vulnerable">v0.9.3</tag>
+      <tag state="vulnerable">v0.9.4</tag>
+      <tag state="vulnerable">v0.9.5</tag>
+      <tag state="vulnerable">v0.9.6</tag>
+      <tag state="vulnerable">v0.9.7</tag>
+      <tag state="vulnerable">v0.9.8</tag>
+      <tag state="vulnerable">v0.9.9</tag>
+      <tag state="vulnerable">v0.9.10</tag>
+      <tag state="vulnerable">v0.9.11</tag>
+      <tag state="vulnerable">v0.9.12</tag>
+      <tag state="vulnerable">v0.9.13</tag>
+      <tag state="vulnerable">v0.10.0</tag>
+      <tag state="vulnerable">v0.10.1</tag>
+      <tag state="vulnerable">v0.10.2</tag>
+      <tag state="vulnerable">v1.0.0</tag>
+      <tag state="vulnerable">v1.0.1</tag>
+      <tag state="vulnerable">v1.0.2</tag>
+      <tag state="vulnerable">v1.0.3</tag>
+      <tag state="vulnerable">v1.0.4</tag>
+      <tag state="vulnerable">v1.0.5</tag>
+      <tag state="vulnerable">v1.0.6</tag>
+      <tag state="vulnerable">v1.1.0</tag>
+      <tag state="vulnerable">v1.1.1</tag>
+      <tag state="vulnerable">v1.1.2</tag>
+      <tag state="vulnerable">v1.1.3</tag>
+      <tag state="vulnerable">v1.1.4</tag>
+      <tag state="vulnerable">v1.2.0</tag>
+      <tag state="vulnerable">v1.2.1</tag>
+      <tag state="vulnerable">v1.2.2</tag>
+      <tag state="vulnerable">v1.2.3</tag>
+      <tag state="vulnerable">v1.2.4</tag>
+      <tag state="vulnerable">v1.2.5</tag>
+      <tag state="vulnerable">v1.2.6</tag>
+      <tag state="vulnerable">v1.2.7</tag>
+      <tag state="vulnerable">v1.2.8</tag>
+      <tag state="vulnerable">v1.2.9</tag>
+      <tag state="vulnerable">v1.2.10</tag>
+      <tag state="vulnerable">v1.2.11</tag>
+      <tag state="vulnerable">v1.2.12</tag>
+      <tag state="vulnerable">v1.2.13</tag>
+      <tag state="vulnerable">v1.2.14</tag>
+      <tag state="vulnerable">v1.2.15</tag>
+      <tag state="vulnerable">v1.2.16</tag>
+      <tag state="vulnerable">v1.2.17</tag>
+      <tag state="vulnerable">v1.2.18</tag>
+      <tag state="vulnerable">v1.2.19</tag>
+      <tag state="vulnerable">v1.2.20</tag>
+      <tag state="vulnerable">v1.2.21</tag>
+      <tag state="vulnerable">v1.3.0</tag>
+      <tag state="vulnerable">v1.3.1</tag>
+      <tag state="vulnerable">v1.3.2</tag>
+      <tag state="vulnerable">v1.3.3</tag>
+      <tag state="vulnerable">v1.3.4</tag>
+      <tag state="vulnerable">v1.3.5</tag>
+      <tag state="vulnerable">v2.0.0</tag>
+      <tag state="vulnerable">v2.1.0</tag>
+      <tag state="vulnerable">v2.2.0</tag>
+      <tag state="vulnerable">v2.3.0</tag>
+      <tag state="vulnerable">v2.4.0</tag>
+      <tag state="vulnerable">v2.5.0</tag>
+      <tag state="vulnerable">v3.0.0</tag>
+      <tag state="vulnerable">v3.1.0</tag>
+      <tag state="vulnerable">v3.2.0</tag>
+      <tag state="vulnerable">v3.3.0</tag>
+      <tag state="vulnerable">v3.4.0</tag>
+      <tag state="vulnerable">v3.5.0</tag>
+      <tag state="vulnerable">v3.6.0</tag>
+      <tag state="vulnerable">v3.7.0</tag>
+      <tag state="vulnerable">v3.8.0</tag>
+      <tag state="vulnerable">v3.9.0</tag>
+      <tag state="vulnerable">v3.10.0</tag>
+      <tag state="vulnerable">v4.0.0</tag>
+      <tag state="fixed">v4.1.0</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+      <change state="fixed">24d504396c3c05eff87d29173a224e2faaeb2637</change>
+      <change state="fixed">b2042020c32b74069fa5365b5e966537aaba8cf6</change>
+      <change state="fixed">7bb4ce9761dfbd1620ddffb26fbd6f0ff1fedf3f</change>
+      <change state="fixed">49bffcb3cc1850d332b9648c686a7be18de9e708</change>
+      <change state="fixed">7f83eefa9e6940c83579d31941efd07fab1b90c8</change>
+      <change state="fixed">7dd85ff62d7080b52d4d175f53ad5eb11cdcfb9c</change>
+      <change state="fixed">203c92e9cc2db854199b39ef3ffcc10406d3c59e</change>
+      <change state="fixed">30b381cfdd5e92e5afa6de09f0fe533353e71d07</change>
+      <change state="fixed">2e3b220a874e558e54678afd7cf49466fe605e09</change>
+      <change state="fixed">6b7e7d1cc24a28a9f5ece8626f807189647d14b4</change>
+      <change state="fixed">6d4a3cd42781babed7d29b061e220ebff24dd43e</change>
+    </branch>
+    <branch>
+      <name>v0.9.6-maint</name>
+      <tag state="vulnerable">v0.9.6.1</tag>
+      <tag state="vulnerable">v0.9.6.2</tag>
+      <tag state="vulnerable">v0.9.6.3</tag>
+      <tag state="vulnerable">v0.9.6.4</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v0.9.11-maint</name>
+      <tag state="vulnerable">v0.9.11.1</tag>
+      <tag state="vulnerable">v0.9.11.2</tag>
+      <tag state="vulnerable">v0.9.11.3</tag>
+      <tag state="vulnerable">v0.9.11.4</tag>
+      <tag state="vulnerable">v0.9.11.5</tag>
+      <tag state="vulnerable">v0.9.11.6</tag>
+      <tag state="vulnerable">v0.9.11.7</tag>
+      <tag state="vulnerable">v0.9.11.8</tag>
+      <tag state="vulnerable">v0.9.11.9</tag>
+      <tag state="vulnerable">v0.9.11.10</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v0.9.12-maint</name>
+      <tag state="vulnerable">v0.9.12.1</tag>
+      <tag state="vulnerable">v0.9.12.2</tag>
+      <tag state="vulnerable">v0.9.12.3</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v0.10.2-maint</name>
+      <tag state="vulnerable">v0.10.2.1</tag>
+      <tag state="vulnerable">v0.10.2.2</tag>
+      <tag state="vulnerable">v0.10.2.3</tag>
+      <tag state="vulnerable">v0.10.2.4</tag>
+      <tag state="vulnerable">v0.10.2.5</tag>
+      <tag state="vulnerable">v0.10.2.6</tag>
+      <tag state="vulnerable">v0.10.2.7</tag>
+      <tag state="vulnerable">v0.10.2.8</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v1.0.5-maint</name>
+      <tag state="vulnerable">v1.0.5.1</tag>
+      <tag state="vulnerable">v1.0.5.2</tag>
+      <tag state="vulnerable">v1.0.5.3</tag>
+      <tag state="vulnerable">v1.0.5.4</tag>
+      <tag state="vulnerable">v1.0.5.5</tag>
+      <tag state="vulnerable">v1.0.5.6</tag>
+      <tag state="vulnerable">v1.0.5.7</tag>
+      <tag state="vulnerable">v1.0.5.8</tag>
+      <tag state="vulnerable">v1.0.5.9</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v1.1.3-maint</name>
+      <tag state="vulnerable">v1.1.3.1</tag>
+      <tag state="vulnerable">v1.1.3.2</tag>
+      <tag state="vulnerable">v1.1.3.3</tag>
+      <tag state="vulnerable">v1.1.3.4</tag>
+      <tag state="vulnerable">v1.1.3.5</tag>
+      <tag state="vulnerable">v1.1.3.6</tag>
+      <tag state="vulnerable">v1.1.3.7</tag>
+      <tag state="vulnerable">v1.1.3.8</tag>
+      <tag state="vulnerable">v1.1.3.9</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v1.2.9-maint</name>
+      <tag state="vulnerable">v1.2.9.1</tag>
+      <tag state="vulnerable">v1.2.9.2</tag>
+      <tag state="vulnerable">v1.2.9.3</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v1.2.13-maint</name>
+      <tag state="vulnerable">v1.2.13.1</tag>
+      <tag state="vulnerable">v1.2.13.2</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v1.2.18-maint</name>
+      <tag state="vulnerable">v1.2.18.1</tag>
+      <tag state="vulnerable">v1.2.18.2</tag>
+      <tag state="vulnerable">v1.2.18.3</tag>
+      <tag state="vulnerable">v1.2.18.4</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v1.3.3-maint</name>
+      <tag state="vulnerable">v1.3.3.1</tag>
+      <tag state="vulnerable">v1.3.3.2</tag>
+      <tag state="vulnerable">v1.3.3.3</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v2.2-maint</name>
+      <tag state="vulnerable">v2.2.1</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v3.2-maint</name>
+      <tag state="vulnerable">v3.2.1</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+  </product>
+
+</security-notice>
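Review bot: The `<description>` CDATA has a stray space before the full stop in `"spec-ctrl" feature . Refer to`, and `further backend information` presumably should read `further background information`. Its continuation lines are indented with a tab followed by spaces while the rest of the file uses spaces only; that may be what the failed syntax-check is reporting, though the log shown here does not say. Unlike 0002.xml in this series, this notice has no `<impact>` or `<workaround>` element. If the schema allows them here, a one-sentence `<impact>` would help consumers of the XML, stating that the mitigation only takes effect for guests configured with one of the new CPU models carrying "spec-ctrl".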
-- 
2.14.3

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
[libvirt] [PATCH security-notice 2/4] LSN-2018-0002 / CVE-2018-5748 - QEMU monitor denial of service
Posted by Daniel P. Berrangé, 14 weeks ago
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 notices/2018/0002.xml | 274 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 274 insertions(+)
 create mode 100644 notices/2018/0002.xml

diff --git a/notices/2018/0002.xml b/notices/2018/0002.xml
new file mode 100644
index 0000000..8b8e069
--- /dev/null
+++ b/notices/2018/0002.xml
@@ -0,0 +1,274 @@
+<security-notice xmlns="http://security.libvirt.org/xmlns/security-notice/1.0">
+  <id>2018-0002</id>
+
+  <summary>QEMU monitor denial of service</summary>
+
+  <description>
+    <![CDATA[The libvirt code that reads data from the QEMU monitor will read
+	     data until encountering a newline, buffering all data in memory
+	     with no upper limit applied.]]>
+  </description>
+
+  <impact>
+    <![CDATA[A malicious QEMU process can cause the libvirtd daemon to consume
+	     an arbitrary amount of memory by sending lots of data without any newline
+	     characters.]]>
+  </impact>
+
+  <workaround>
+    <![CDATA[There is no practical workaround to prevent this happening, though to
+	     exploit it a user would have to first break out of the guest into QEMU]]>
+  </workaround>
+
+  <credits>
+    <reporter>
+      <name>Peter Krempa</name>
+      <email>pkrempa@redhat.com</email>
+    </reporter>
+    <reporter>
+      <name>Daniel P. Berrangé</name>
+      <email>berrange@redhat.com</email>
+    </reporter>
+    <patcher>
+      <name>Daniel P. Berrangé</name>
+      <email>berrange@redhat.com</email>
+    </patcher>
+  </credits>
+
+  <lifecycle>
+    <reported>20171221</reported>
+    <published>20171221</published>
+    <fixed>20180118</fixed>
+  </lifecycle>
+
+  <reference>
+    <advisory type="CVE" id="2018-5748"/>
+  </reference>
+
+  <product name="libvirt">
+    <repository>libvirt.git</repository>
+    <branch>
+      <name>master</name>
+      <tag state="vulnerable">v0.2.0</tag>
+      <tag state="vulnerable">v0.2.1</tag>
+      <tag state="vulnerable">v0.2.2</tag>
+      <tag state="vulnerable">v0.2.3</tag>
+      <tag state="vulnerable">v0.3.0</tag>
+      <tag state="vulnerable">v0.3.1</tag>
+      <tag state="vulnerable">v0.3.2</tag>
+      <tag state="vulnerable">v0.3.3</tag>
+      <tag state="vulnerable">v0.4.1</tag>
+      <tag state="vulnerable">v0.4.2</tag>
+      <tag state="vulnerable">v0.4.4</tag>
+      <tag state="vulnerable">v0.4.6</tag>
+      <tag state="vulnerable">v0.5.0</tag>
+      <tag state="vulnerable">v0.5.1</tag>
+      <tag state="vulnerable">v0.6.0</tag>
+      <tag state="vulnerable">v0.6.1</tag>
+      <tag state="vulnerable">v0.6.2</tag>
+      <tag state="vulnerable">v0.6.3</tag>
+      <tag state="vulnerable">v0.6.4</tag>
+      <tag state="vulnerable">v0.6.5</tag>
+      <tag state="vulnerable">v0.7.0</tag>
+      <tag state="vulnerable">v0.7.1</tag>
+      <tag state="vulnerable">v0.7.2</tag>
+      <tag state="vulnerable">v0.7.3</tag>
+      <tag state="vulnerable">v0.7.4</tag>
+      <tag state="vulnerable">v0.7.5</tag>
+      <tag state="vulnerable">v0.7.6</tag>
+      <tag state="vulnerable">v0.7.7</tag>
+      <tag state="vulnerable">v0.8.0</tag>
+      <tag state="vulnerable">v0.8.1</tag>
+      <tag state="vulnerable">v0.8.2</tag>
+      <tag state="vulnerable">v0.8.3</tag>
+      <tag state="vulnerable">v0.8.4</tag>
+      <tag state="vulnerable">v0.8.5</tag>
+      <tag state="vulnerable">v0.8.6</tag>
+      <tag state="vulnerable">v0.8.7</tag>
+      <tag state="vulnerable">v0.8.8</tag>
+      <tag state="vulnerable">v0.9.0</tag>
+      <tag state="vulnerable">v0.9.1</tag>
+      <tag state="vulnerable">v0.9.2</tag>
+      <tag state="vulnerable">v0.9.3</tag>
+      <tag state="vulnerable">v0.9.4</tag>
+      <tag state="vulnerable">v0.9.5</tag>
+      <tag state="vulnerable">v0.9.6</tag>
+      <tag state="vulnerable">v0.9.7</tag>
+      <tag state="vulnerable">v0.9.8</tag>
+      <tag state="vulnerable">v0.9.9</tag>
+      <tag state="vulnerable">v0.9.10</tag>
+      <tag state="vulnerable">v0.9.11</tag>
+      <tag state="vulnerable">v0.9.12</tag>
+      <tag state="vulnerable">v0.9.13</tag>
+      <tag state="vulnerable">v0.10.0</tag>
+      <tag state="vulnerable">v0.10.1</tag>
+      <tag state="vulnerable">v0.10.2</tag>
+      <tag state="vulnerable">v1.0.0</tag>
+      <tag state="vulnerable">v1.0.1</tag>
+      <tag state="vulnerable">v1.0.2</tag>
+      <tag state="vulnerable">v1.0.3</tag>
+      <tag state="vulnerable">v1.0.4</tag>
+      <tag state="vulnerable">v1.0.5</tag>
+      <tag state="vulnerable">v1.0.6</tag>
+      <tag state="vulnerable">v1.1.0</tag>
+      <tag state="vulnerable">v1.1.1</tag>
+      <tag state="vulnerable">v1.1.2</tag>
+      <tag state="vulnerable">v1.1.3</tag>
+      <tag state="vulnerable">v1.1.4</tag>
+      <tag state="vulnerable">v1.2.0</tag>
+      <tag state="vulnerable">v1.2.1</tag>
+      <tag state="vulnerable">v1.2.2</tag>
+      <tag state="vulnerable">v1.2.3</tag>
+      <tag state="vulnerable">v1.2.4</tag>
+      <tag state="vulnerable">v1.2.5</tag>
+      <tag state="vulnerable">v1.2.6</tag>
+      <tag state="vulnerable">v1.2.7</tag>
+      <tag state="vulnerable">v1.2.8</tag>
+      <tag state="vulnerable">v1.2.9</tag>
+      <tag state="vulnerable">v1.2.10</tag>
+      <tag state="vulnerable">v1.2.11</tag>
+      <tag state="vulnerable">v1.2.12</tag>
+      <tag state="vulnerable">v1.2.13</tag>
+      <tag state="vulnerable">v1.2.14</tag>
+      <tag state="vulnerable">v1.2.15</tag>
+      <tag state="vulnerable">v1.2.16</tag>
+      <tag state="vulnerable">v1.2.17</tag>
+      <tag state="vulnerable">v1.2.18</tag>
+      <tag state="vulnerable">v1.2.19</tag>
+      <tag state="vulnerable">v1.2.20</tag>
+      <tag state="vulnerable">v1.2.21</tag>
+      <tag state="vulnerable">v1.3.0</tag>
+      <tag state="vulnerable">v1.3.1</tag>
+      <tag state="vulnerable">v1.3.2</tag>
+      <tag state="vulnerable">v1.3.3</tag>
+      <tag state="vulnerable">v1.3.4</tag>
+      <tag state="vulnerable">v1.3.5</tag>
+      <tag state="vulnerable">v2.0.0</tag>
+      <tag state="vulnerable">v2.1.0</tag>
+      <tag state="vulnerable">v2.2.0</tag>
+      <tag state="vulnerable">v2.3.0</tag>
+      <tag state="vulnerable">v2.4.0</tag>
+      <tag state="vulnerable">v2.5.0</tag>
+      <tag state="vulnerable">v3.0.0</tag>
+      <tag state="vulnerable">v3.1.0</tag>
+      <tag state="vulnerable">v3.2.0</tag>
+      <tag state="vulnerable">v3.3.0</tag>
+      <tag state="vulnerable">v3.4.0</tag>
+      <tag state="vulnerable">v3.5.0</tag>
+      <tag state="vulnerable">v3.6.0</tag>
+      <tag state="vulnerable">v3.7.0</tag>
+      <tag state="vulnerable">v3.8.0</tag>
+      <tag state="vulnerable">v3.9.0</tag>
+      <tag state="vulnerable">v3.10.0</tag>
+      <tag state="fixed">v4.0.0</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+      <change state="fixed">bc251ea91bcfddd2622fce6bce701a438b2e7276</change>
+    </branch>
+    <branch>
+      <name>v0.9.6-maint</name>
+      <tag state="vulnerable">v0.9.6.1</tag>
+      <tag state="vulnerable">v0.9.6.2</tag>
+      <tag state="vulnerable">v0.9.6.3</tag>
+      <tag state="vulnerable">v0.9.6.4</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v0.9.11-maint</name>
+      <tag state="vulnerable">v0.9.11.1</tag>
+      <tag state="vulnerable">v0.9.11.2</tag>
+      <tag state="vulnerable">v0.9.11.3</tag>
+      <tag state="vulnerable">v0.9.11.4</tag>
+      <tag state="vulnerable">v0.9.11.5</tag>
+      <tag state="vulnerable">v0.9.11.6</tag>
+      <tag state="vulnerable">v0.9.11.7</tag>
+      <tag state="vulnerable">v0.9.11.8</tag>
+      <tag state="vulnerable">v0.9.11.9</tag>
+      <tag state="vulnerable">v0.9.11.10</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v0.9.12-maint</name>
+      <tag state="vulnerable">v0.9.12.1</tag>
+      <tag state="vulnerable">v0.9.12.2</tag>
+      <tag state="vulnerable">v0.9.12.3</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v0.10.2-maint</name>
+      <tag state="vulnerable">v0.10.2.1</tag>
+      <tag state="vulnerable">v0.10.2.2</tag>
+      <tag state="vulnerable">v0.10.2.3</tag>
+      <tag state="vulnerable">v0.10.2.4</tag>
+      <tag state="vulnerable">v0.10.2.5</tag>
+      <tag state="vulnerable">v0.10.2.6</tag>
+      <tag state="vulnerable">v0.10.2.7</tag>
+      <tag state="vulnerable">v0.10.2.8</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v1.0.5-maint</name>
+      <tag state="vulnerable">v1.0.5.1</tag>
+      <tag state="vulnerable">v1.0.5.2</tag>
+      <tag state="vulnerable">v1.0.5.3</tag>
+      <tag state="vulnerable">v1.0.5.4</tag>
+      <tag state="vulnerable">v1.0.5.5</tag>
+      <tag state="vulnerable">v1.0.5.6</tag>
+      <tag state="vulnerable">v1.0.5.7</tag>
+      <tag state="vulnerable">v1.0.5.8</tag>
+      <tag state="vulnerable">v1.0.5.9</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v1.1.3-maint</name>
+      <tag state="vulnerable">v1.1.3.1</tag>
+      <tag state="vulnerable">v1.1.3.2</tag>
+      <tag state="vulnerable">v1.1.3.3</tag>
+      <tag state="vulnerable">v1.1.3.4</tag>
+      <tag state="vulnerable">v1.1.3.5</tag>
+      <tag state="vulnerable">v1.1.3.6</tag>
+      <tag state="vulnerable">v1.1.3.7</tag>
+      <tag state="vulnerable">v1.1.3.8</tag>
+      <tag state="vulnerable">v1.1.3.9</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v1.2.9-maint</name>
+      <tag state="vulnerable">v1.2.9.1</tag>
+      <tag state="vulnerable">v1.2.9.2</tag>
+      <tag state="vulnerable">v1.2.9.3</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v1.2.13-maint</name>
+      <tag state="vulnerable">v1.2.13.1</tag>
+      <tag state="vulnerable">v1.2.13.2</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v1.2.18-maint</name>
+      <tag state="vulnerable">v1.2.18.1</tag>
+      <tag state="vulnerable">v1.2.18.2</tag>
+      <tag state="vulnerable">v1.2.18.3</tag>
+      <tag state="vulnerable">v1.2.18.4</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v1.3.3-maint</name>
+      <tag state="vulnerable">v1.3.3.1</tag>
+      <tag state="vulnerable">v1.3.3.2</tag>
+      <tag state="vulnerable">v1.3.3.3</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v2.2-maint</name>
+      <tag state="vulnerable">v2.2.1</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+    <branch>
+      <name>v3.2-maint</name>
+      <tag state="vulnerable">v3.2.1</tag>
+      <change state="vulnerable">23ad665cb05ef9ce7d298cc34bff5efb95ef6948</change>
+    </branch>
+  </product>
+
+</security-notice>
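Review bot: The `<change state="vulnerable">` on master is `23ad665cb05ef9ce7d298cc34bff5efb95ef6948`, the same hash 0001.xml uses for an unrelated issue, and the vulnerable tag list starts at v0.2.0. If that hash is a generic starting point rather than the commit that introduced the unbounded monitor read, the affected range is overstated for releases that predate that code. 0003.xml in this series starts its list at v0.4.4, so a narrower range is evidently expressible. It is worth confirming the introducing commit, since these tags are presumably what downstreams use to decide which releases need the fix. Separately, the `<workaround>` text ends without a full stop after `break out of the guest into QEMU`.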
-- 
2.14.3

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
[libvirt] [PATCH security-notice 3/4] LSN-2018-0003 / CVE-2018-6764 - Insecure usage of NSS modules during container startup
Posted by Daniel P. Berrangé, 14 weeks ago
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 notices/2018/0003.xml | 269 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 269 insertions(+)
 create mode 100644 notices/2018/0003.xml

diff --git a/notices/2018/0003.xml b/notices/2018/0003.xml
new file mode 100644
index 0000000..2c53626
--- /dev/null
+++ b/notices/2018/0003.xml
@@ -0,0 +1,269 @@
+<security-notice xmlns="http://security.libvirt.org/xmlns/security-notice/1.0">
+  <id>2018-0003</id>
+
+  <summary>Insecure usage of NSS modules during container startup</summary>
+
+  <description>
+    <![CDATA[During container startup it is possible that libvirt logging
+	     code will trigger a hostname lookup. This will in turn potentially
+	     cause GLibC to load various NSS modules from the container's
+	     root filesystem rather than the host's root filesystem. During this
+	     time the host's root filesystem is still accessible and fully
+	     writable]]>
+  </description>
+
+  <impact>
+    <![CDATA[A maliciously crafted NSS module in the container's root filesystem
+	     can exploit the host OS by writing content into the host's root
+	     filesystem]]>
+  </impact>
+
+  <workaround>
+    <![CDATA[There is no practical workaround]]>
+  </workaround>
+
+  <credits>
+    <reporter>
+      <name>Lubomir Rintel</name>
+      <email>lkundrak@v3.sk</email>
+    </reporter>
+    <patcher>
+      <name>Lubomir Rintel</name>
+      <email>lkundrak@v3.sk</email>
+    </patcher>
+    <patcher>
+      <name>Daniel P. Berrangé</name>
+      <email>berrange@redhat.com</email>
+    </patcher>
+  </credits>
+
+  <lifecycle>
+    <reported>20180127</reported>
+    <published>20180207</published>
+    <fixed>20180207</fixed>
+  </lifecycle>
+
+  <reference>
+    <advisory type="CVE" id="2018-6764"/>
+  </reference>
+
+  <product name="libvirt">
+    <repository>libvirt.git</repository>
+
+    <branch>
+      <name>master</name>
+      <tag state="vulnerable">v0.4.4</tag>
+      <tag state="vulnerable">v0.4.6</tag>
+      <tag state="vulnerable">v0.5.0</tag>
+      <tag state="vulnerable">v0.5.1</tag>
+      <tag state="vulnerable">v0.6.0</tag>
+      <tag state="vulnerable">v0.6.1</tag>
+      <tag state="vulnerable">v0.6.2</tag>
+      <tag state="vulnerable">v0.6.3</tag>
+      <tag state="vulnerable">v0.6.4</tag>
+      <tag state="vulnerable">v0.6.5</tag>
+      <tag state="vulnerable">v0.7.0</tag>
+      <tag state="vulnerable">v0.7.1</tag>
+      <tag state="vulnerable">v0.7.2</tag>
+      <tag state="vulnerable">v0.7.3</tag>
+      <tag state="vulnerable">v0.7.4</tag>
+      <tag state="vulnerable">v0.7.5</tag>
+      <tag state="vulnerable">v0.7.6</tag>
+      <tag state="vulnerable">v0.7.7</tag>
+      <tag state="vulnerable">v0.8.0</tag>
+      <tag state="vulnerable">v0.8.1</tag>
+      <tag state="vulnerable">v0.8.2</tag>
+      <tag state="vulnerable">v0.8.3</tag>
+      <tag state="vulnerable">v0.8.4</tag>
+      <tag state="vulnerable">v0.8.5</tag>
+      <tag state="vulnerable">v0.8.6</tag>
+      <tag state="vulnerable">v0.8.7</tag>
+      <tag state="vulnerable">v0.8.8</tag>
+      <tag state="vulnerable">v0.9.0</tag>
+      <tag state="vulnerable">v0.9.1</tag>
+      <tag state="vulnerable">v0.9.2</tag>
+      <tag state="vulnerable">v0.9.3</tag>
+      <tag state="vulnerable">v0.9.4</tag>
+      <tag state="vulnerable">v0.9.5</tag>
+      <tag state="vulnerable">v0.9.6</tag>
+      <tag state="vulnerable">v0.9.7</tag>
+      <tag state="vulnerable">v0.9.8</tag>
+      <tag state="vulnerable">v0.9.9</tag>
+      <tag state="vulnerable">v0.9.10</tag>
+      <tag state="vulnerable">v0.9.11</tag>
+      <tag state="vulnerable">v0.9.12</tag>
+      <tag state="vulnerable">v0.9.13</tag>
+      <tag state="vulnerable">v0.10.0</tag>
+      <tag state="vulnerable">v0.10.1</tag>
+      <tag state="vulnerable">v0.10.2</tag>
+      <tag state="vulnerable">v1.0.0</tag>
+      <tag state="vulnerable">v1.0.1</tag>
+      <tag state="vulnerable">v1.0.2</tag>
+      <tag state="vulnerable">v1.0.3</tag>
+      <tag state="vulnerable">v1.0.4</tag>
+      <tag state="vulnerable">v1.0.5</tag>
+      <tag state="vulnerable">v1.0.6</tag>
+      <tag state="vulnerable">v1.1.0</tag>
+      <tag state="vulnerable">v1.1.1</tag>
+      <tag state="vulnerable">v1.1.2</tag>
+      <tag state="vulnerable">v1.1.3</tag>
+      <tag state="vulnerable">v1.1.4</tag>
+      <tag state="vulnerable">v1.2.0</tag>
+      <tag state="vulnerable">v1.2.1</tag>
+      <tag state="vulnerable">v1.2.2</tag>
+      <tag state="vulnerable">v1.2.3</tag>
+      <tag state="vulnerable">v1.2.4</tag>
+      <tag state="vulnerable">v1.2.5</tag>
+      <tag state="vulnerable">v1.2.6</tag>
+      <tag state="vulnerable">v1.2.7</tag>
+      <tag state="vulnerable">v1.2.8</tag>
+      <tag state="vulnerable">v1.2.9</tag>
+      <tag state="vulnerable">v1.2.10</tag>
+      <tag state="vulnerable">v1.2.11</tag>
+      <tag state="vulnerable">v1.2.12</tag>
+      <tag state="vulnerable">v1.2.13</tag>
+      <tag state="vulnerable">v1.2.14</tag>
+      <tag state="vulnerable">v1.2.15</tag>
+      <tag state="vulnerable">v1.2.16</tag>
+      <tag state="vulnerable">v1.2.17</tag>
+      <tag state="vulnerable">v1.2.18</tag>
+      <tag state="vulnerable">v1.2.19</tag>
+      <tag state="vulnerable">v1.2.20</tag>
+      <tag state="vulnerable">v1.2.21</tag>
+      <tag state="vulnerable">v1.3.0</tag>
+      <tag state="vulnerable">v1.3.1</tag>
+      <tag state="vulnerable">v1.3.2</tag>
+      <tag state="vulnerable">v1.3.3</tag>
+      <tag state="vulnerable">v1.3.4</tag>
+      <tag state="vulnerable">v1.3.5</tag>
+      <tag state="vulnerable">v2.0.0</tag>
+      <tag state="vulnerable">v2.1.0</tag>
+      <tag state="vulnerable">v2.2.0</tag>
+      <tag state="vulnerable">v2.3.0</tag>
+      <tag state="vulnerable">v2.4.0</tag>
+      <tag state="vulnerable">v2.5.0</tag>
+      <tag state="vulnerable">v3.0.0</tag>
+      <tag state="vulnerable">v3.1.0</tag>
+      <tag state="vulnerable">v3.2.0</tag>
+      <tag state="vulnerable">v3.3.0</tag>
+      <tag state="vulnerable">v3.4.0</tag>
+      <tag state="vulnerable">v3.5.0</tag>
+      <tag state="vulnerable">v3.6.0</tag>
+      <tag state="vulnerable">v3.7.0</tag>
+      <tag state="vulnerable">v3.8.0</tag>
+      <tag state="vulnerable">v3.9.0</tag>
+      <tag state="vulnerable">v3.10.0</tag>
+      <tag state="vulnerable">v4.0.0</tag>
+      <tag state="fixed">v4.1.0</tag>
+      <change state="vulnerable">9ae41a71ac457994b7ca975e9eec7c3fc13ac101</change>
+      <change state="fixed">759b4d1b0fe5f4d84d98b99153dfa7ac289dd167</change>
+      <change state="fixed">c2dc6698c88fb591639e542c8ecb0076c54f3dfb</change>
+    </branch>
+    <branch>
+      <name>v0.9.6-maint</name>
+      <tag state="vulnerable">v0.9.6.1</tag>
+      <tag state="vulnerable">v0.9.6.2</tag>
+      <tag state="vulnerable">v0.9.6.3</tag>
+      <tag state="vulnerable">v0.9.6.4</tag>
+      <change state="vulnerable">9ae41a71ac457994b7ca975e9eec7c3fc13ac101</change>
+    </branch>
+    <branch>
+      <name>v0.9.11-maint</name>
+      <tag state="vulnerable">v0.9.11.1</tag>
+      <tag state="vulnerable">v0.9.11.2</tag>
+      <tag state="vulnerable">v0.9.11.3</tag>
+      <tag state="vulnerable">v0.9.11.4</tag>
+      <tag state="vulnerable">v0.9.11.5</tag>
+      <tag state="vulnerable">v0.9.11.6</tag>
+      <tag state="vulnerable">v0.9.11.7</tag>
+      <tag state="vulnerable">v0.9.11.8</tag>
+      <tag state="vulnerable">v0.9.11.9</tag>
+      <tag state="vulnerable">v0.9.11.10</tag>
+      <change state="vulnerable">9ae41a71ac457994b7ca975e9eec7c3fc13ac101</change>
+    </branch>
+    <branch>
+      <name>v0.9.12-maint</name>
+      <tag state="vulnerable">v0.9.12.1</tag>
+      <tag state="vulnerable">v0.9.12.2</tag>
+      <tag state="vulnerable">v0.9.12.3</tag>
+      <change state="vulnerable">9ae41a71ac457994b7ca975e9eec7c3fc13ac101</change>
+    </branch>
+    <branch>
+      <name>v0.10.2-maint</name>
+      <tag state="vulnerable">v0.10.2.1</tag>
+      <tag state="vulnerable">v0.10.2.2</tag>
+      <tag state="vulnerable">v0.10.2.3</tag>
+      <tag state="vulnerable">v0.10.2.4</tag>
+      <tag state="vulnerable">v0.10.2.5</tag>
+      <tag state="vulnerable">v0.10.2.6</tag>
+      <tag state="vulnerable">v0.10.2.7</tag>
+      <tag state="vulnerable">v0.10.2.8</tag>
+      <change state="vulnerable">9ae41a71ac457994b7ca975e9eec7c3fc13ac101</change>
+    </branch>
+    <branch>
+      <name>v1.0.5-maint</name>
+      <tag state="vulnerable">v1.0.5.1</tag>
+      <tag state="vulnerable">v1.0.5.2</tag>
+      <tag state="vulnerable">v1.0.5.3</tag>
+      <tag state="vulnerable">v1.0.5.4</tag>
+      <tag state="vulnerable">v1.0.5.5</tag>
+      <tag state="vulnerable">v1.0.5.6</tag>
+      <tag state="vulnerable">v1.0.5.7</tag>
+      <tag state="vulnerable">v1.0.5.8</tag>
+      <tag state="vulnerable">v1.0.5.9</tag>
+      <change state="vulnerable">9ae41a71ac457994b7ca975e9eec7c3fc13ac101</change>
+    </branch>
+    <branch>
+      <name>v1.1.3-maint</name>
+      <tag state="vulnerable">v1.1.3.1</tag>
+      <tag state="vulnerable">v1.1.3.2</tag>
+      <tag state="vulnerable">v1.1.3.3</tag>
+      <tag state="vulnerable">v1.1.3.4</tag>
+      <tag state="vulnerable">v1.1.3.5</tag>
+      <tag state="vulnerable">v1.1.3.6</tag>
+      <tag state="vulnerable">v1.1.3.7</tag>
+      <tag state="vulnerable">v1.1.3.8</tag>
+      <tag state="vulnerable">v1.1.3.9</tag>
+      <change state="vulnerable">9ae41a71ac457994b7ca975e9eec7c3fc13ac101</change>
+    </branch>
+    <branch>
+      <name>v1.2.9-maint</name>
+      <tag state="vulnerable">v1.2.9.1</tag>
+      <tag state="vulnerable">v1.2.9.2</tag>
+      <tag state="vulnerable">v1.2.9.3</tag>
+      <change state="vulnerable">9ae41a71ac457994b7ca975e9eec7c3fc13ac101</change>
+    </branch>
+    <branch>
+      <name>v1.2.13-maint</name>
+      <tag state="vulnerable">v1.2.13.1</tag>
+      <tag state="vulnerable">v1.2.13.2</tag>
+      <change state="vulnerable">9ae41a71ac457994b7ca975e9eec7c3fc13ac101</change>
+    </branch>
+    <branch>
+      <name>v1.2.18-maint</name>
+      <tag state="vulnerable">v1.2.18.1</tag>
+      <tag state="vulnerable">v1.2.18.2</tag>
+      <tag state="vulnerable">v1.2.18.3</tag>
+      <tag state="vulnerable">v1.2.18.4</tag>
+      <change state="vulnerable">9ae41a71ac457994b7ca975e9eec7c3fc13ac101</change>
+    </branch>
+    <branch>
+      <name>v1.3.3-maint</name>
+      <tag state="vulnerable">v1.3.3.1</tag>
+      <tag state="vulnerable">v1.3.3.2</tag>
+      <tag state="vulnerable">v1.3.3.3</tag>
+      <change state="vulnerable">9ae41a71ac457994b7ca975e9eec7c3fc13ac101</change>
+    </branch>
+    <branch>
+      <name>v2.2-maint</name>
+      <tag state="vulnerable">v2.2.1</tag>
+      <change state="vulnerable">9ae41a71ac457994b7ca975e9eec7c3fc13ac101</change>
+    </branch>
+    <branch>
+      <name>v3.2-maint</name>
+      <tag state="vulnerable">v3.2.1</tag>
+      <change state="vulnerable">9ae41a71ac457994b7ca975e9eec7c3fc13ac101</change>
+    </branch>
+  </product>
+
+</security-notice>
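Review bot: The `<description>` says only "container startup" and never names the affected driver, so a reader cannot tell from the notice alone whether a host running only QEMU guests needs to act. CVE-2018-6764 is, as far as I know, specific to the LXC driver; opening the text with `During LXC container startup it is possible that ...` would make triage easier. The `<impact>` text would also be easier to act on if it said with which privileges the module code runs, if the authors can state that. Separately, the CDATA continuation lines are indented with a tab followed by spaces while the rest of the file uses spaces only, which may be related to the syntax-check failure reported for this series.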
-- 
2.14.3

[libvirt] [PATCH security-notice 4/4] Add a script for generating a list of vulnerable tags & branches
Posted by Daniel P. Berrangé, 14 weeks ago
It is rather tedious making the list of vulnerable tags and branches
for the security notice reports. This script takes the changeset of
the commit that first introduced the flaw and then outputs an XML
snippet listing every tag and branch which contains that vulnerable
changeset. This can be copied straight into the security notice,
meaning we just have to then fill out details of which changeset
and tag fixed the flaw.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 scripts/report-vulnerable-tags.pl | 108 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 108 insertions(+)
 create mode 100644 scripts/report-vulnerable-tags.pl

diff --git a/scripts/report-vulnerable-tags.pl b/scripts/report-vulnerable-tags.pl
new file mode 100644
index 0000000..0b6ea6f
--- /dev/null
+++ b/scripts/report-vulnerable-tags.pl
@@ -0,0 +1,108 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use Sort::Versions;
+
+if (int(@ARGV) != 1) {
+    die "syntax: $0 CHANGESET\n";
+}
+
+my $changeset = shift @ARGV;
+
+sub get_tags {
+    my @args = @_;
+
+    my @tags;
+    open GIT, "-|", "git", "tag", @args or
+    die "cannot query 'git tags @args': $!\n";
+
+    while (<GIT>) {
+        chomp;
+
+        # Drop anything except  vN.N.N style tags
+        # where 'N' is only digits.
+        if (/^v(\d+)(\.\d+)+$/) {
+            push @tags, $_;
+        }
+    }
+
+    close GIT;
+
+    return @tags;
+}
+
+sub get_branch {
+    my $tag = shift;
+
+    my @branches;
+    open GIT, "-|", "git", "branch", "--all", "--contains", $tag or
+    die "cannot query 'git branch --all --contains $tag': $!\n";
+
+    while (<GIT>) {
+        chomp;
+
+        if (m,^\s*remotes/origin/(v.*-maint)$,) {
+            push @branches, $1;
+        }
+    }
+
+    close GIT;
+
+    return @branches;
+}
+
+my @branches;
+my %tags;
+my %branches;
+
+$branches{"master"} = [];
+# Most tags live on master so lets get them first
+for my $tag (get_tags("--contains", $changeset, "--merged", "master")) {
+    push @{$branches{"master"}}, $tag;
+    $tags{$tag} = 1;
+}
+push @branches, "master";
+
+# Now we need slower work to find branches for
+# few remaining tags
+for my $tag (get_tags("--contains", $changeset)) {
+
+    next if exists $tags{$tag};
+
+    my @tagbranches = get_branch($tag);
+    if (int(@tagbranches) == 0) {
+	if ($tag eq "v2.1.0") {
+	    @tagbranches = ("master")
+	} else {
+	    print "Tag $tag doesn't appear in any branch\n";
+	    next;
+	}
+    }
+
+    if (int(@tagbranches) > 1) {
+        print "Tag $tag appears in multiple branches\n";
+    }
+
+    unless (exists($branches{$tagbranches[0]})) {
+        $branches{$tagbranches[0]} = [];
+        push @branches, $tagbranches[0];
+    }
+    push @{$branches{$tagbranches[0]}}, $tag;
+}
+
+
+foreach my $branch (sort versioncmp @branches) {
+    print "    <branch>\n";
+    print "      <name>$branch</name>\n";
+    foreach my $tag (sort versioncmp @{$branches{$branch}}) {
+        print "      <tag state=\"vulnerable\">$tag</tag>\n";
+    }
+    print "      <change state=\"vulnerable\">$changeset</change>\n";
+
+    if ($branch eq "master") {
+	print "      <change state=\"fixed\"></change>\n";
+    }
+    print "    </branch>\n";
+}
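Review bot: Neither `get_tags` nor `get_branch` checks the result of `close GIT`, and for a handle opened with `-|` that is where a non-zero exit from git is reported. A mistyped or unknown changeset therefore yields a well-formed `<branch>` block for master with no tags rather than an error, and that block could be pasted into a notice as if it were complete. I would use `close GIT or die "git tag @args failed (wait status $?)\n";` in `get_tags`, with the equivalent in `get_branch`. I would also validate the argument before its first use with `die "invalid changeset '$changeset'\n" unless $changeset =~ /\A[0-9a-f]{7,40}\z/;`, which keeps a value beginning with `-` from being read by git as an option and keeps non-hex text out of the generated XML. The two "Tag $tag ..." diagnostics are printed to STDOUT and so end up interleaved with the XML snippet; `warn` would send them to STDERR.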
-- 
2.14.3
