[PATCH] NEWS: mention CVE-2020-25637 in v6.8.0 release notes

Mauro Matteo Cascella posted 1 patch 3 years, 5 months ago
Test syntax-check failed
Patches applied successfully
git fetch https://github.com/patchew-project/libvirt tags/patchew/20201002110935.267385-1-mcascell@redhat.com
NEWS.rst | 8 ++++++++
1 file changed, 8 insertions(+)
[PATCH] NEWS: mention CVE-2020-25637 in v6.8.0 release notes
Posted by Mauro Matteo Cascella 3 years, 5 months ago
---
 NEWS.rst | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/NEWS.rst b/NEWS.rst
index de46cac8c5..f6074d9fe8 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -27,6 +27,14 @@ v6.9.0 (unreleased)
 v6.8.0 (2020-10-01)
 ===================
 
+* **Security**
+
+  * qemu: double free in qemuAgentGetInterfaces() in qemu_agent.c
+
+    Clients connecting to the read-write socket with limited ACL permissions
+    may be able to crash the libvirt daemon, resulting in a denial of service,
+    or potentially escalate their privileges on the system. CVE-2020-25637.
+
 * **New features**
 
   * xen: Add ``writeFiltering`` attribute for PCI devices
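
Review bot: In the new **Security** item under v6.8.0, the title "qemu: double free in qemuAgentGetInterfaces() in qemu_agent.c" names the bug but not that this release fixes it, so a reader can take it as an open issue in 6.8.0; consider "qemu: fix double free in ..." or a closing sentence stating that the release contains the fix. The function and file names could also use the double-backtick literal markup that the neighbouring entry uses for ``writeFiltering``, and the trailing "CVE-2020-25637." fragment would be easier to search for if the CVE ID sat in the item title or in a full sentence.
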
-- 
2.26.2

Re: [PATCH] NEWS: mention CVE-2020-25637 in v6.8.0 release notes
Posted by Ján Tomko 3 years, 5 months ago
On a Friday in 2020, Mauro Matteo Cascella wrote:
>---

A 'Signed-off-by' line to indicate your compliance with the Developer
Certificate of Origin is required:
https://libvirt.org/hacking.html#developer-certificate-of-origin

(You can reply to this thread with that line, no need to resend the
patch)

> NEWS.rst | 8 ++++++++
> 1 file changed, 8 insertions(+)
>

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano
Re: [PATCH] NEWS: mention CVE-2020-25637 in v6.8.0 release notes
Posted by Mauro Matteo Cascella 3 years, 5 months ago
Thanks for noticing. I actually followed the instructions at [1] and
forgot to sign the commit. I will send another patch to add a
reference on that page as well.

[1] https://libvirt.org/submitting-patches.html

Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>

On Fri, Oct 2, 2020 at 1:26 PM Ján Tomko <jtomko@redhat.com> wrote:
>
> On a Friday in 2020, Mauro Matteo Cascella wrote:
> >---
>
> A 'Signed-off-by' line to indicate your compliance with the Developer
> Certificate of Origin is required:
> https://libvirt.org/hacking.html#developer-certificate-of-origin
>
> (You can reply to this thread with that line, no need to resend the
> patch)
>
> > NEWS.rst | 8 ++++++++
> > 1 file changed, 8 insertions(+)
> >
>
> Reviewed-by: Ján Tomko <jtomko@redhat.com>
>
> Jano



-- 
Mauro Matteo Cascella, Red Hat Product Security
6F78 E20B 5935 928C F0A8  1A9D 4E55 23B8 BB34 10B0