During the month of July 2024 and on behalf of Freexian, I worked on the
following:

libvirt
-------
Submitted an os-pu for 7.0.0-3+deb11u3, fixing the following no-dsa
security issues:
* CVE-2021-3631: SELinux MCS may be accessed by another machine.
* CVE-2021-3667: Improper locking in the virStoragePoolLookupByTargetPath
API.
* CVE-2021-3975: Use-after-free vulnerability. The qemuMonitorUnregister()
function in qemuProcessHandleMonitorEOF is called using multiple threads
without being adequately protected by a monitor lock.
* CVE-2021-4147: Deadlock and crash in libxl driver.
* CVE-2022-0897: Missing locking in nwfilterConnectNumOfNWFilters.
* CVE-2024-1441: Off-by-one error in the udevListInterfacesByStatus() function.
* CVE-2024-2494: Missing check for negative array lengths in RPC server
de-serialization routines.
* CVE-2024-2496: NULL pointer dereference in the udevConnectListAllInterfaces()
function.

(For buster I had fixed these issues earlier in 5.0.0-4+deb10u2, see DLA-3778-1.)

Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
--
Guilhem.