Bug 1253882 (CVE-2015-5201)
Summary: | CVE-2015-5201 RHEV: vdsm spice disable-ticketing and VM suspend and restore allows auth bypass | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | acathrow, alonbl, bazulay, berrange, bmcclain, chrisw, dblechte, eblake, ecohen, fdeutsch, gklein, idith, iheim, jdenemar, jsuchane, knoel, kseifried, lpeer, lsurette, michal.skrivanek, nlevinki, nobody, pkrempa, pstehlik, rbalakri, rfortier, security-response-team, sgirijan, shtripat, sisharma, smohan, ssaha, vbellur, ycui, yeylon
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2015-12-23 04:14:49 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1234197, 1254164 | |
Bug Blocks: | 1253883 | |
Description

Kurt Seifried 2015-08-15 00:36:01 UTC

Acknowledgement: This issue was discovered by Michal Skrivanek of Red Hat.

Not sure if this is going into 3.4.5.1 or 3.5.5; either way 3.4.5 is still not out, so it's a moot point right now.

*** Bug 1254661 has been marked as a duplicate of this bug. ***

The libvirt side of this is not a security issue, but the libvirt interaction with vdsm is a problem.

As for the libvirt side, all patches fixing the issue are already upstream and backported in the 7.1.z counterpart (bug 1255859). Please advise how we should proceed. Is it possible to release the fix in the next z-stream batch release (end of 2015-09)?

(In reply to Jaroslav Suchanek from comment #5)
> As for the libvirt side, all patches fixing the issue are already upstream
> and backported in the 7.1.z counterpart (bug 1255859).
>
> Please advise how we should proceed. Is it possible to release the fix in
> the next z-stream batch release (end of 2015-09)?

That's fine by me. I have no real say over what happens with non-security bugs, though, but obviously would appreciate this being fixed sooner rather than later. Michal, do you know if any additional patches from the vdsm side are required to fix this?

No, just "Requires:", done in https://gerrit.ovirt.org/#/c/46214/ (corresponding bug 1262783).

Statement: This issue was fixed in RHSA-2015-2527 (https://rhn.redhat.com/errata/RHEA-2015-2527.html) in the rhev-hypervisor package.