       Libvirt Security Notice: LSN-2014-0002
       ======================================

       Summary: Missing access control check on events
   Reported on: 20140103
  Published on: 20140115
      Fixed on: 20140115
   Reported by: Eric Blake
    Patched by: Eric Blake
      See also: CVE-2014-0028

Description
-----------

The asynchronous events were not filtered based on any permission
check prior to being dispatched to the client. This could lead to
the client learning about the existence of domains that they are
not authorized to see.

Impact
------

A client can use events to learn of domains that they are not
authorized to see. Additionally, the client can use that object
to attempt other actions on the domain, such as starting or
stopping it.

Workaround
----------

Prevent untrusted clients from connecting to libvirtd

Affected product
----------------

         Name: libvirt
   Repository: https://gitlab.com/libvirt/libvirt

       Branch: master
    Broken in: v1.1.0
    Broken in: v1.1.1
    Broken in: v1.1.2
    Broken in: v1.1.3
    Broken in: v1.1.4
    Broken in: v1.2.0
     Fixed in: v1.2.1
    Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
     Fixed by: f9f56340539d609cdc2e9d4ab812b9f146c3f100

       Branch: v1.1.0-maint
    Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
     Fixed by: cdf29d950c247d06aaa69778238d7cc164c05291

       Branch: v1.1.1-maint
    Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
     Fixed by: 1d0e4fbf9572ad34045a4f9d87601297a5244c38

       Branch: v1.1.2-maint
    Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
     Fixed by: fb5a3190c6409897744a244c6e0d5e2d52d34b39

       Branch: v1.1.3-maint
    Broken in: v1.1.3.1
    Broken in: v1.1.3.2
     Fixed in: v1.1.3.3
    Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
     Fixed by: 51afa9a255d7a073373ad4533eff58bd819890e8

       Branch: v1.1.4-maint
    Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
     Fixed by: 7ccc13599652722d6aa000b61270c0786d610b9e

       Branch: v1.2.0-maint
    Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
     Fixed by: eb7ec2312ba968c745031c7432b4fd007cd52d3a
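
The class of flaw named in the Description, as an added example that is not libvirt's code: a hypothetical event bus in C where one function dispatches every event to every client and the other applies a per-client permission check immediately before dispatch. The struct and function names and the sample domains are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of an event bus; not libvirt's data structures. */
struct event  { const char *domain; const char *kind; };
struct client {
    const char *visible[4];  /* domains this client is authorized to see */
    size_t delivered;        /* events handed to this client so far */
};

/* Permission check: may this client learn that `domain` exists? */
static bool client_may_see(const struct client *c, const char *domain)
{
    for (size_t i = 0; i < 4 && c->visible[i]; i++)
        if (strcmp(c->visible[i], domain) == 0)
            return true;
    return false;
}

/* Flawed pattern: every registered client receives every event. */
size_t dispatch_unfiltered(struct client *cl, size_t n, const struct event *ev)
{
    (void)ev;                /* the event's domain is never consulted */
    for (size_t i = 0; i < n; i++)
        cl[i].delivered++;
    return n;
}

/* Corrected pattern: check each client's permission before dispatch. */
size_t dispatch_filtered(struct client *cl, size_t n, const struct event *ev)
{
    size_t sent = 0;
    for (size_t i = 0; i < n; i++) {
        if (!client_may_see(&cl[i], ev->domain))
            continue;        /* drop silently: no hint the domain exists */
        cl[i].delivered++;
        sent++;
    }
    return sent;
}

int main(void)
{   /* constructed sample: cl[0] is an admin, cl[1] a guest limited to web01 */
    struct client cl[2] = { { { "web01", "db01" }, 0 }, { { "web01" }, 0 } };
    struct event ev = { "db01", "started" };
    printf("filtered: delivered to %zu of 2 clients\n", dispatch_filtered(cl, 2, &ev));
    return 0;
}
```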