- Issued:
- 2012-01-17
- Updated:
- 2012-01-17
RHBA-2012:0013 - libvirt bug fix and enhancement update
Synopsis
libvirt bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Topic
Updated libvirt packages that fix multiple bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
Description
The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems.
These updated libvirt packages include multiple bug fixes and enhancements. The most significant changes are as follow:
- This update forces all libvirt managed KVM guests with virtio drives to run with the "scsi=off" option. This will prevent SCSI requests in guests being passed to underlying block devices on the host; however, a separate bug is preventing "scsi=off" from working correctly. A malicious, privileged guest user could issue a crafted request that would still be passed to the underlying block device.
A future qemu-kvm update will correct the "scsi=off" functionality, blocking such crafted requests, and allowing CVE-2011-4127 to be mitigated before the kernel update is applied.
As "scsi=off" may break legitimate pass through of SCSI requests, this update also adds a new value for the device attribute in the disk XML element, "lun". This type is like the default "disk" device, but will allow SCSI requests from guests to be passed to the underlying block device on the host. (Using the "lun" device attribute causes the guest to run with "scsi=on".)
Note: After installing the RHSA-2011:1849 kernel update, it will not be possible for guests to issue SCSI requests on virtio drives backed by partitions or LVM volumes, even if "device='lun'" is used. It will only be possible to issue SCSI requests on virtio drives backed by whole disks.
Refer to Red Hat Knowledgebase for details about CVE-2011-4127 (BZ#768469):
This content is not included.https://access.redhat.com/kb/docs/DOC-67874
-
This update adds support for VMware vSphere Hypervisor (ESXi) 5 installations. (BZ#759061)
-
The libvirt package was missing a dependency on the avahi package. The dependency is required due to mDNS support which is turned on by default. As a consequence, the libvirtd daemon failed to start if the libvirt package was installed on the system without Avahi. With this update, the dependency on avahi is now defined in the libvirt.spec file, and Avahi is installed along with libvirt. (BZ#770957)
Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.2 Technical Notes for information on these changes:
All users of libvirt are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
Solution
Before applying this update, make sure all previously-released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at This content is not included.https://access.redhat.com/kb/docs/DOC-11259
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Storage | 2.0 | x86_64 |
| Red Hat Storage for Public Cloud (via RHUI) | 2.0 | x86_64 |
| Red Hat Gluster Storage Server for On-premise | 2.0 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Extended Update Support | 6.2 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Extended Update Support | 6.2 | i386 |
| Red Hat Enterprise Linux for Scientific Computing | 6 | x86_64 |
| Red Hat Enterprise Linux for Power, big endian | 6 | ppc64 |
| Red Hat Enterprise Linux for Power, big endian - Extended Update Support | 6.2 | ppc64 |
| Red Hat Enterprise Linux for IBM z Systems | 6 | s390x |
| Red Hat Enterprise Linux for IBM z Systems - Extended Update Support | 6.2 | s390x |
| Red Hat Enterprise Linux Workstation | 6 | x86_64 |
| Red Hat Enterprise Linux Workstation | 6 | i386 |
| Red Hat Enterprise Linux Server | 6 | x86_64 |
| Red Hat Enterprise Linux Server | 6 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 6 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 6 | i386 |
| Red Hat Enterprise Linux Server - Retired Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Update Support from RHUI | 6.2 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Update Support from RHUI | 6.2 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Server - AUS | 6.2 | x86_64 |
| Red Hat Enterprise Linux Desktop | 6 | x86_64 |
| Red Hat Enterprise Linux Desktop | 6 | i386 |
Updated Packages
- libvirt-python-0.9.4-23.el6_2.4.i686.rpm
- libvirt-debuginfo-0.9.4-23.el6_2.4.ppc64.rpm
- libvirt-lock-sanlock-0.9.4-23.el6_2.4.i686.rpm
- libvirt-0.9.4-23.el6_2.4.s390x.rpm
- libvirt-debuginfo-0.9.4-23.el6_2.4.i686.rpm
- libvirt-0.9.4-23.el6_2.4.src.rpm
- libvirt-client-0.9.4-23.el6_2.4.i686.rpm
- libvirt-lock-sanlock-0.9.4-23.el6_2.4.x86_64.rpm
- libvirt-0.9.4-23.el6_2.4.ppc64.rpm
- libvirt-python-0.9.4-23.el6_2.4.ppc64.rpm
- libvirt-devel-0.9.4-23.el6_2.4.i686.rpm
- libvirt-client-0.9.4-23.el6_2.4.s390.rpm
- libvirt-devel-0.9.4-23.el6_2.4.s390.rpm
- libvirt-python-0.9.4-23.el6_2.4.s390x.rpm
- libvirt-0.9.4-23.el6_2.4.i686.rpm
- libvirt-client-0.9.4-23.el6_2.4.ppc64.rpm
- libvirt-devel-0.9.4-23.el6_2.4.x86_64.rpm
- libvirt-0.9.4-23.el6_2.4.x86_64.rpm
- libvirt-debuginfo-0.9.4-23.el6_2.4.x86_64.rpm
- libvirt-debuginfo-0.9.4-23.el6_2.4.ppc.rpm
- libvirt-python-0.9.4-23.el6_2.4.x86_64.rpm
- libvirt-client-0.9.4-23.el6_2.4.ppc.rpm
- libvirt-devel-0.9.4-23.el6_2.4.ppc64.rpm
- libvirt-devel-0.9.4-23.el6_2.4.s390x.rpm
- libvirt-client-0.9.4-23.el6_2.4.s390x.rpm
- libvirt-debuginfo-0.9.4-23.el6_2.4.s390.rpm
- libvirt-devel-0.9.4-23.el6_2.4.ppc.rpm
- libvirt-debuginfo-0.9.4-23.el6_2.4.s390x.rpm
- libvirt-client-0.9.4-23.el6_2.4.x86_64.rpm
Fixes
- This content is not included.BZ - 759061
- This content is not included.BZ - 769674
- This content is not included.BZ - 770957
- This content is not included.BZ - 770959
CVEs
References
- This content is not included.This content is not included.https://www.redhat.com/security/data/cve/CVE-2011-4127.html
- https://rhn.redhat.com/errata/RHSA-2011-1849.html
- This content is not included.This content is not included.https://access.redhat.com/kb/docs/DOC-67874
- https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.2_Technical_Notes/libvirt.html#RHBA-2012-0013
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.