Security update for libvirt

Announcement ID:	SUSE-SU-2018:0838-1
Rating:	important
References:	bsc#1055365 bsc#1076500 bsc#1079869 bsc#1083061 bsc#1083625
Cross-References:	CVE-2017-5715 CVE-2018-1064 CVE-2018-5748
CVSS scores:	CVE-2017-5715 ( SUSE ): 7.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVE-2017-5715 ( NVD ): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2017-5715 ( NVD ): 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2018-1064 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-1064 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-5748 ( SUSE ): 2.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L CVE-2018-5748 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SLES for SAP Applications 11-SP4 SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4

An update that solves three vulnerabilities and has two security fixes can now be installed.

Description:

This update for libvirt fixes the following issues:

Security issues fixed:

• CVE-2017-5715: Fixes for speculative side channel attacks aka "SpectreAttack" (var2) (bsc#1079869).
• CVE-2018-1064: Fixed denial of service when reading from guest agent (bsc#1083625).
• CVE-2018-5748: Fixed possible denial of service when reading from QEMU monitor (bsc#1076500).

Non-security issues fixed:

• bsc#1083061: Fixed 'dumpxml --migratable' exports domain id in output on SLES11 SP4.
• bsc#1055365: Improve performance when listing hundreds of interfaces.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Software Development Kit 11 SP4
  zypper in -t patch sdksp4-libvirt-13538=1
• SUSE Linux Enterprise Server 11 SP4
  zypper in -t patch slessp4-libvirt-13538=1
• SLES for SAP Applications 11-SP4
  zypper in -t patch slessp4-libvirt-13538=1

Package List:

• SUSE Linux Enterprise Software Development Kit 11 SP4 (s390x x86_64 i586 ppc64 ia64)
  • libvirt-devel-1.2.5-23.6.1
• SUSE Linux Enterprise Software Development Kit 11 SP4 (x86_64)
  • libvirt-devel-32bit-1.2.5-23.6.1
• SUSE Linux Enterprise Server 11 SP4 (s390x x86_64 i586 ppc64 ia64)
  • libvirt-lock-sanlock-1.2.5-23.6.1
  • libvirt-1.2.5-23.6.1
  • libvirt-client-1.2.5-23.6.1
  • libvirt-doc-1.2.5-23.6.1
• SUSE Linux Enterprise Server 11 SP4 (ppc64 s390x x86_64)
  • libvirt-client-32bit-1.2.5-23.6.1
• SLES for SAP Applications 11-SP4 (ppc64 x86_64)
  • libvirt-lock-sanlock-1.2.5-23.6.1
  • libvirt-doc-1.2.5-23.6.1
  • libvirt-1.2.5-23.6.1
  • libvirt-client-1.2.5-23.6.1
  • libvirt-client-32bit-1.2.5-23.6.1

References:

• https://www.suse.com/security/cve/CVE-2017-5715.html
• https://www.suse.com/security/cve/CVE-2018-1064.html
• https://www.suse.com/security/cve/CVE-2018-5748.html
• https://bugzilla.suse.com/show_bug.cgi?id=1055365
• https://bugzilla.suse.com/show_bug.cgi?id=1076500
• https://bugzilla.suse.com/show_bug.cgi?id=1079869
• https://bugzilla.suse.com/show_bug.cgi?id=1083061
• https://bugzilla.suse.com/show_bug.cgi?id=1083625