From: Tobias Geerinckx-Rice via Bug reports for GNU Guix
Subject: bug#36634: Virtual Machine Manager (virt-manager)
Date: Mon, 23 Sep 2019 06:30:14 +0200
Message-ID: <87y2yf1vop.fsf@nckx>
In-reply-to: <87wodzir88.fsf@gmail.com>
To: Christopher Baines, 36634@debbugs.gnu.org, Chris Marusich

Chrisen,

Chris Marusich wrote:
> In the meantime, should we revert to version 5.4.0 in Guix? I'm not
> sure if there are any security vulnerabilities between 5.4.0 and the
> most recent release, but this bug is currently preventing me from
> creating any VMs at all in Guix using virt-manager, which is pretty bad.

Yes! (which is why I originally updated this package):

  v5.5.0 (2019-07-02)
    Security
      api: Prevent access to several APIs over read-only connections
        Certain APIs give root-equivalent access to the host,
        and as such should be limited to privileged users.
        CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168.

  https://libvirt.org/news.html

It might be easy to backport. I didn't try, and I no longer use
libvirt myself.

What's weird (maybe; I haven't kept up with the thread) is that I
used libvirt 5.5.0 (and yes, it was 5.5.0) for a while without
problems. I don't remember whether I created any *new* VMs,
though.

Kind regards,

T G-R