CVE-2014-0028

NameCVE-2014-0028
Descriptionlibvirt 1.1.1 through 1.2.0 allows context-dependent attackers to bypass the domain:getattr and connect:search_domains restrictions in ACLs and obtain sensitive domain object information via a request to the (1) virConnectDomainEventRegister and (2) virConnectDomainEventRegisterAny functions in the event registration API.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libvirt (PTS)stretch3.0.0-4+deb9u4fixed
stretch (security)3.0.0-4+deb9u5fixed
buster5.0.0-4+deb10u1fixed
bullseye7.0.0-3fixed
bookworm, sid8.4.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libvirtsourcesqueeze(not affected)
libvirtsourcewheezy(not affected)
libvirtsource(unstable)1.2.1-1

Notes

[squeeze] - libvirt <not-affected> (Introduced in 1.1.1)
[wheezy] - libvirt <not-affected> (Introduced in 1.1.1)
https://www.redhat.com/archives/libvir-list/2014-January/msg00684.html

Search for package or bug name: Reporting problems