
1.127.  libvirt

1.127.1.  RHSA-2009:0382: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:0382.
Updated libvirt packages that fix two security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
libvirt is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. libvirt also provides tools for remotely managing virtualized systems.
The libvirtd daemon was discovered to not properly check user connection permissions before performing certain privileged actions, such as requesting migration of an unprivileged guest domain to another system. A local user able to establish a read-only connection to libvirtd could use this flaw to perform actions that should be restricted to read-write connections. (CVE-2008-5086)
libvirt_proxy, a setuid helper application allowing non-privileged users to communicate with the hypervisor, was discovered to not properly validate user requests. Local users could use this flaw to cause a stack-based buffer overflow in libvirt_proxy, possibly allowing them to run arbitrary code with root privileges. (CVE-2009-0036)
All users are advised to upgrade to these updated packages, which contain backported patches which resolve these issues. After installing the update, libvirtd must be restarted manually (for example, by issuing a "service libvirtd restart" command) for this change to take effect.

1.127.2.  RHEA-2009:1269: bug fix and enhancement update

Updated libvirt packages that upgrade the libvirt library to upstream version 0.6.3, add KVM hypervisor and PCI pass-through support, and fix a number of bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remotely managing virtualized systems.
These updated packages upgrade the libvirt library for Red Hat Enterprise Linux 5 to upstream version 0.6.3, which contains a large number of enhancements and bug fixes over the previous version. Importantly, with this libvirt update, Red Hat Enterprise Linux 5.4 is the first release to provide support for the KVM hypervisor. Also present in this update are PCI pass-through ability and PCI hot plug support. See the "enhancements" section below for details. (BZ#475821)
For a more complete list of changes and bug fixes in libvirt releases, refer to http://libvirt.org/news.html.
These updated packages fix the following notable bugs:
  • the "virsh" and "xm" commands incorrectly passed the option "type=vbd" when either attaching or detaching TAP devices, which caused the command to fail. With this update, the correct type, "type=tap", is passed when TAP devices are attached or detached. (BZ#475791)
  • attempting to create a domain on a node using an iSCSI volume pool managed by libvirt failed with this error message:
    libvir: Remote error : socket closed unexpectedly
    error: Failed to create domain from create_guest.xml
    
    This has been fixed in these updated packages so that creating guests on an iSCSI volume pool succeeds as expected. (BZ#483310)
  • the "virsh" and "xm" commands incorrectly passed the option "type=vbd" when either attaching or detaching TAP devices, which caused the command to fail. With this update, the correct type, "type=tap", is passed when TAP devices are attached or detached. (BZ#483835)
  • occasionally, libvirt lost track of running domains, the command "virsh list" did not list those domains, and pid files still existed for the processes representing those domains. A fix to the libvirt event loop now ensures that libvirt is able to keep track of all running domains on the host. (BZ#499250)
  • due to a domain ID-handling error, the command "virsh destroy [domain-id]" could potentially terminate domains with IDs similar to the target. This has been corrected so that "virsh destroy [domain-id]" terminates only the target domain. (BZ#500158)
  • running the command "virsh dominfo [domain-id]" to acquire information about a running Xen domain resulted in this error message:
    error: this function is not supported by the hypervisor: virNodeGetSecurityModel
    
    This update fixes the dominfo subcommand so that it does not return an error message if the security model API is unimplemented. (BZ#506688)
  • right-clicking on a running domain in the virt-manager application and then choosing Shutdown -> Force Off incorrectly caused that domain ID to disappear from the virt-manager list of VMs. In addition, domains created with the virt-manager or virt-install applications were not listed in the GUI window until virt-manager was restarted or the newly-created guest was started. This issue was related to inotify support and has been fixed in these updated packages. (BZ#508278)
In addition, these updated packages provide the following enhancements:
  • PCI pass-through is a virtualization-related ability that is enabled by AMD's IOMMU and Intel's VT-d technologies. With PCI pass-through, PCI devices can be "passed through" the hypervisor (that is, bypassing it and locking it out) to an unprivileged domain, thereby allowing near-native performance of hardware devices, such as network cards, in guest domains. With this update, PCI pass-through is enabled for both Xen and KVM virtual machines. (BZ#471156, BZ#513317, BZ#496925, BZ#481757, BZ#481747)
Users are advised to upgrade to these updated libvirt packages, which resolve these issues and add these enhancements.
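The two advisories above leave an administrator with two things to verify on each host: that the installed libvirt package is at least upstream 0.6.3, and that libvirtd was actually restarted after the package was installed (the security fix is not in effect until it is). The script below is an added example, not part of the Red Hat advisory; it assumes a typical RHEL/CentOS 5 host with rpm, pidof and /proc available, and approximates the daemon's start time from the mtime of its /proc entry.

```shell
#!/bin/sh
# Added example (not from the advisory): post-update checks for libvirt.
# Assumptions: rpm, pidof and /proc exist; %{VERSION} is a dotted number.

# ver_ge A B: succeed (exit 0) when dotted numeric version A >= B.
ver_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"          # leading component of each
        if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"          # a missing component counts as 0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# restart_needed INSTALL_EPOCH DAEMON_START_EPOCH: succeed when the running
# libvirtd started before the package was installed (old code still loaded).
restart_needed() {
    [ "$2" -lt "$1" ]
}

# check_host: query the live system, print a verdict, return 1 on any failure.
check_host() {
    ver=$(rpm -q --qf '%{VERSION}' libvirt) || { echo "libvirt not installed"; return 1; }
    inst=$(rpm -q --qf '%{INSTALLTIME}' libvirt)
    rc=0
    if ver_ge "$ver" 0.6.3; then echo "libvirt $ver: OK (>= 0.6.3)"
    else echo "libvirt $ver: older than 0.6.3, update required"; rc=1; fi
    pid=$(pidof libvirtd) || { echo "libvirtd not running"; return 1; }
    pid="${pid%% *}"                          # first pid if several are listed
    start=$(stat -c %Y "/proc/$pid")          # /proc entry mtime ~ start time (assumption)
    if restart_needed "$inst" "$start"; then
        echo "libvirtd (pid $pid) predates the package install: service libvirtd restart"
        rc=1
    else echo "libvirtd restarted after install: OK"; fi
    return $rc
}

# Only touch the live host when invoked as: sh check_libvirt.sh --live
if [ "${1:-}" = "--live" ]; then check_host; exit $?; fi
```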

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.