CVE-2019-20485

Priority
Description
qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a
monitor job during a query to a guest agent, which allows attackers to
cause a denial of service (API blockage).
Notes
mdeslaur: it appears this CVE is only for the suspend job because it is
the only one that doesn't require write permissions
intrusive backport to bionic and earlier due to lack of
qemuDomainAgentJob
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): needed
Ubuntu 14.04 ESM (Trusty Tahr): needed
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 20.04 LTS (Focal Fossa): not-affected (6.0.0-0ubuntu4)
Ubuntu 20.10 (Groovy Gorilla): not-affected (6.0.0-0ubuntu4)
Patches:
Upstream: https://libvirt.org/git/?p=libvirt.git;a=commit;h=cc1d1dbbd5fa18876a5ca8ac99a991b32ad49409 (bp)
Upstream: https://libvirt.org/git/?p=libvirt.git;a=commit;h=a663a860819287e041c3de672aad1d8543098ecc
More Information

Updated: 2020-09-09 23:08:26 UTC (commit b67d7d8b03f173f825cd706df5bd078bca500b0e)