rpms/libnbd
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update documentation for CVE-2021-20286.

Browse Source
This commit is contained in:
Richard W.M. Jones 2021-03-15 09:26:43 +00:00
parent 4aff44eced
commit 654f8d029d
2 changed files with 46 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
0001-security-Document-assignment-of-CVE-2021-20286.patch Normal file
View File

@ -0,0 +1,39 @@
From 40308a005eaa6b2e8f98da8952d0c0cacc51efde Mon Sep 17 00:00:00 2001
From: Eric Blake <eblake@redhat.com>
Date: Fri, 12 Mar 2021 17:00:58 -0600
Subject: [PATCH] security: Document assignment of CVE-2021-20286
Now that we finally have a CVE number, it's time to document
the problem (it's low severity, but still a denial of service).
Fixes: fb4440de9cc7 (opt_go: Tolerate unplanned server death)
---
docs/libnbd-security.pod | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod
index 876ef2f..3c994de 100644
--- a/docs/libnbd-security.pod
+++ b/docs/libnbd-security.pod
@@ -22,6 +22,12 @@ L<https://www.redhat.com/archives/libguestfs/2019-September/msg00128.html>
See the full announcement here:
L<https://www.redhat.com/archives/libguestfs/2019-October/msg00060.html>
+=head2 CVE-2021-20286
+denial of service when using L<nbd_set_opt_mode(3)>
+
+See the full announcement here:
+L<https://listman.redhat.com/archives/libguestfs/2021-March/msg00092.html>
+
=head1 SEE ALSO
L<libnbd(3)>.
@@ -34,4 +40,4 @@ Richard W.M. Jones
=head1 COPYRIGHT
-Copyright (C) 2019 Red Hat Inc.
+Copyright (C) 2019-2021 Red Hat Inc.
--
2.29.0.rc2

8
libnbd.spec
View File

@ -9,7 +9,7 @@
Name: libnbd Name: libnbd
Version: 1.7.3 Version: 1.7.3
Release: 2%{?dist} Release: 3%{?dist}
Summary: NBD client library in userspace Summary: NBD client library in userspace
License: LGPLv2+ License: LGPLv2+
@ -35,6 +35,9 @@ Patch0005: 0005-copy-file-ops.c-Fix-page-eviction-when-len-page_size.patch
# Upstream patch to fix nbdkit test suite. # Upstream patch to fix nbdkit test suite.
Patch0006: 0006-info-Let-exit-status-reflect-any-failures-during-NBD.patch Patch0006: 0006-info-Let-exit-status-reflect-any-failures-during-NBD.patch
# Upstream patch that documents CVE-2021-20286 (already fixed in 1.7.3).
Patch0007: 0001-security-Document-assignment-of-CVE-2021-20286.patch
%if 0%{patches_touch_autotools} %if 0%{patches_touch_autotools}
BuildRequires: autoconf, automake, libtool BuildRequires: autoconf, automake, libtool
%endif %endif
@ -311,6 +314,9 @@ make %{?_smp_mflags} check || {
%changelog %changelog
* Mon Mar 15 2021 Richard W.M. Jones <rjones@redhat.com> - 1.7.3-3
- Update documentation for CVE-2021-20286.
* Thu Mar 4 2021 Richard W.M. Jones <rjones@redhat.com> - 1.7.3-2 * Thu Mar 4 2021 Richard W.M. Jones <rjones@redhat.com> - 1.7.3-2
- Add fix for nbdkit test suite. - Add fix for nbdkit test suite.