BLSA-2018:0020 – [Important] libvirt security update



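  • Problem description

    The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

    An industry-wide issue was found in the way many modern microprocessor designs implement speculative execution of load and store instructions (a commonly used performance optimization). It relies on the presence of a precisely defined instruction sequence in privileged code, and on the fact that a memory read from an address that was recently written may see the older value and subsequently cause an update to the microprocessor's data cache, even for speculatively executed instructions that never actually commit. As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639)

    Note: This is the libvirt-side mitigation for CVE-2018-3639.

    Affected versions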

    • BigCloud Enterprise Linux 7.3
    • BigCloud Enterprise Linux 7.2
    • Red Hat Enterprise Linux 7.3
    • Red Hat Enterprise Linux 7.2
    • CentOS Linux 7.3
    • CentOS Linux 7.2

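    Details

    Security fixes

    [CVE-2018-3639 [Important]]

    Solution

    The official BCLinux repositories now provide updated libvirt packages. Affected BCLinux 7.2 client users need to upgrade to libvirt-1.2.17-13.el7_2.8.x86_64, and affected BCLinux 7.3 client users need to upgrade to libvirt-2.0.0-10.el7_3.12.x86_64.

    1. Check the YUM repository settings and make sure the official BCLinux YUM repositories are in use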

    [root@BCLinux7 ~]# ls -l /etc/yum.repos.d/
    total 24
    -rw-r--r--. 1 root root  970 Mar 29 04:26 BCLinux-Base.repo
    -rw-r--r--. 1 root root 1512 Apr  9  2017 BCLinux-CR.repo
    -rw-r--r--. 1 root root  676 Apr  9  2017 BCLinux-Debuginfo.repo
    -rw-r--r--. 1 root root 1220 Apr  9  2017 BCLinux-Kernel.repo
    -rw-r--r--. 1 root root 1027 Apr  9  2017 BCLinux-Source.repo
    -rw-r--r--. 1 root root  807 Apr  9  2017 BigCloud.repo
    
    

    2. Install the update

    7.2 upgrade example

    [root@BCLinux7_2 ~]# yum update libvirt
    Loaded plugins: fastestmirror, langpacks
    Loading mirror speeds from cached hostfile
    Resolving Dependencies
    --> Running transaction check
    ---> Package libvirt.x86_64 0:1.2.17-13.el7 will be updated
    ---> Package libvirt.x86_64 0:1.2.17-13.el7_2.8 will be an update
    --> Processing Dependency: libvirt-daemon-driver-storage = 1.2.17-13.el7_2.8 for package: libvirt-1.2.17-13.el7_2.8.x86_64
    --> Processing Dependency: libvirt-daemon-driver-secret = 1.2.17-13.el7_2.8 for package: libvirt-1.2.17-13.el7_2.8.x86_64
    --> Processing Dependency: libvirt-daemon-driver-qemu = 1.2.17-13.el7_2.8 for package: libvirt-1.2.17-13.el7_2.8.x86_64
    --> Processing Dependency: libvirt-daemon-driver-nwfilter = 1.2.17-13.el7_2.8 for package: libvirt-1.2.17-13.el7_2.8.x86_64
    --> Processing Dependency: libvirt-daemon-driver-nodedev = 1.2.17-13.el7_2.8 for package: libvirt-1.2.17-13.el7_2.8.x86_64
    --> Processing Dependency: libvirt-daemon-driver-network = 1.2.17-13.el7_2.8 for package: libvirt-1.2.17-13.el7_2.8.x86_64
    --> Processing Dependency: libvirt-daemon-driver-lxc = 1.2.17-13.el7_2.8 for package: libvirt-1.2.17-13.el7_2.8.x86_64
    --> Processing Dependency: libvirt-daemon-driver-interface = 1.2.17-13.el7_2.8 for package: libvirt-1.2.17-13.el7_2.8.x86_64
    --> Processing Dependency: libvirt-daemon-config-nwfilter = 1.2.17-13.el7_2.8 for package: libvirt-1.2.17-13.el7_2.8.x86_64
    --> Processing Dependency: libvirt-daemon-config-network = 1.2.17-13.el7_2.8 for package: libvirt-1.2.17-13.el7_2.8.x86_64
    --> Processing Dependency: libvirt-daemon = 1.2.17-13.el7_2.8 for package: libvirt-1.2.17-13.el7_2.8.x86_64
    --> Processing Dependency: libvirt-client = 1.2.17-13.el7_2.8 for package: libvirt-1.2.17-13.el7_2.8.x86_64
    --> Running transaction check
    ---> Package libvirt-client.x86_64 0:1.2.17-13.el7 will be updated
    ---> Package libvirt-client.x86_64 0:1.2.17-13.el7_2.8 will be an update
    ---> Package libvirt-daemon.x86_64 0:1.2.17-13.el7 will be updated
    --> Processing Dependency: libvirt-daemon = 1.2.17-13.el7 for package: libvirt-daemon-kvm-1.2.17-13.el7.x86_64
    ---> Package libvirt-daemon.x86_64 0:1.2.17-13.el7_2.8 will be an update
    ---> Package libvirt-daemon-config-network.x86_64 0:1.2.17-13.el7 will be updated
    ---> Package libvirt-daemon-config-network.x86_64 0:1.2.17-13.el7_2.8 will be an update
    ---> Package libvirt-daemon-config-nwfilter.x86_64 0:1.2.17-13.el7 will be updated
    ---> Package libvirt-daemon-config-nwfilter.x86_64 0:1.2.17-13.el7_2.8 will be an update
    ---> Package libvirt-daemon-driver-interface.x86_64 0:1.2.17-13.el7 will be updated
    ---> Package libvirt-daemon-driver-interface.x86_64 0:1.2.17-13.el7_2.8 will be an update
    ---> Package libvirt-daemon-driver-lxc.x86_64 0:1.2.17-13.el7 will be updated
    ---> Package libvirt-daemon-driver-lxc.x86_64 0:1.2.17-13.el7_2.8 will be an update
    ---> Package libvirt-daemon-driver-network.x86_64 0:1.2.17-13.el7 will be updated
    ---> Package libvirt-daemon-driver-network.x86_64 0:1.2.17-13.el7_2.8 will be an update
    ---> Package libvirt-daemon-driver-nodedev.x86_64 0:1.2.17-13.el7 will be updated
    ---> Package libvirt-daemon-driver-nodedev.x86_64 0:1.2.17-13.el7_2.8 will be an update
    ---> Package libvirt-daemon-driver-nwfilter.x86_64 0:1.2.17-13.el7 will be updated
    ---> Package libvirt-daemon-driver-nwfilter.x86_64 0:1.2.17-13.el7_2.8 will be an update
    ---> Package libvirt-daemon-driver-qemu.x86_64 0:1.2.17-13.el7 will be updated
    ---> Package libvirt-daemon-driver-qemu.x86_64 0:1.2.17-13.el7_2.8 will be an update
    ---> Package libvirt-daemon-driver-secret.x86_64 0:1.2.17-13.el7 will be updated
    ---> Package libvirt-daemon-driver-secret.x86_64 0:1.2.17-13.el7_2.8 will be an update
    ---> Package libvirt-daemon-driver-storage.x86_64 0:1.2.17-13.el7 will be updated
    ---> Package libvirt-daemon-driver-storage.x86_64 0:1.2.17-13.el7_2.8 will be an update
    --> Running transaction check
    ---> Package libvirt-daemon-kvm.x86_64 0:1.2.17-13.el7 will be updated
    ---> Package libvirt-daemon-kvm.x86_64 0:1.2.17-13.el7_2.8 will be an update
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ==============================================================================================================================================================================================================================================================================
     Package                                                                          Arch                                                    Version                                                              Repository                                                Size
    ==============================================================================================================================================================================================================================================================================
    Updating:
     libvirt                                                                          x86_64                                                  1.2.17-13.el7_2.8                                                    updates                                                  120 k
    Updating for dependencies:
     libvirt-client                                                                   x86_64                                                  1.2.17-13.el7_2.8                                                    updates                                                  4.3 M
     libvirt-daemon                                                                   x86_64                                                  1.2.17-13.el7_2.8                                                    updates                                                  586 k
     libvirt-daemon-config-network                                                    x86_64                                                  1.2.17-13.el7_2.8                                                    updates                                                  121 k
     libvirt-daemon-config-nwfilter                                                   x86_64                                                  1.2.17-13.el7_2.8                                                    updates                                                  123 k
     libvirt-daemon-driver-interface                                                  x86_64                                                  1.2.17-13.el7_2.8                                                    updates                                                  163 k
     libvirt-daemon-driver-lxc                                                        x86_64                                                  1.2.17-13.el7_2.8                                                    updates                                                  749 k
     libvirt-daemon-driver-network                                                    x86_64                                                  1.2.17-13.el7_2.8                                                    updates                                                  304 k
     libvirt-daemon-driver-nodedev                                                    x86_64                                                  1.2.17-13.el7_2.8                                                    updates                                                  162 k
     libvirt-daemon-driver-nwfilter                                                   x86_64                                                  1.2.17-13.el7_2.8                                                    updates                                                  186 k
     libvirt-daemon-driver-qemu                                                       x86_64                                                  1.2.17-13.el7_2.8                                                    updates                                                  572 k
     libvirt-daemon-driver-secret                                                     x86_64                                                  1.2.17-13.el7_2.8                                                    updates                                                  156 k
     libvirt-daemon-driver-storage                                                    x86_64                                                  1.2.17-13.el7_2.8                                                    updates                                                  329 k
     libvirt-daemon-kvm                                                               x86_64                                                  1.2.17-13.el7_2.8                                                    updates                                                  119 k
    
    Transaction Summary
    ==============================================================================================================================================================================================================================================================================
    Upgrade  1 Package (+13 Dependent packages)
    
    Total download size: 7.9 M
    Is this ok [y/d/N]: 
    
    

    7.3 upgrade example

    [root@BCLinux7_3 ~]# yum update libvirt
    Loaded plugins: fastestmirror, langpacks
    Loading mirror speeds from cached hostfile
    Resolving Dependencies
    --> Running transaction check
    ---> Package libvirt.x86_64 0:2.0.0-10.el7 will be updated
    ---> Package libvirt.x86_64 0:2.0.0-10.el7_3.12 will be an update
    --> Processing Dependency: libvirt-daemon-driver-storage = 2.0.0-10.el7_3.12 for package: libvirt-2.0.0-10.el7_3.12.x86_64
    --> Processing Dependency: libvirt-daemon-driver-secret = 2.0.0-10.el7_3.12 for package: libvirt-2.0.0-10.el7_3.12.x86_64
    --> Processing Dependency: libvirt-daemon-driver-qemu = 2.0.0-10.el7_3.12 for package: libvirt-2.0.0-10.el7_3.12.x86_64
    --> Processing Dependency: libvirt-daemon-driver-nwfilter = 2.0.0-10.el7_3.12 for package: libvirt-2.0.0-10.el7_3.12.x86_64
    --> Processing Dependency: libvirt-daemon-driver-nodedev = 2.0.0-10.el7_3.12 for package: libvirt-2.0.0-10.el7_3.12.x86_64
    --> Processing Dependency: libvirt-daemon-driver-network = 2.0.0-10.el7_3.12 for package: libvirt-2.0.0-10.el7_3.12.x86_64
    --> Processing Dependency: libvirt-daemon-driver-lxc = 2.0.0-10.el7_3.12 for package: libvirt-2.0.0-10.el7_3.12.x86_64
    --> Processing Dependency: libvirt-daemon-driver-interface = 2.0.0-10.el7_3.12 for package: libvirt-2.0.0-10.el7_3.12.x86_64
    --> Processing Dependency: libvirt-daemon-config-nwfilter = 2.0.0-10.el7_3.12 for package: libvirt-2.0.0-10.el7_3.12.x86_64
    --> Processing Dependency: libvirt-daemon-config-network = 2.0.0-10.el7_3.12 for package: libvirt-2.0.0-10.el7_3.12.x86_64
    --> Processing Dependency: libvirt-daemon = 2.0.0-10.el7_3.12 for package: libvirt-2.0.0-10.el7_3.12.x86_64
    --> Processing Dependency: libvirt-client = 2.0.0-10.el7_3.12 for package: libvirt-2.0.0-10.el7_3.12.x86_64
    --> Running transaction check
    ---> Package libvirt-client.x86_64 0:2.0.0-10.el7 will be updated
    ---> Package libvirt-client.x86_64 0:2.0.0-10.el7_3.12 will be an update
    ---> Package libvirt-daemon.x86_64 0:2.0.0-10.el7 will be updated
    --> Processing Dependency: libvirt-daemon = 2.0.0-10.el7 for package: libvirt-daemon-kvm-2.0.0-10.el7.x86_64
    ---> Package libvirt-daemon.x86_64 0:2.0.0-10.el7_3.12 will be an update
    ---> Package libvirt-daemon-config-network.x86_64 0:2.0.0-10.el7 will be updated
    ---> Package libvirt-daemon-config-network.x86_64 0:2.0.0-10.el7_3.12 will be an update
    ---> Package libvirt-daemon-config-nwfilter.x86_64 0:2.0.0-10.el7 will be updated
    ---> Package libvirt-daemon-config-nwfilter.x86_64 0:2.0.0-10.el7_3.12 will be an update
    ---> Package libvirt-daemon-driver-interface.x86_64 0:2.0.0-10.el7 will be updated
    ---> Package libvirt-daemon-driver-interface.x86_64 0:2.0.0-10.el7_3.12 will be an update
    ---> Package libvirt-daemon-driver-lxc.x86_64 0:2.0.0-10.el7 will be updated
    ---> Package libvirt-daemon-driver-lxc.x86_64 0:2.0.0-10.el7_3.12 will be an update
    ---> Package libvirt-daemon-driver-network.x86_64 0:2.0.0-10.el7 will be updated
    ---> Package libvirt-daemon-driver-network.x86_64 0:2.0.0-10.el7_3.12 will be an update
    ---> Package libvirt-daemon-driver-nodedev.x86_64 0:2.0.0-10.el7 will be updated
    ---> Package libvirt-daemon-driver-nodedev.x86_64 0:2.0.0-10.el7_3.12 will be an update
    ---> Package libvirt-daemon-driver-nwfilter.x86_64 0:2.0.0-10.el7 will be updated
    ---> Package libvirt-daemon-driver-nwfilter.x86_64 0:2.0.0-10.el7_3.12 will be an update
    ---> Package libvirt-daemon-driver-qemu.x86_64 0:2.0.0-10.el7 will be updated
    ---> Package libvirt-daemon-driver-qemu.x86_64 0:2.0.0-10.el7_3.12 will be an update
    ---> Package libvirt-daemon-driver-secret.x86_64 0:2.0.0-10.el7 will be updated
    ---> Package libvirt-daemon-driver-secret.x86_64 0:2.0.0-10.el7_3.12 will be an update
    ---> Package libvirt-daemon-driver-storage.x86_64 0:2.0.0-10.el7 will be updated
    ---> Package libvirt-daemon-driver-storage.x86_64 0:2.0.0-10.el7_3.12 will be an update
    --> Running transaction check
    ---> Package libvirt-daemon-kvm.x86_64 0:2.0.0-10.el7 will be updated
    ---> Package libvirt-daemon-kvm.x86_64 0:2.0.0-10.el7_3.12 will be an update
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ==============================================================================================================================================================================================================================================================================
     Package                                                                          Arch                                                    Version                                                              Repository                                                Size
    ==============================================================================================================================================================================================================================================================================
    Updating:
     libvirt                                                                          x86_64                                                  2.0.0-10.el7_3.12                                                    updates                                                  143 k
    Updating for dependencies:
     libvirt-client                                                                   x86_64                                                  2.0.0-10.el7_3.12                                                    updates                                                  4.3 M
     libvirt-daemon                                                                   x86_64                                                  2.0.0-10.el7_3.12                                                    updates                                                  725 k
     libvirt-daemon-config-network                                                    x86_64                                                  2.0.0-10.el7_3.12                                                    updates                                                  144 k
     libvirt-daemon-config-nwfilter                                                   x86_64                                                  2.0.0-10.el7_3.12                                                    updates                                                  146 k
     libvirt-daemon-driver-interface                                                  x86_64                                                  2.0.0-10.el7_3.12                                                    updates                                                  186 k
     libvirt-daemon-driver-lxc                                                        x86_64                                                  2.0.0-10.el7_3.12                                                    updates                                                  811 k
     libvirt-daemon-driver-network                                                    x86_64                                                  2.0.0-10.el7_3.12                                                    updates                                                  341 k
     libvirt-daemon-driver-nodedev                                                    x86_64                                                  2.0.0-10.el7_3.12                                                    updates                                                  185 k
     libvirt-daemon-driver-nwfilter                                                   x86_64                                                  2.0.0-10.el7_3.12                                                    updates                                                  209 k
     libvirt-daemon-driver-qemu                                                       x86_64                                                  2.0.0-10.el7_3.12                                                    updates                                                  621 k
     libvirt-daemon-driver-secret                                                     x86_64                                                  2.0.0-10.el7_3.12                                                    updates                                                  176 k
     libvirt-daemon-driver-storage                                                    x86_64                                                  2.0.0-10.el7_3.12                                                    updates                                                  380 k
     libvirt-daemon-kvm                                                               x86_64                                                  2.0.0-10.el7_3.12                                                    updates                                                  142 k
    
    Transaction Summary
    ==============================================================================================================================================================================================================================================================================
    Upgrade  1 Package (+13 Dependent packages)
    
    Total download size: 8.4 M
    Is this ok [y/d/N]: 
    
    

    3. Verify

    7.2 verification example

    [root@BCLinux7_2 ~]# rpm -qa|grep libvirt
    libvirt-daemon-driver-network-1.2.17-13.el7_2.8.x86_64
    libvirt-daemon-driver-interface-1.2.17-13.el7_2.8.x86_64
    libvirt-daemon-driver-lxc-1.2.17-13.el7_2.8.x86_64
    libvirt-daemon-1.2.17-13.el7_2.8.x86_64
    libvirt-daemon-driver-nwfilter-1.2.17-13.el7_2.8.x86_64
    libvirt-daemon-driver-storage-1.2.17-13.el7_2.8.x86_64
    libvirt-daemon-driver-secret-1.2.17-13.el7_2.8.x86_64
    libvirt-daemon-config-nwfilter-1.2.17-13.el7_2.8.x86_64
    libvirt-daemon-config-network-1.2.17-13.el7_2.8.x86_64
    libvirt-daemon-kvm-1.2.17-13.el7_2.8.x86_64
    libvirt-client-1.2.17-13.el7_2.8.x86_64
    libvirt-daemon-driver-qemu-1.2.17-13.el7_2.8.x86_64
    libvirt-daemon-driver-nodedev-1.2.17-13.el7_2.8.x86_64
    libvirt-1.2.17-13.el7_2.8.x86_64
    

    7.3 verification example

    [root@BCLinux7_3 ~]# rpm -qa|grep libvirt
    libvirt-client-2.0.0-10.el7_3.12.x86_64
    libvirt-daemon-driver-storage-2.0.0-10.el7_3.12.x86_64
    libvirt-daemon-driver-nodedev-2.0.0-10.el7_3.12.x86_64
    libvirt-2.0.0-10.el7_3.12.x86_64
    libvirt-daemon-2.0.0-10.el7_3.12.x86_64
    libvirt-daemon-driver-nwfilter-2.0.0-10.el7_3.12.x86_64
    libvirt-daemon-driver-qemu-2.0.0-10.el7_3.12.x86_64
    libvirt-daemon-driver-secret-2.0.0-10.el7_3.12.x86_64
    libvirt-daemon-config-nwfilter-2.0.0-10.el7_3.12.x86_64
    libvirt-daemon-driver-lxc-2.0.0-10.el7_3.12.x86_64
    libvirt-daemon-kvm-2.0.0-10.el7_3.12.x86_64
    libvirt-daemon-driver-network-2.0.0-10.el7_3.12.x86_64
    libvirt-daemon-driver-interface-2.0.0-10.el7_3.12.x86_64
    libvirt-daemon-config-network-2.0.0-10.el7_3.12.x86_64
    

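    4. Restart services

    After installing the updated packages, the related services must be restarted for the update to take effect.
    Before restarting, it is recommended to contact the users of the affected components and confirm the impact of the restart.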
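
The check from step 3, automated, as an added example that is not part of the original advisory: it reads `rpm -qa` output and reports every libvirt package that is not at the fixed build named above. The function names and the constructed sample input (including the `libvirt-python` placeholder) are assumptions; the comparison is an exact string match, so a newer build is also reported for manual review.

```shell
#!/bin/sh
# Added example (not from the advisory): audit `rpm -qa` output against the
# fixed libvirt builds this advisory names. Function names are hypothetical.

# Fixed builds from the advisory (version-release, without the arch suffix).
FIXED_7_2="1.2.17-13.el7_2.8"
FIXED_7_3="2.0.0-10.el7_3.12"

# split_nvra NAME-VERSION-RELEASE.ARCH
# Sets pkg_name and pkg_vr (version-release). Splitting from the right is
# required because package names themselves contain dashes.
split_nvra() {
    nvr=${1%.*}                 # drop ".x86_64"
    release=${nvr##*-}
    nv=${nvr%-*}
    pkg_name=${nv%-*}
    pkg_vr="${nv##*-}-$release"
}

# True only for the packages shown in the advisory's yum transaction.
# A plain `grep libvirt` also matches separately versioned packages such as
# libvirt-python, which would be false positives in an exact-version check.
is_libvirt_subpackage() {
    case $1 in
        libvirt|libvirt-client|libvirt-daemon|libvirt-daemon-*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_libvirt FIXED   (reads `rpm -qa` lines on stdin)
# Prints one DIFFERS line per package not at FIXED.
# Returns 0 if all match, 1 if any differs, 2 if no libvirt package was seen.
audit_libvirt() {
    fixed=$1
    seen=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        split_nvra "$line"
        is_libvirt_subpackage "$pkg_name" || continue
        seen=$((seen + 1))
        if [ "$pkg_vr" != "$fixed" ]; then
            printf 'DIFFERS %s %s (expected %s)\n' "$pkg_name" "$pkg_vr" "$fixed"
            bad=$((bad + 1))
        fi
    done
    [ "$seen" -gt 0 ] || return 2
    [ "$bad" -eq 0 ]
}

# Constructed sample: a 7.2 host where libvirt-daemon-kvm was left at the old
# build. The libvirt-python line is a placeholder, not a real package version.
sample_partial_update() {
    cat <<'EOF'
libvirt-1.2.17-13.el7_2.8.x86_64
libvirt-client-1.2.17-13.el7_2.8.x86_64
libvirt-daemon-1.2.17-13.el7_2.8.x86_64
libvirt-daemon-driver-qemu-1.2.17-13.el7_2.8.x86_64
libvirt-daemon-kvm-1.2.17-13.el7.x86_64
libvirt-python-9.9.9-1.example.x86_64
EOF
}

sample_partial_update | audit_libvirt "$FIXED_7_2" || echo "audit status: $?"
```

On a real host, run `rpm -qa | audit_libvirt "$FIXED_7_2"` (or `"$FIXED_7_3"`); exit status 0 means every listed libvirt package is at the fixed build.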

    External links

    1. BCLinux security updates

