1. 修复的CVE信息
CVE-2021-3631
描述:libvirt 在为 VM 的动态标签生成 SELinux MCS 类别对时发现了一个漏洞。该漏洞允许一个被利用的访客访问标记为另一个访客的文件,从而突破 sVirt 限制。此漏洞的最大威胁是机密性和完整性。
CVE-2021-3667
描述:在 libvirt 的 virStoragePoolLookupByTargetPath API 中存在不正确的锁定漏洞。它是发生在 storagePoolLookupByTargetPath 函数中,其中锁定的 virStoragePoolObj 对象在 ACL 权限失败时未正确释放。连接到具有有限 ACL 权限的读写套接字的客户端可以使用此缺陷来获取锁并阻止其他用户访问存储池/卷 API,从而导致拒绝服务条件。此漏洞的最大威胁是系统可用性。
2. 影响的操作系统及修复版本
银河麒麟高级服务器操作系统 V10 SP1
libvirt-6.2.0-11.ky10
libvirt-admin-6.2.0-11.ky10
libvirt-bash-completion-6.2.0-11.ky10
libvirt-client-6.2.0-11.ky10
libvirt-daemon-6.2.0-11.ky10
libvirt-daemon-config-network-6.2.0-11.ky10
libvirt-daemon-config-nwfilter-6.2.0-11.ky10
libvirt-daemon-driver-interface-6.2.0-11.ky10
libvirt-daemon-driver-network-6.2.0-11.ky10
libvirt-daemon-driver-nodedev-6.2.0-11.ky10
libvirt-daemon-driver-nwfilter-6.2.0-11.ky10
libvirt-daemon-driver-qemu-6.2.0-11.ky10
libvirt-daemon-driver-secret-6.2.0-11.ky10
libvirt-daemon-driver-storage-6.2.0-11.ky10
libvirt-daemon-driver-storage-core-6.2.0-11.ky10
libvirt-daemon-driver-storage-disk-6.2.0-11.ky10
libvirt-daemon-driver-storage-gluster-6.2.0-11.ky10
libvirt-daemon-driver-storage-iscsi-6.2.0-11.ky10
libvirt-daemon-driver-storage-iscsi-direct-6.2.0-11.ky10
libvirt-daemon-driver-storage-logical-6.2.0-11.ky10
libvirt-daemon-driver-storage-mpath-6.2.0-11.ky10
libvirt-daemon-driver-storage-rbd-6.2.0-11.ky10
libvirt-daemon-driver-storage-scsi-6.2.0-11.ky10
libvirt-daemon-kvm-6.2.0-11.ky10
libvirt-daemon-qemu-6.2.0-11.ky10
libvirt-devel-6.2.0-11.ky10
libvirt-docs-6.2.0-11.ky10
libvirt-libs-6.2.0-11.ky10
libvirt-lock-sanlock-6.2.0-11.ky10
libvirt-nss-6.2.0-11.ky10
libvirt-wireshark-6.2.0-11.ky10
3. 受影响的软件包
银河麒麟高级服务器操作系统 V10 SP1
aarch64:libvirt、libvirt-admin、libvirt-bash-completion、libvirt-client、libvirt-daemon、libvirt-daemon-config-network、libvirt-daemon-config-nwfilter、libvirt-daemon-driver-interface、libvirt-daemon-driver-network、libvirt-daemon-driver-nodedev、libvirt-daemon-driver-nwfilter、libvirt-daemon-driver-qemu、libvirt-daemon-driver-secret、libvirt-daemon-driver-storage、libvirt-daemon-driver-storage-core、libvirt-daemon-driver-storage-disk、libvirt-daemon-driver-storage-gluster、libvirt-daemon-driver-storage-iscsi、libvirt-daemon-driver-storage-iscsi-direct、libvirt-daemon-driver-storage-logical、libvirt-daemon-driver-storage-mpath、libvirt-daemon-driver-storage-rbd、libvirt-daemon-driver-storage-scsi、libvirt-daemon-kvm、libvirt-daemon-qemu、libvirt-devel、libvirt-docs、libvirt-libs、libvirt-lock-sanlock、libvirt-nss、libvirt-wireshark
x86_64:libvirt、libvirt-admin、libvirt-bash-completion、libvirt-client、libvirt-daemon、libvirt-daemon-config-network、libvirt-daemon-config-nwfilter、libvirt-daemon-driver-interface、libvirt-daemon-driver-network、libvirt-daemon-driver-nodedev、libvirt-daemon-driver-nwfilter、libvirt-daemon-driver-qemu、libvirt-daemon-driver-secret、libvirt-daemon-driver-storage、libvirt-daemon-driver-storage-core、libvirt-daemon-driver-storage-disk、libvirt-daemon-driver-storage-gluster、libvirt-daemon-driver-storage-iscsi、libvirt-daemon-driver-storage-iscsi-direct、libvirt-daemon-driver-storage-logical、libvirt-daemon-driver-storage-mpath、libvirt-daemon-driver-storage-rbd、libvirt-daemon-driver-storage-scsi、libvirt-daemon-kvm、libvirt-daemon-qemu、libvirt-devel、libvirt-docs、libvirt-libs、libvirt-lock-sanlock、libvirt-nss、libvirt-wireshark
4. 修复方法
方法一:配置源进行升级安装
1.打开软件包源配置文件,根据仓库地址进行修改。
仓库源地址:
银河麒麟高级服务器操作系统 V10 SP1
aarch64:http://update.cs2c.com.cn:8080/NS/V10/V10SP1.1/os/adv/lic/updates/aarch64/
x86_64:http://update.cs2c.com.cn:8080/NS/V10/V10SP1.1/os/adv/lic/updates/x86_64/
2.配置完成后执行更新命令进行升级,命令如下:yum update Packagename
方法二:下载安装包进行升级安装
通过软件包地址下载软件包,使用软件包升级命令根据受影响的软件包列表进行升级安装,命令如下:yum install Packagename
5. 软件包下载地址
银河麒麟高级服务器操作系统 V10 SP1
libvirt aarch64软件包下载地址:
libvirt x86_64软件包下载地址:
注:其他相关依赖包请到相同目录下载
