[Openstack-operators] Venom vulnerability

Tim Bell Tim.Bell at cern.ch
Tue Jun 2 09:34:42 UTC 2015


I had understood that CentOS 7.1 qemu-kvm has RBD support built-in. It was not there on 7.0 but http://tracker.ceph.com/issues/10480 implies it is in 7.1.

You could check on the centos mailing lists to be sure.

Tim

From: Cynthia Lopes [mailto:clsacramento at gmail.com]
Sent: 02 June 2015 10:57
To: Sławek Kapłoński
Cc: openstack-operators at lists.openstack.org
Subject: Re: [Openstack-operators] Venom vulnerability

Hi guys,

I had to recompile qemu-kvm on CentOS7 to enable RBD and be able to use CEPH.
Now, what is the best to update for venom vulnerability?
Has anyone already recompiled the patched sources and put it in a repository, or is the only way to get the new sources and recompile again?
In http://vault.centos.org/ the sources don't seem to have been updated yet, where will I find them to recompile if it is the way to go?

Thanks a lot!

Regards,
Cynthia

2015-05-14 23:45 GMT+02:00 Sławek Kapłoński <slawek at kaplonski.pl>:
Hello,

Ok, thx for explanations :) Yep, I know that best is to restart qemu
process but this means I can now sleep a little bit more peacefully :)

--
Best regards / Pozdrawiam
Sławek Kapłoński
slawek at kaplonski.pl
On Thu, May 14, 2015 at 05:38:56PM -0400, Favyen Bastani wrote:
> On 05/14/2015 05:23 PM, Sławek Kapłoński wrote:
> > Hello,
> >
> > So if I understand you correctly, it is not so dangerous if I'm using
> > libvirt with apparmor and this libvirt is adding apparmor rules for
> > every qemu process, yes?
> >
> >
>
> You should certainly verify that apparmor rules are enabled for the qemu
> processes.
>
> Apparmor reduces the danger of the vulnerability. However, if you are
> assuming that virtual machines are untrusted, then you should also
> assume that an attacker can execute whatever operations permitted by the
> apparmor rules (mostly built based on abstraction usually at
> /etc/apparmor.d/libvirt-qemu); so you should check that you have
> reasonable limits on those permissions. Best is to restart the processes
> by way of live migration or otherwise.
>
> Best,
> Favyen

_______________________________________________
OpenStack-operators mailing list
OpenStack-operators at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
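The two checks Favyen recommends in the quoted reply (confirm that each qemu process is really confined by the MAC policy, and restart or live-migrate guests so that none keeps running the pre-patch binary) can be scripted. The POSIX shell script below is an added example, not code from this thread or from any of the posters. It walks the Linux /proc tree, classifies the security label in /proc/PID/attr/current (AppArmor "(enforce)"/"(complain)" suffixes, an SELinux context as used by sVirt on CentOS, or unconfined) and reports a qemu process as stale when /proc/PID/exe points at a binary the kernel marks "(deleted)", which is what you see after the qemu package was upgraded but the guest was not restarted. The process-name patterns (qemu*, kvm) and the label formats are assumptions about a typical libvirt deployment; the /proc root is a parameter so the logic can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit running qemu
# processes for MAC confinement and for a replaced-on-disk binary.
# Assumes a Linux /proc layout; pass another root to test offline.

# Classify the label found in /proc/<pid>/attr/current.
#   "libvirt-<uuid> (enforce)"            -> enforce    (AppArmor)
#   "libvirt-<uuid> (complain)"           -> complain   (AppArmor, not enforced)
#   "system_u:system_r:svirt_t:s0:c1,c2"  -> selinux    (sVirt context; check
#                                              getenforce separately)
#   "unconfined", "unconfined_t" context  -> unconfined
#   "" (no LSM label available)           -> unconfined
confinement_of() {
    case "$1" in
        *"(enforce)")   echo enforce ;;
        *"(complain)")  echo complain ;;
        *unconfined*|"") echo unconfined ;;
        *:*:*:*)        echo selinux ;;
        *)              echo unknown ;;
    esac
}

# The kernel appends " (deleted)" to /proc/<pid>/exe when the file the
# process was started from has been unlinked or replaced, i.e. the
# patched package is installed but this process still runs the old code.
exe_state() {
    case "$1" in
        *" (deleted)") echo stale ;;
        *)             echo current ;;
    esac
}

# Print one line per qemu process: <pid> <confinement> <exe-state> <comm>
# Return 0 only if every qemu process is confined (AppArmor enforce or an
# SELinux context) and runs the binary currently on disk.
audit_qemu() {
    root="${1:-/proc}"
    rc=0
    for d in "$root"/[0-9]*; do
        [ -r "$d/comm" ] || continue
        comm=$(cat "$d/comm")
        case "$comm" in
            qemu*|kvm) ;;    # qemu-kvm, qemu-system-x86 (comm is truncated to 15 chars)
            *) continue ;;
        esac
        pid=${d##*/}
        label=$(cat "$d/attr/current" 2>/dev/null || true)
        mode=$(confinement_of "$label")
        exe=$(readlink "$d/exe" 2>/dev/null || true)
        state=$(exe_state "$exe")
        printf '%s %s %s %s\n' "$pid" "$mode" "$state" "$comm"
        case "$mode" in
            enforce|selinux) [ "$state" = current ] || rc=1 ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh audit_qemu.sh run   (scans the live /proc; exit status 1 means
# at least one guest needs attention, e.g. a restart or live migration)
case "${1:-}" in
    run) audit_qemu ;;
esac
```

On a host where the package was upgraded but guests were not restarted, every qemu line reports "stale"; that is the state Sławek describes where the fix is installed but a restart (or live migration, as Favyen suggests) is still required before the floppy-controller code in memory is actually the patched one.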
