[PATCH 2/3] NEWS: Mention security bug in storage pool object lookup (CVE-2021-3667)

Peter Krempa pkrempa at redhat.com
Tue Jul 27 12:48:41 UTC 2021


Signed-off-by: Peter Krempa <pkrempa at redhat.com>
---
 NEWS.rst | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/NEWS.rst b/NEWS.rst
index 37f3c48d88..d791b34efb 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -11,6 +11,15 @@ For a more fine-grained view, use the `git log`_.
 v7.6.0 (unreleased)
 ===================

+* **Security**
+
+  * storage: Unlock pool objects on ACL check failures in ``storagePoolLookupByTargetPath`` (CVE-2021-3667)
+
+    A logic bug in ``storagePoolLookupByTargetPath`` where the storage pool
+    object was left locked after a failure of the ACL check could potentially
+    deprive legitimate users access to a storage pool object by users who don't
+    have access.
+
 * **New features**

   * qemu: Incremental backup support via ``virDomainBackupBegin``
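Review bot: The last sentence of the added description paragraph is hard to parse. "deprive legitimate users access" needs "of", and the trailing "by users who don't have access" sits far from the verb it belongs to, so it is unclear on first read who is locked out and who causes it. Suggest wording along the lines of "could allow users without access to a storage pool object to deny legitimate users access to it", and naming the effect as a denial of service, since the text says the object is left locked. Separately, the bullet title line with ``storagePoolLookupByTargetPath`` and the CVE id is much longer than the wrapped paragraph lines under it and could be wrapped to the same width.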
-- 
2.31.1



