news: Document recent CVE fix

Document the fix of leaking /dev/mapper/control to QEMU (fixed in v6.6.0-rc1-3-g2249455654). Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2024-07-06 09:55:46 +00:00 · 2020-07-27 09:53:24 +02:00 · 2020-07-27 09:53:24 +02:00 · 957107184f
commit 957107184f
parent 0e6dcc2f52
1 changed files with 7 additions and 0 deletions
--- a/NEWS.rst
+++ b/NEWS.rst
@ -33,6 +33,13 @@ v6.6.0 (unreleased)

 * **Bug fixes**

+  * virdevmapper: Don't use libdevmapper to obtain dependencies
+
+    When building domain's private ``/dev`` in a namespace, libdevmapper was
+    consulted for getting full dependency tree of domain's disks. However, this
+    meant that libdevmapper opened ``/dev/mapper/control`` which wasn't closed
+    and was leaked to QEMU. CVE-2020-14339
+

 v6.5.0 (2020-07-03)
 ===================