NEWS: Mention security bug in storage pool object lookup (CVE-2021-3667)

Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Erik Skultety <eskultet@redhat.com>
2024-10-03 12:55:45 +00:00 · 2021-07-27 14:36:30 +02:00 · 2021-07-27 14:36:30 +02:00 · f379aabc74
commit f379aabc74
parent d26efd8be9
1 changed files with 9 additions and 0 deletions
--- a/NEWS.rst
+++ b/NEWS.rst
@ -11,6 +11,15 @@ For a more fine-grained view, use the `git log`_.
 v7.6.0 (unreleased)
 ===================

+* **Security**
+
+  * storage: Unlock pool objects on ACL check failures in ``storagePoolLookupByTargetPath`` (CVE-2021-3667)
+
+    A logic bug in ``storagePoolLookupByTargetPath`` where the storage pool
+    object was left locked after a failure of the ACL check could potentially
+    deprive legitimate users access to a storage pool object by users who don't
+    have access.
+
 * **New features**

  * qemu: Incremental backup support via ``virDomainBackupBegin``