xenbits.xensource.com Git - libvirt.git/commitdiff
NEWS: Mention fix for CVE-2024-8235
author Peter Krempa <pkrempa@redhat.com>
Thu, 29 Aug 2024 08:53:25 +0000 (10:53 +0200)
committer Peter Krempa <pkrempa@redhat.com>
Mon, 2 Sep 2024 07:06:34 +0000 (09:06 +0200)
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
NEWS.rst

index 9234e7059062b21fe2e30bc1fe88784f2648cafe..755f51d5b753f5fa29247f3df3a54ad86923c946 100644 (file)
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -13,6 +13,18 @@ v10.7.0 (unreleased)
 
 * **Security**
 
+  * CVE-2024-8235: Crash of ``virtinterfaced`` via ``virConnectListInterfaces()``
+
+    A refactor of the code fetching the list of interfaces for multiple APIs
+    introduced corner case on platforms where allocating 0 bytes of memory
+    results in a NULL pointer.
+
+    This corner case would lead to a NULL-pointer dereference and subsequent
+    crash of ``virtinterfaced`` if ``virConnectListInterfaces()`` is called
+    requesting 0 networks to be filled.
+
+    The bug was introduced in libvirt-10.4.0
+
 * **Removed features**
 
 * **New features**
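
Review bot: "requesting 0 networks to be filled" in the third paragraph of the new entry does not match the API it names: ``virConnectListInterfaces()`` fills an array of interface names, so "requesting 0 interfaces to be filled" (or "with ``maxnames`` set to 0") would tell a reader exactly which call pattern triggers the crash. Two smaller wording points in the same entry: "introduced corner case" in the first paragraph is missing its article ("introduced a corner case"), and the closing line "The bug was introduced in libvirt-10.4.0" has no trailing period while the other sentences in the entry do. Because the entry sits under the v10.7.0 heading, readers can infer the fixed release, but it only states the introducing version; adding a short statement that 10.4.0 up to the release before this one are affected would make the range explicit for people triaging the CVE from NEWS alone.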