From 4f96c62322762d5dbe87c383534c399f9a18e5f5 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sat, 8 Aug 2020 17:19:52 +0200 Subject: Update status for CVE-2020-15708/libvirt --- data/CVE/2020.list | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/data/CVE/2020.list b/data/CVE/2020.list index 6e2374cf60..7dcbcaf5b9 100644 --- a/data/CVE/2020.list +++ b/data/CVE/2020.list @@ -3618,9 +3618,14 @@ CVE-2020-15709 NOTE: https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1890286 CVE-2020-15708 [incorrect permissions on the UNIX domain socket allows local attacker to escalate privileges] RESERVED - - libvirt + - libvirt (Ubuntu specific issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1866270#c2 - TODO: check if affects Debian packaging when using libvirtd.socket, similarly as the Ubuntu one + NOTE: Debian used to use polkit in 1.2.9-rc1-1 and only later on + NOTE: enabled as well libvirtd socket activation. Ubuntu OTOH continued + NOTE: to ship the Allow-libvirt-group-to-access-the-socket.patch patch + NOTE: which caused the CVE-2020-15708 issue. + NOTE: Upstream improved documentation in with: + NOTE: https://www.redhat.com/archives/libvir-list/2020-August/msg00360.html CVE-2020-15707 (Integer overflows were discovered in the functions grub_cmd_initrd and ...) {DSA-4735-1} - grub2 2.04-9 -- cgit v1.2.3
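Review bot: In the added NOTE lines for CVE-2020-15708, "Upstream improved documentation in with:" contains a stray word and should read "Upstream improved documentation with:". The preceding NOTE gives a version only for the polkit change (1.2.9-rc1-1) and says libvirtd socket activation was enabled "only later on"; naming the version where socket activation was enabled would let a reader check the "(Ubuntu specific issue)" conclusion against the packaging history. The notes also say only that Ubuntu continued to ship Allow-libvirt-group-to-access-the-socket.patch; stating explicitly whether Debian still carries that patch would make the reasoning behind dropping the TODO complete.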