On Thu, Oct 23, 2025 at 11:27:23AM +0100, Richard W.M. Jones via Libguestfs wrote:
> We'll need to do a bit of coordination here:
>
> - We will need to backport the change to libnbd 1.22. Because the
>   code changed substantially, the backport is effectively a new
>   patch.

Done. In summary:

* libnbd 1.23 (development branch)
  - Fixed in libnbd 1.23.9
  - Tarball available here:
    https://download.libguestfs.org/libnbd/1.23-development/
  - Upstream fix:
    https://gitlab.com/nbdkit/libnbd/-/commit/fffd87a3ba216cf2f9c212e5db96b13...

* libnbd 1.22 (stable branch)
  - Fixed in libnbd 1.22.5
  - Tarball available here:
    https://download.libguestfs.org/libnbd/1.22-stable/
  - Upstream fix:
    https://gitlab.com/nbdkit/libnbd/-/commit/f461fe64d21fe8a6d32b56ccb50d064...
    https://gitlab.com/nbdkit/libnbd/-/commit/00181d26a4d891e2d7acdd0a309fbf2...

* older branches of libnbd
  - Not affected

> - Fedora will need to be updated <= I will do this when it goes
>   upstream

Done.

> - Other Linux distro maintainers need to be notified <= I will do
>   this now

Done.

> - RHEL will have to be updated, but I believe we're waiting on the
>   decision of whether this is a CVE before we can do that.

Pending.

Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages.
http://libguestfs.org