1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 3362-1] qemu-kvm security update

    From Salvatore Bonaccorso@1:229/2 to All on Fri Sep 18 22:20:01 2015
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-3362-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso September 18, 2015 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : qemu-kvm
    CVE ID : CVE-2015-5278 CVE-2015-5279 CVE-2015-6815 CVE-2015-6855

    Several vulnerabilities were discovered in qemu-kvm, a full
    virtualization solution on x86 hardware.

    CVE-2015-5278

    Qinghao Tang of QIHU 360 Inc. discovered an infinite loop issue in
    the NE2000 NIC emulation. A privileged guest user could use this
    flaw to mount a denial of service (QEMU process crash).

    CVE-2015-5279

    Qinghao Tang of QIHU 360 Inc. discovered a heap buffer overflow flaw
    in the NE2000 NIC emulation. A privileged guest user could use this
    flaw to mount a denial of service (QEMU process crash), or
    potentially to execute arbitrary code on the host with the
    privileges of the hosting QEMU process.

    CVE-2015-6815

    Qinghao Tang of QIHU 360 Inc. discovered an infinite loop issue in
    the e1000 NIC emulation. A privileged guest user could use this flaw
    to mount a denial of service (QEMU process crash).

    CVE-2015-6855

    Qinghao Tang of QIHU 360 Inc. discovered a flaw in the IDE
    subsystem in QEMU occurring while executing IDE's
    WIN_READ_NATIVE_MAX command to determine the maximum size of a
    drive. A privileged guest user could use this flaw to mount a
    denial of service (QEMU process crash).

    For the oldstable distribution (wheezy), these problems have been fixed
    in version 1.1.2+dfsg-6+deb7u11.

    We recommend that you upgrade your qemu-kvm packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    iQIcBAEBCgAGBQJV/G8LAAoJEAVMuPMTQ89EBW0P/R+Gc/di08JOEyai7DregXfn NDss2LyL4xI2v5VVEhgCYpY3WA8DOi2bc3UqgmzMAEwAhpUTkhtc2NX1wQU/rba1 Lf44lBPPuUKP/nYcz1CSn0xQHTGla7R0qpgYetdLDwSiN4rnHIDreSpSVWXh4R3H NrAf5pIRPmnOGRuNkx907ptZ9SD26we1fcpZaKv43kjnmlmrul1OEgYdrbXw+qQc xT36dZSSxq3bfpiKQFAWwNt/Jp+2CaNysVJyBIGM2PZ1H33IQtwcr0ub06sZOQIU btOgVmICIMXtZF0/OcxusOkS8t097tBM/v+f+WrwG17Y46QomD0gK0f2tYq5MW8U PbWmZem0Lkv+EThTDCay1DR060YhUmaKHG6PHgJMRSAzGK9ElMxHNuJUdjwJQjgI cvfJK0Z6GGhx3x+1BOMNwU877JLlFJhkPVN2CpP8NYNxT0Sk5ripvioUI11p2ZjC IiOgitLApZmI9IQ9AZWulriNf5sMIZyAgyVfebZ1vIjd8M/XQiTdmGkAFgGDodni DNdY4x8/efFRTqfaKC0XnE5m8LO1qX1YwyaCBIM9Ky+e6k2HpbEbrqPdx+HXr+WN WkytBnj7REnQMK0JDC/iU5SvlqVj8OOwKyyEVmtF9rtZIbWWKdE64FKuWhTZPpGB r7Q3etxkoWtKMowCVOrA
    =c8Zw
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)