Your message dated Fri, 03 Jul 2009 19:54:27 +0000
with message-id <[email protected]>
and subject line Bug#526013: fixed in qemu 0.8.2-4etch3
has caused the Debian Bug report #526013,
regarding qemu: CVE-2008-1945 media handling vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
526013: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526013
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: qemu
Severity: important
Tags: security
Fixed: 0.9.1-5

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for qemu.

CVE-2008-1945[0]:
| QEMU 0.9.0 does not properly handle changes to removable media, which
| allows guest OS users to read arbitrary files on the host OS by using
| the diskformat: parameter in the -usbdevice option to modify the
| disk-image header to identify a different format, a related issue to
| CVE-2008-2004.

This is already fixed in version 0.9.1-5 in unstable.  Please
coordinate with the security team ([email protected]) to prepare
packages for the stable releases.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1945
    http://security-tracker.debian.net/tracker/CVE-2008-1945

Thanks,
Mike



--- End Message ---
--- Begin Message ---
Source: qemu
Source-Version: 0.8.2-4etch3

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive:

qemu_0.8.2-4etch3.diff.gz
  to pool/main/q/qemu/qemu_0.8.2-4etch3.diff.gz
qemu_0.8.2-4etch3.dsc
  to pool/main/q/qemu/qemu_0.8.2-4etch3.dsc
qemu_0.8.2-4etch3_i386.deb
  to pool/main/q/qemu/qemu_0.8.2-4etch3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <[email protected]> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 03 May 2009 15:38:17 +0200
Source: qemu
Binary: qemu
Architecture: source i386
Version: 0.8.2-4etch3
Distribution: oldstable-security
Urgency: low
Maintainer: Debian QEMU Team <[email protected]>
Changed-By: Aurelien Jarno <[email protected]>
Description: 
 qemu       - fast processor emulator
Closes: 469649 526013
Changes: 
 qemu (0.8.2-4etch3) oldstable-security; urgency=low
 .
   * debian/patches/92_security.patch: fix media handling vulnerability
     (CVE-2008-1945). Closes: bug#526013.
   * debian/patches/93_security.patch: fix privilege escalation.
     (CVE-2008-0928). Closes: bug#469649.
Files: 
 b7d65acdf5cdc3332b3a7a5100c4586d 1122 misc optional qemu_0.8.2-4etch3.dsc
 312eebc1386cca2e9b30a40763ab9c0d 1501979 misc optional qemu_0.8.2.orig.tar.gz
 9770edb5cd197a444e9daad2f0439823 67363 misc optional qemu_0.8.2-4etch3.diff.gz
 cf0babcf03c61381fea0d7f30a06e44f 3676468 misc optional qemu_0.8.2-4etch3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJ/yYaXm3vHE4uyloRAiOXAJ9WwlRA4B2fjmPBc57GxRPF6Kch8gCgnq7A
xY1XjJK+DtogeIY6+mQtqEM=
=MCc4
-----END PGP SIGNATURE-----



--- End Message ---
