Your message dated Sun, 14 Feb 2021 16:06:27 +0000
with message-id <[email protected]>
and subject line Bug#980814: fixed in qemu 1:5.2+dfsg-5
has caused the Debian Bug report #980814,
regarding qemu: CVE-2020-35517
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
980814: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980814
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: qemu
Version: 1:5.2+dfsg-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for qemu, filling it with RC
severity due to the privilege escalation potential (it affects only
the version for bullseye and sid). I might oversee something, so just
beeing on the safe side here.

CVE-2020-35517[0]:
| virtiofsd: potential privileged host device access from guest

Patch TTBOMK not yet applied upstream.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-35517
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35517
[1] https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg05461.html
[2] https://www.openwall.com/lists/oss-security/2021/01/22/1

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: qemu
Source-Version: 1:5.2+dfsg-5
Done: Michael Tokarev <[email protected]>

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 14 Feb 2021 17:44:06 +0300
Source: qemu
Architecture: source
Version: 1:5.2+dfsg-5
Distribution: unstable
Urgency: medium
Maintainer: Debian QEMU Team <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 980814
Changes:
 qemu (1:5.2+dfsg-5) unstable; urgency=medium
 .
   * d/rules: ensure b/ subdir exists before building palcode and qboot
   * d/changelog: #959530 is not fixed by 5.2+dfsg-4
   * 3 virtiofsd patches Closes: #980814, CVE-2020-35517
     virtiofsd: potential privileged host device access from guest
     - virtiofsd-extract-lo_do_open-from-lo_open.patch
     - virtiofsd-optionally-return-inode-pointer-from-lo_do_lookup.patch
     - virtiofsd-prevent-opening-of-special-files-CVE-2020-35517.patch
Checksums-Sha1:
 74f3d355225360cfb6ba9fae585feba27f541e82 6600 qemu_5.2+dfsg-5.dsc
 0c3f46e1605eb548d67c05c8019db93a7e8fc4f7 103504 qemu_5.2+dfsg-5.debian.tar.xz
 331c13d7de7c39efcdff71dddce9757b30685ad2 9102 qemu_5.2+dfsg-5_source.buildinfo
Checksums-Sha256:
 034f8dde90468fc9486f04140ee4f86718012846899d27d0a19797ed6ab475b1 6600 
qemu_5.2+dfsg-5.dsc
 83ca13e28c9f83c969602d5821f218ac89c636c4f76ed01817eb452a446fed18 103504 
qemu_5.2+dfsg-5.debian.tar.xz
 6664936e6a4793d4cb78b48af9762185bf448037d2a48217aacd7c02bd62b410 9102 
qemu_5.2+dfsg-5_source.buildinfo
Files:
 b7d48598787d538ec5c5cc5b1c49bbe4 6600 otherosfs optional qemu_5.2+dfsg-5.dsc
 faccaaefcb84beb7b8d0ad07d986de94 103504 otherosfs optional 
qemu_5.2+dfsg-5.debian.tar.xz
 8038b87227491772b31a7396f49782c8 9102 otherosfs optional 
qemu_5.2+dfsg-5_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFDBAEBCAAtFiEEe3O61ovnosKJMUsicBtPaxppPlkFAmApRjwPHG1qdEB0bHMu
bXNrLnJ1AAoJEHAbT2saaT5ZrLgH/34tgvNxSBxKm9VKkZixnU6jHj7o4Tykrodf
k6isHNYgmdpW9LK7O8LIjsj3gzVhCEo21+dwluZyMtn0hq1VBNOJzlf24HPC3Kr8
95t3zr1zqfM2ahrAZ+YTUNxfMSq2SVitozGdzfR8qicR0hBNMTUxgQj+1eWvEVd1
XG9xWnQKROQOBfh2lbY5gpjyHHkyfmq0mAoiF/gAIBVCl23deRVUXD2U8ld3tJRc
e1QIY/pErHhvkvYnKhTLnIRKY/yX8yUBepBv965ova2IFJRqU/MPPIyi5EkkdS86
4IdTVNyoKO7Hpai+rhFDQpr+si6cpgelSck8mEhxGcO3jCTdr6k=
=w0GY
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to