Your message dated Sat, 04 Jul 2026 16:32:06 +0000
with message-id <[email protected]>
and subject line Bug#1085299: fixed in qemu 1:10.0.10+ds-0+deb13u1
has caused the Debian Bug report #1085299,
regarding qemu: CVE-2024-6519: lsi53c895a: use-after-free local privilege
escalation vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1085299: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085299
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: qemu
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for qemu.
CVE-2024-6519[0]:
qemu: SCSI: lsi53c895a: use-after-free local privilege escalation vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=2292089
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-6519
https://www.cve.org/CVERecord?id=CVE-2024-6519
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: qemu
Source-Version: 1:10.0.10+ds-0+deb13u1
Done: Michael Tokarev <[email protected]>
We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated qemu package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 11 Jun 2026 09:28:48 +0300
Source: qemu
Architecture: source
Version: 1:10.0.10+ds-0+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian QEMU Team <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 1085299 1128478 1129349 1129604 1129605
Changes:
qemu (1:10.0.10+ds-0+deb13u1) trixie; urgency=medium
.
* 10.0.10 upstream stable/bugfix release:
- Update version for 10.0.10 release
- block/graph-lock: fix missed wakeup in bdrv_graph_co_rdunlock()
- block: Add more defaults to DEFAULT_BLOCK_CONF
- block: Create DEFAULT_BLOCK_CONF macro
- ide-test: Test reset during TRIM
- ide-test: Factor out wait_dma_completion()
- ide: Clean up ide_trim_co_entry() to be idiomatic coroutine code
- ide: Minimal fix for deadlock between TRIM and drain
- block: Add flags parameter to blk_*_pdiscard()
- block: Add blk_co_start/end_request() and BDRV_REQ_NO_QUEUE
- blkdebug: Add 'delay-ns' option
- linux-user/sh4: Fix setup_sigtramp to match Linux kernel
trampoline pattern
- linux-user/sh4: Fix target_ucontext tuc_link field type
- linux-user: Fix AT_EXECFN in AUXV for symlinked programs
- hw/nvme: fix admin cq msix setup
- tests/functional/qemu_test/asset.py: Don't use setxattr
when it doesn't exist
- meson.build: Add -fzero-init-padding-bits=all
- hw/i2c/microbit_i2c: Don't index off end of twi_read_sequence[]
- aspeed/hace: Prevent total_req_len overflow
- aspeed/hace: Fix out-of-bounds read in has_padding()
- hw/display/cirrus_vga: Fix packed-24 color-expansion transparent copies
- hw/display/cirrus_vga: Fix packed-24 color-expansion
transparent pattern fills
- hw/ufs: Keep MCQ SQs alive while requests are outstanding
- hw/ufs: Reject zero-depth MCQ queues
- hw/ufs: Guard MCQ CQ accesses against missing queues
- hw/ufs: Validate MCQ SQ references before use
- hw/uefi: check auth.hdr_length minimum size
(Closes: CVE-2026-8341)
- hw/uefi: avoid possibly unaligned variable_auth_2 struct field access
(Closes: CVE-2026-41440)
- hw/uefi: verify data size before accessing it in wrap_pkcs7
(Closes: CVE-2026-41439)
- hw/uefi: add name_size check to uefi_vars_mm_lock_variable()
(Closes: CVE-2026-41438)
- hw/uefi: fix ucs2 string helper functions
(Closes: CVE-2026-41437)
- hw/uefi: verify pio_xfer_offset before calculating buffer checksum
(Closes: CVE-2026-41436)
- hw/uefi: fix buffer overruns
(Closes: CVE-2026-41435)
- hw/misc/bcm2835_rng: Specify valid memory access sizes
- target/arm: Report IL=0 for Thumb 16-bit BKPT insn
- target/microblaze: Fix endianness used to disassemble
- hw/intc/arm_gicv3: Fix NS write to ICC_AP1Rn_EL1 when prebits < 7
- hw/net/allwinner-sun8i-emac: Flush queued packets when rx is enabled
- hw/ppc/e500: fix bus-frequency property hardcoded to zero in CPU FDT node
- hw/ppc/e500: Move clock and TB frequency to machine class
- tests/rcutorture: Fix build error
- hw/intc/xics: Add a check for an invalid server id
- linux-user: Translate errno in IP_RECVERR and IPV6_RECVERR
- linux-user: Allow getsockopt() with NULL optval address
- linux-user: Flush errors by using exit() instead of _exit() in error path
- linux-user: Add missing CDROM ioctls
- target/riscv: Use ELEN for Fractional LMUL check
- target/riscv: Don't OR mip.SEIP when mvien is one
- target/riscv: Generate access fault if sc comparison fails
- riscv_htif: reject invalid signature ranges (end <= begin)
- hw/intc: fix heap OOB in ACLINT MTIMER multi-socket
- target/riscv: fix stale ptshift and base on page walk restart
- hw/riscv/virt-acpi-build.c: Use kvm timer frequency when kvm enabled
- linux-user: Flush errors by using exit() instead of _exit() in error path
- linux-user: Use abi_int for imr_ifindex in ip_mreqn struct
- linux-user: Fix CLONE_PARENT_SETTID when using fork-like clone
- linux-user: Add getsockopt() for SO_RCVTIMEO_NEW and SO_SNDTIMEO_NEW
- linux-user: Add setsockopt() for SO_RCVTIMEO_NEW and SO_SNDTIMEO_NEW
- linux-user: Define SO_TIMESTAMP*_NEW and SO_RCVTIMEIO_NEW
- linux-user/mips: sync k0 TLS for EF_MIPS_MACH_OCTEON userlands
- linux-user/strace: Use pointer type for read and write values
- linux-user/arm/nwfpe: Use thread-local storage for qemufpa
- linux-user/arm/nwfpe: Replace user_registers with current_cpu
- linux-user: Don't define target_stat64 struct for loongarch64
- linux-user: fix off-by-one in host_to_target_for_each_rtattr()
- linux-user/ppc: Fix ppc64 rt_sigframe stack offset
- hw/sh4/sh7750: Remove forgotten abort() in the MM_ITLB_DATA handler
- hw/misc: Fix the valid access size to the avr-power device
- migration: vmstate_save_state_v: fix double error_setg
- hw/display: don't accidentally autofree existing virgl resources
(Closes: CVE-2026-6502)
- meson: add missing semicolon in pthread_condattr_setclock test
- target/i386/tcg: fix decoding of MOVBE and CRC32 in 16-bit mode
- target/i386: fix missing PF_INSTR in SIGSEGV context
- target/i386: fix strList leak in x86_cpu_get_unavailable_features
- target/arm/tcg/translate.c: remove MO_TE usage
- ui/console-vc: fix off-by-one in CSI J 2 (clear entire screen)
- ui/spice-app: detect runtime directory creation failures
- serial COM: windows serial COM PollingFunc don't sleep
- util/cutils: Fix heap corruption under Windows
- virtio-blk: fix zone report buffer out-of-memory
(Closes: CVE-2026-5761)
- qemu-keymap: fix altgr modifier lookup for newer xkeyboard-config
- hw/uefi: fix heap overflow
(Closes: CVE-2026-5744)
- virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req
and virtio_scsi_handle_cmd_req_prepare
(Closes: CVE-2026-5763)
- util/readline: Fix out-of-bounds access in readline_insert_char()
- target/arm: fix fault_s1ns for stage 2 faults
- target/arm: do_ats_write(): avoid assertion when ptw failed
- bsd-user, linux-user: signal: recursive signal delivery fix
- linux-user: Make openat2() use -L for absolute paths
- linux-user: update select timeout writeback
- linux-user: fix name_to_handle_at when AT_HANDLE_MNT_ID_UNIQUE flag is set
- util: fix missing aio_wait sym in qemu guest agent only build
- monitor: Fix deadlock in monitor_cleanup
- scsi: Don't consider LOGICAL UNIT NOT SUPPORTED guest recoverable
- ide: Fix potential assertion failure on VM stop for PIO read error
- ui/vnc-jobs: fix VncRectEntry leak on job cleanup
- hw/net/rocker: Avoid double-free of l2_flood.group_ids
- lsi53c895a: keep SCSIRequest alive during DMA
- lsi53c895a: keep lsi_request alive as long as the SCSIRequest
- lsi53c895a: keep lsi_request and SCSIRequest in local variables
- lsi53c895a: do not do anything else if a reset is requested
by writing ISTAT0
- lsi53c895a: keep a reference to the device while SCRIPTS execute
(Closes: #1085299, CVE-2024-6519)
- scripts/qemu-guest-agent/fsfreeze-hook: Fix syslog-fallback logic
- scripts/qemu-guest-agent/fsfreeze-hook: Avoid use of PIPESTATUS
- scripts/qemu-guest-agent/fsfreeze-hook: Avoid bash-isms
- hw/nvme: fix heap-buffer-overflow in nvme_abort
- hw/nvme: re-enable wzds bit in namespace dlfeat
- tcg: Pass host-endian values to plugin_gen_mem_callbacks_*
- hw/audio/sb16: validate VMState fields in post_load
- block/curl: free s->password in cleanup paths
- linux-aio: Resubmit tails of short reads/writes
- linux-aio: Put all parameters into qemu_laiocb
- hw/dma/pl080: Fix transfer logic in PL080
- linux-user/i386/signal.c: Correct definition of target_fpstate_32
- hw/ssi/aspeed_smc: Convert mem ops to read/write_with_attrs
for error handling
- hw/net/ftgmac100: Improve DMA error handling
- hw/usb/hcd-ohci: check for MPS=0 to avoid infinite loop
(Closes: CVE-2026-3890)
- rust: suggest passing --locked to "cargo install"
- target/riscv: rvv: Fix page probe issues in vext_ldff
- target/riscv: rvv: Fix missing flags merge in probe_pages
for cross-page accesses
- Expand the probe_pages helper function to handle probe flags
- block: Drop detach_subchain for bdrv_replace_node
- virtio-gpu: fix overflow check when allocating 2d image
(Closes: CVE-2026-3886)
- io: Fix TLS bye task leak
- ppc/pnv: generate dtb after machine initialization is complete
- ppc/pnv: fix dumpdtb option
- block/mirror: fix assertion failure upon duplicate complete
for job using 'replaces'
- throttle-group: Fix race condition in throttle_group_restart_queue()
- target/i386: fix NULL pointer dereference in legacy-cache=off handling
- hw/dma/pl080: Ignore bottom 2 bits of LLI register
- hw/dma/pl080: Update interrupts after pl080_run()
- hw/dma/pl080: Handle bogus swidth and dwidth in transfers
- linux-user: fix mremap with old_size=0 for shared mappings
- linux-user: Fix zero_bss for RX PT_LOAD segments
- hw/net/rtl8319: Work around GCC sanitizer / -Wstringop-overflow bug
.
* 10.0.9 stable/bugfix release:
- Update version for 10.0.9 release
- hyperv/syndbg: check length returned by cpu_physical_memory_map()
(Closes: CVE-2026-3842)
- fuse: Copy write buffer content before polling
- target/loongarch: Avoid recursive PNX exception on CSR_BADI fetch
- target/loongarch: Preserve PTE permission bits in LDPTE
- hw/net/npcm_gmac: Catch accesses off the end of the register array
- linux-user: fix TIOCGSID ioctl
- tests/tcg/multiarch/test-mmap: Check mmaps beyond reserved_va
- bsd-user: Deal with mmap where start > reserved_va
- linux-user: Deal with mmap where start > reserved_va
- hw/net/xilinx_ethlite: Check for oversized TX packets
- virtio-gpu: Ensure BHs are invoked only from main-loop thread
- block/nfs: Do not enter coroutine from CB
- block: Never drop BLOCK_IO_ERROR with action=stop for rate limiting
- block/throttle-groups: fix deadlock with iolimits and muliple iothreads
- mirror: Fix missed dirty bitmap writes during startup
(Closes: #1129349)
- block/curl: fix concurrent completion handling
- block/vmdk: fix OOB read in vmdk_read_extent()
(Closes: #1128478, CVE-2026-2243)
- hw/net/smc91c111: Don't allow negative-length packets
- io: fix cleanup for websock I/O source data on cancellation
- io: fix cleanup for TLS I/O source data on cancellation
- io: separate freeing of tasks from marking them as complete
- target/i386/hvf/x86_mmu: Fix compiler warning
- hw/i386/vmmouse: Fix hypercall clobbers
- tests/docker: upgrade most non-lcitool debian tests to debian 13
- hw/9pfs: fix missing EOPNOTSUPP on Twstat and Trenameat
for fs synth driver
- hw/9pfs: fix data race in v9fs_mark_fids_unreclaim()
- target/arm: set the correct TI bits for WFIT traps
- hw/ssi/xilinx_spips: Reset TX FIFO in reset
- hw/misc/virt_ctrl: Fix incorrect trace event in read operation
- virtio-snd: tighten read amount in in_cb
(Closes: #1129604, CVE-2026-3195)
- virtio-snd: fix max_size bounds check in input cb
(Closes: #1129604, CVE-2026-3195)
- virtio-snd: handle 5.14.6.2 for PCM_INFO properly
(Closes: #1129605, CVE-2026-3196)
- virtio-snd: remove TODO comments
- virtio-gpu-virgl: Add virtio-gpu-virgl-hostmem-region type
(was in virtio-gpu-virgl-Add-virtio-gpu-virgl-hostmem-region.patch)
- target/arm: Fix feature check in DO_SVE2_RRX, DO_SVE2_RRX_TB
- target/arm: Account for SME in aarch64_sve_narrow_vq() assertion
- target/arm: Introduce ARMCPU.sme_max_vq
- hw/i2c/aspeed_i2c: Fix out-of-bounds read in I2C MMIO handlers
- docs/about/emulation: Add documentation for hotblocks plugin arguments
- contrib/plugins/hotblocks: Print uint64_t with PRIu64 rather than PRId64
- contrib/plugins/hotblocks: Fix off by one error in iteration
of sorted blocks
- contrib/plugins/hotblocks: Correctly free sorted counts list
- contrib/plugins: Fix type conflict of GLib function pointers
- python: drop uses of pkg_resources
- plugins: fix cross-build using LLVM for Windows targets
- s390x/pci: Fix endianness for zPCI BAR values
Checksums-Sha1:
6d489125e6cf4c2fd5ee94506bae5b6b6b77c0d2 12560 qemu_10.0.10+ds-0+deb13u1.dsc
fed5a9ddccdf09002a8f26dc442936c6e4b7d09a 39979984 qemu_10.0.10+ds.orig.tar.xz
8ccd8eedcdbed7af6bd49da1f7dec25c05a4826e 148364
qemu_10.0.10+ds-0+deb13u1.debian.tar.xz
41e9f20c4e82591fc5c869c8cdbaffdfa56c5397 8302
qemu_10.0.10+ds-0+deb13u1_source.buildinfo
Checksums-Sha256:
0a3a55cf1c9ab05709708abacc79a50309dbe5f9c711e0d40dd4bf5220d3ae7a 12560
qemu_10.0.10+ds-0+deb13u1.dsc
fdf3f4dd475cd7771db0407556cd98b3adcdc0a3a0cba1b5b93b320f3d1a135e 39979984
qemu_10.0.10+ds.orig.tar.xz
9f6ab62c7f079e62571ebffada243c95ca042b56a9535e90508bf76fff116c24 148364
qemu_10.0.10+ds-0+deb13u1.debian.tar.xz
d083764143a64b95aaa9cf9b78e63d09e4608d182c8dcf4132e0cc025c7f2e20 8302
qemu_10.0.10+ds-0+deb13u1_source.buildinfo
Files:
7ac7978c2eb405bbae7ca645bb0c3dd8 12560 otherosfs optional
qemu_10.0.10+ds-0+deb13u1.dsc
77d77a340cd841ad86bdbfc481ca5a4e 39979984 otherosfs optional
qemu_10.0.10+ds.orig.tar.xz
9f693854cde70a1ca83283207371117b 148364 otherosfs optional
qemu_10.0.10+ds-0+deb13u1.debian.tar.xz
29bf446853b3e68c7ccf40025a64eacf 8302 otherosfs optional
qemu_10.0.10+ds-0+deb13u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
wsG7BAEBCgBvBYJqKldWCRCCqkokOx6UeEcUAAAAAAAeACBzYWx0QG5vdGF0aW9u
cy5zZXF1b2lhLXBncC5vcmcQ1YAfzOvxi3ZrsY2/KfmwaggbYPLTkKrHt/UDt4BZ
SxYhBGSqKrUx1WkDNmv++YKqSiQ7HpR4AAClBhAAxARDk60LxvR5RWSKy5LhNvqY
aUOuQ0dfLqjfjZfiZ5Je/geIlPAooI0PvJASmk/F9/o+7Jdwlpkuawo44ue6LtXN
iduH/Qx6dC8iFHJKtGgdz2eqelSbh2gNpFXDoryirVvOwOy0NlHULjSgP0jA3ua4
6NI/csXCJIUjQ0dd6i07TsuZV+mfCIkuWcWega7FWr96sbzud/bsUMSf8pmx0b12
FrmX3RVHvJUeD8ID/pd8YSQUMrVW5RrQHRZFivfcCvVthWcL/1rr37N41L+GGW87
z+WEzXvYztN8P4EVsLC53Yo+LEiKV2DNXwTZgKDnB56Si8yFMqpdov+6lT+IG4MP
oLB7o2jjBNgg2uX7vUCk3DIu2XgCz+mjTiUXXhcuR4mfTBDuqF1wBsNJwOBfQSfV
jE8njKzRU78MFobLpoakVe1JoKVAdnoBTTOngfa0V5LXavTUouyxqYKEJbcIydSV
6xJP3alYNoBV3cOp3pYXrHiOB8NiA2iQTjAGG+BKgm0Bm6wJFtSU7jVojt581VrI
+3lXeq5sFZhut06rp3ZXGBcfe0QuSfpqCX0e0pv5OAeYOZr+KeIwIAUN4vTIegFD
CaOraGjTHPR7tgHrIPJ2w1+9EhSwZ/rmy9wkSGP/CiATq5R6eWFuzMKsIS4u/LDQ
QRF4pU0mu10oTzihdr8=
=3cRM
-----END PGP SIGNATURE-----
pgp3fvfrQ55rS.pgp
Description: PGP signature
--- End Message ---