Control: tag -1 + pending
23.09.2016 19:18, Salvatore Bonaccorso wrote:
> Source: qemu
> Version: 1:2.6+dfsg-3.1
> Severity: important
> Tags: security upstream patch
>
> Hi,
>
> the following vulnerability was published for qemu.
>
> CVE-2016-7466[0]:
> usb: xhci memory leakage during device unplug
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-7466
>
> Please adjust the affected versions in the BTS as needed.

The affected code has been introduced in 2.2.0-rc. Before
that, xhci devices weren't hot-un-pluggable, so the bug
didn't exist.
No previous Debian releases are affected.
Moreover, device unplug can only be triggered from the outside of
the guest, i.e., by the administrator running the virtual machine.
Thanks,
/mjt