Your message dated Wed, 25 Nov 2009 10:27:26 +0000
with message-id <[email protected]>
and subject line Bug#557737: fixed in kvm 88+dfsg-2
has caused the Debian Bug report #557737,
regarding kvm: CVE-2009-2287 and CVE-2009-3640
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
557737: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=557737
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: kvm
Version: 85+dfsg-4.1
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for kvm.

CVE-2009-2287[0]:
| The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel
| 2.6 before 2.6.30, when running on x86 systems, does not validate the
| page table root in a KVM_SET_SREGS call, which allows local users to
| cause a denial of service (crash or hang) via a crafted cr3 value,
| which triggers a NULL pointer dereference in the gfn_to_rmap function.

CVE-2009-3640[1]:
| The update_cr8_intercept function in arch/x86/kvm/x86.c in the KVM
| subsystem in the Linux kernel before 2.6.32-rc1 does not properly
| handle the absence of an Advanced Programmable Interrupt Controller
| (APIC), which allows local users to cause a denial of service (NULL
| pointer dereference and system crash) or possibly gain privileges via
| a call to the kvm_vcpu_ioctl function.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2287
    http://security-tracker.debian.org/tracker/CVE-2009-2287
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3640
    http://security-tracker.debian.org/tracker/CVE-2009-3640



--- End Message ---
--- Begin Message ---
Source: kvm
Source-Version: 88+dfsg-2

We believe that the bug you reported is fixed in the latest version of
kvm, which is due to be installed in the Debian FTP archive:

kvm-dbg_88+dfsg-2_i386.deb
  to main/k/kvm/kvm-dbg_88+dfsg-2_i386.deb
kvm-source_88+dfsg-2_all.deb
  to main/k/kvm/kvm-source_88+dfsg-2_all.deb
kvm_88+dfsg-2.diff.gz
  to main/k/kvm/kvm_88+dfsg-2.diff.gz
kvm_88+dfsg-2.dsc
  to main/k/kvm/kvm_88+dfsg-2.dsc
kvm_88+dfsg-2_i386.deb
  to main/k/kvm/kvm_88+dfsg-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <[email protected]> (supplier of updated kvm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 24 Nov 2009 21:17:58 +0100
Source: kvm
Binary: kvm kvm-source kvm-dbg
Architecture: source all i386
Version: 88+dfsg-2
Distribution: experimental
Urgency: low
Maintainer: Jan Lübbe <[email protected]>
Changed-By: Guido Günther <[email protected]>
Description: 
 kvm        - Full virtualization on x86 hardware
 kvm-dbg    - Debugging info for kvm
 kvm-source - Source for the KVM driver
Closes: 553986 557736 557737 557739
Changes: 
 kvm (88+dfsg-2) experimental; urgency=low
 .
   * [b2e3840] Make patches gbp-pq/git-am friendly. Drop unused patches.
   * [4c9a8a5] Merge patches changing paths and also fix patch in vl.c.
     (Closes: #553986)
   * [b5b96e3] Fix CVE-2009-4004 (Closes: #557736)
   * [1a64955] Fix CVE-2009-2287 (Closes: #557737)
   * [a315182] Fix CVE-2009-3640 (Closes: #557737)
   * [62a4d2f] Fix CVE-2009-3722 (Closes: #557739)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLDF2fn88szT8+ZCYRAq/zAJ9mkB8R4ejt0o1MwF9G/Bstxp5EnwCfchyd
PtgFWtFSTdqHmVOUkEmyQPI=
=vbx0
-----END PGP SIGNATURE-----



--- End Message ---
