Your message dated Tue, 14 Apr 2020 10:07:28 +0000
with message-id <[email protected]>
and subject line Bug#956145: fixed in qemu 1:4.2-4
has caused the Debian Bug report #956145,
regarding qemu: CVE-2020-11102
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
956145: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956145
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: qemu
Version: 1:4.2-3
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for qemu.

CVE-2020-11102[0]:
| hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying
| of tx/rx buffers because the frame size is not validated against the
| r/w data length.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-11102
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11102
[1] https://www.openwall.com/lists/oss-security/2020/04/06/1

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: qemu
Source-Version: 1:4.2-4
Done: Michael Tokarev <[email protected]>

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 14 Apr 2020 12:44:43 +0300
Source: qemu
Architecture: source
Version: 1:4.2-4
Distribution: unstable
Urgency: medium
Maintainer: Debian QEMU Team <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 866756 953910 955741 956145
Changes:
 qemu (1:4.2-4) unstable; urgency=medium
 .
   [ Michael Tokarev ]
   * d/rules: build minimal configuration for qboot/microvm usage
   * set microvm to be the default machine type for microvm case
   * install ui-spice-app.so in qemu-system-common
   * do not depend on libattr-dev, functions are now in libc6 (Closes: #953910)
   * net-tulip-check-frame-size-and-r-w-data-length-CVE-2020-11102.patch
     (Closes: #956145, CVE-2020-11102, tulip nic buffer overflow)
   * qemu-system-data: s/highcolor/hicolor/ (Closes: #955741)
   * switch binfmt registration to use update-binfmts --[un]import
     (Closes: #866756)
   * build openbios-ppc & openbios-sparc binaries in qemu-system-data,
     and replace corresponding binary packages.
     Add gcc-sparc64-linux-gnu, fcode-utils & xsltproc to build-depend-indep
   * build and provide/replace qemu-slof too
 .
   [ Aurelien Jarno ]
   * enable support for riscv64 hosts

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
