qemu: use canonical URL + bluetooth subsystem removed

Sylvain Beucler Tue, 25 Aug 2020 08:17:58 -0700


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker



Commits:
37e996ef by Sylvain Beucler at 2020-08-25T17:17:03+02:00
CVE-2018-19665/qemu: use canonical URL + bluetooth subsystem removed

- - - - -
0ea9ecf3 by Sylvain Beucler at 2020-08-25T17:17:03+02:00
CVE-2020-13253/qemu: reference upstream patch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -24499,6 +24499,7 @@ CVE-2020-13253 (sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 
uses an unvalidated addre
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg05835.html
        NOTE: https://www.openwall.com/lists/oss-security/2020/05/27/2
        NOTE: https://bugs.launchpad.net/qemu/+bug/1880822
+       NOTE: 
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=790762e5487114341cccc5bffcec4cb3c022c3cd
 (5.1)
 CVE-2020-13252 (Centreon before 19.04.15 allows remote attackers to execute 
arbitrary  ...)
        - centreon-web <itp> (bug #913903)
 CVE-2020-13251
@@ -112906,9 +112907,9 @@ CVE-2018-19665 (The Bluetooth subsystem in QEMU 
mishandles negative values for l
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg03822.html
        NOTE: second patch never accepted, no activity as of 20190909
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03570.html
-       NOTE: https://lists.debian.org/debian-lts/2019/01/msg00073.html
-       NOTE: 3.1 marked bluetooth subsystem deprecated
-       NOTE: https://github.com/qemu/qemu/commit/c0188e69d
+       NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2019-01/msg07426.html
+       NOTE: https://github.com/qemu/qemu/commit/c0188e69d (bluetooth 
subsystem deprecated in 3.1)
+       NOTE: https://github.com/qemu/qemu/commit/1d4ffe8dc (bluetooth 
subsystem removed in 5.0)
 CVE-2018-19664 (libjpeg-turbo 2.0.1 has a heap-based buffer over-read in the 
put_pixel ...)
        - libjpeg-turbo <not-affected> (Vulnerable code introduced later)
        NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/305



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/589e92ef50fc5d208a5c4ee89a4db30a35eb9726...0ea9ecf30187258cb75ca7f0098ef641027fc1d8

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/589e92ef50fc5d208a5c4ee89a4db30a35eb9726...0ea9ecf30187258cb75ca7f0098ef641027fc1d8
You're receiving this email because of your account on salsa.debian.org.

_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2018-19665/qemu: use canonical URL + bluetooth subsystem removed

Reply via email to