Sylvain Beucler pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
2e85e39d by Sylvain Beucler at 2022-11-08T14:14:18+01:00
qemu: update buster triage 2021-2022 for LTS
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -50003,9 +50003,9 @@ CVE-2022-1051 (The WPQA Builder Plugin WordPress plugin
before 5.2, used as a co
CVE-2022-1050 (A flaw was found in the QEMU implementation of VMWare's
paravirtual RD ...)
- qemu 1:7.1+dfsg-2 (bug #1014589)
[bullseye] - qemu <no-dsa> (Minor issue)
- [buster] - qemu <no-dsa> (Minor issue)
+ [buster] - qemu <postponed> (Minor issue, waiting for sanctioned patch,
patch included in unstable)
[stretch] - qemu <not-affected> (rdma devices introduced in v2.12)
- NOTE:
https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html
+ NOTE:
https://lists.nongnu.org/archive/html/qemu-devel/2022-04/msg00273.html
CVE-2022-1049 (A flaw was found in the Pacemaker configuration tool (pcs). The
pcs da ...)
{DSA-5226-1 DLA-3108-1}
- pcs 0.11.3-1
@@ -53665,7 +53665,7 @@ CVE-2022-26354 (A flaw was found in the vhost-vsock
device of QEMU. In case of e
CVE-2022-26353 (A flaw was found in the virtio-net device of QEMU. This flaw
was inadv ...)
{DSA-5133-1}
- qemu 1:7.0+dfsg-1
- [buster] - qemu <not-affected> (Original upstream fix for CVE-2021-3748
not applied)
+ [buster] - qemu <not-affected> (Original upstream fix for CVE-2021-3748
not applied, new fix applied in DSA)
[stretch] - qemu <not-affected> (Original upstream fix for
CVE-2021-3748 not applied)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2063197
NOTE:
https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg02438.html
@@ -64081,7 +64081,7 @@ CVE-2022-0218 (The WP HTML Mail WordPress plugin is
vulnerable to unauthorized a
CVE-2022-0216 (A use-after-free vulnerability was found in the LSI53C895A SCSI
Host B ...)
- qemu 1:7.1+dfsg-1 (bug #1014590)
[bullseye] - qemu <no-dsa> (Minor issue)
- [buster] - qemu <no-dsa> (Minor issue)
+ [buster] - qemu <postponed> (Minor issue, DoS, fix along with next DLA)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2036953
NOTE: https://starlabs.sg/advisories/22/22-0216/
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/972
@@ -77748,7 +77748,7 @@ CVE-2021-3930 (An off-by-one error was found in the
SCSI device emulation in QEM
CVE-2021-3929 (A DMA reentrancy issue was found in the NVM Express Controller
(NVME) ...)
- qemu 1:7.0+dfsg-1
[bullseye] - qemu <no-dsa> (Minor issue; nvme support preliminary
supported)
- [buster] - qemu <no-dsa> (Minor issue; nvme support preliminary
supported)
+ [buster] - qemu <no-dsa> (Minor issue; nvme support preliminary
supported, possibly not-affected)
[stretch] - qemu <not-affected> (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2020298
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/556
@@ -88053,8 +88053,8 @@ CVE-2021-40320
CVE-2021-3750 (A DMA reentrancy issue was found in the USB EHCI controller
emulation ...)
- qemu 1:7.0+dfsg-1
[bullseye] - qemu <no-dsa> (Minor issue)
- [buster] - qemu <no-dsa> (Minor issue)
- [stretch] - qemu <postponed> (Fix along with a future DLA)
+ [buster] - qemu <postponed> (Minor issue, fix along with next DLA)
+ [stretch] - qemu <postponed> (Fix along with next DLA)
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/541
NOTE: Fix for whole class of DMA MMIO reentrancy issues:
https://gitlab.com/qemu-project/qemu/-/issues/556
NOTE: Patchset:
https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03692.html
@@ -88072,6 +88072,7 @@ CVE-2021-3748 (A use-after-free vulnerability was found
in the virtio-net device
{DSA-4980-1 DLA-3099-1 DLA-2970-1}
- qemu 1:6.1+dfsg-6 (bug #993401)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1998514
+ NOTE:
https://gitlab.com/qemu-project/qemu/-/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6
(v6.2.0-rc0)
NOTE: When fixing this issue make sure to not open CVE-2022-26353
CVE-2021-40319
RESERVED
@@ -88638,10 +88639,9 @@ CVE-2021-3739 (A NULL pointer dereference flaw was
found in the btrfs_rm_device
CVE-2021-3735 (A deadlock issue was found in the AHCI controller device of
QEMU. It o ...)
- qemu <unfixed> (bug #1014767)
[bullseye] - qemu <no-dsa> (Minor issue)
- [buster] - qemu <no-dsa> (Minor issue)
- [stretch] - qemu <postponed> (Fix along with a future DLA)
+ [buster] - qemu <postponed> (Minor issue, waiting for patch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1997184
- NOTE: No upstream patch as of 2022-01-28
+ NOTE: No upstream patch as of 2022-11-08
CVE-2021-40083 (Knot Resolver before 5.3.2 is prone to an assertion failure,
triggerab ...)
[experimental] - knot-resolver 5.4.1-1
- knot-resolver 5.4.1-2 (bug #991463)
@@ -102243,7 +102243,7 @@ CVE-2021-3595 (An invalid pointer initialization
issue was found in the SLiRP ne
- libslirp 4.6.1-1 (bug #989996)
[bullseye] - libslirp 4.4.0-1+deb11u2
- qemu 1:4.1-2
- [buster] - qemu <no-dsa> (Minor issue)
+ [buster] - qemu <postponed> (Minor issue, fix along with next DLA,
fixed in stretch-lts)
NOTE:
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17
(v4.6.0)
NOTE:
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3f17948137155f025f7809fdc38576d5d2451c3d
(v4.6.0)
NOTE:
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/990163cf3ac86b7875559f49602c4d76f46f6f30
(v4.6.0)
@@ -102253,7 +102253,7 @@ CVE-2021-3594 (An invalid pointer initialization
issue was found in the SLiRP ne
- libslirp 4.6.1-1 (bug #989995)
[bullseye] - libslirp 4.4.0-1+deb11u2
- qemu 1:4.1-2
- [buster] - qemu <no-dsa> (Minor issue)
+ [buster] - qemu <postponed> (Minor issue, fix along with next DLA,
fixed in stretch-lts)
NOTE:
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17
(v4.6.0)
NOTE:
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/74572be49247c8c5feae7c6e0b50c4f569ca9824
(v4.6.0)
NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as
fixed.
@@ -102262,7 +102262,7 @@ CVE-2021-3593 (An invalid pointer initialization
issue was found in the SLiRP ne
- libslirp 4.6.1-1 (bug #989994)
[bullseye] - libslirp 4.4.0-1+deb11u2
- qemu 1:4.1-2
- [buster] - qemu <no-dsa> (Minor issue)
+ [buster] - qemu <postponed> (Minor issue, fix along with next DLA,
fixed in stretch-lts)
NOTE:
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17
(v4.6.0)
NOTE:
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/de71c15de66ba9350bf62c45b05f8fbff166517b
(v4.6.0)
NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as
fixed.
@@ -102270,8 +102270,8 @@ CVE-2021-3592 (An invalid pointer initialization
issue was found in the SLiRP ne
- libslirp 4.6.1-1 (bug #989993)
[bullseye] - libslirp 4.4.0-1+deb11u2
- qemu 1:4.1-2
- [buster] - qemu <no-dsa> (Minor issue)
- [stretch] - qemu <ignored> (Introduces a regression. See Debian bug
#994080)
+ [buster] - qemu <postponed> (Minor issue, fix along in next DLA if
doesn't introduce #994080)
+ [stretch] - qemu <ignored> (Introduces a regression. See Debian bug
#994080. Reverted in DLA-2753-2)
NOTE:
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17
(v4.6.0)
NOTE:
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f13cad45b25d92760bb0ad67bec0300a4d7d5275
(v4.6.0)
NOTE:
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2eca0838eee1da96204545e22cdaed860d9d7c6c
(v4.6.0)
@@ -139830,10 +139830,10 @@ CVE-2021-20255 (A stack overflow via an infinite
recursion vulnerability was fou
{DLA-2623-1}
- qemu <unfixed> (bug #984451)
[bullseye] - qemu <postponed> (Minor issue)
- [buster] - qemu <postponed> (Minor issue)
+ [buster] - qemu <postponed> (Minor issue, waiting for sanctioned patch,
fixed in stretch-lts)
NOTE:
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
NOTE:
https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Feepro100_stackoverflow1
- NOTE: No upstream patch as of 2022-04-21
+ NOTE: No sanctioned upstream patch as of 2022-11-08
CVE-2021-20254 (A flaw was found in samba. The Samba smbd file server must map
Windows ...)
{DLA-2668-1}
- samba 2:4.13.5+dfsg-2 (bug #987811)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e85e39d3f11dbb0d13d44f4344f599dd2135c96
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e85e39d3f11dbb0d13d44f4344f599dd2135c96
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
