Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d08acceb by Sylvain Beucler at 2023-03-14T20:25:36+01:00
Reserve DLA-3362-1 for qemu

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -79523,7 +79523,6 @@ CVE-2022-1051 (The WPQA Builder Plugin WordPress plugin 
before 5.2, used as a co
 CVE-2022-1050 (A flaw was found in the QEMU implementation of VMWare's 
paravirtual RD ...)
        - qemu 1:7.1+dfsg-2 (bug #1014589)
        [bullseye] - qemu <no-dsa> (Minor issue)
-       [buster] - qemu <not-affected> (pvrdma disabled in [1:3.1+dfsg-4, 
1:4.1-1[)
        [stretch] - qemu <not-affected> (rdma devices introduced in v2.12)
        NOTE: 
https://gitlab.com/qemu-project/qemu/-/commit/31c4b6fb0293e359f9ef8a61892667e76eea4c99
 (master, after v7.2.0)
        NOTE: PVRDMA support not enabled in the binary packages until 
1:3.1+dfsg-3, disabled again in 1:3.1+dfsg-4 until 1:4.1-1
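Review bot: the line dropped here marked buster as `<not-affected>` for CVE-2022-1050 (pvrdma disabled in [1:3.1+dfsg-4, 1:4.1-1[), yet the data/DLA/list hunk in this commit lists CVE-2022-1050 among the issues fixed by DLA-3362-1, so the buster status changes from not-affected to fixed. The NOTE just below still says PVRDMA was disabled from 1:3.1+dfsg-4 until 1:4.1-1, which covers the buster version 1:3.1+dfsg-8+deb10u10; either the CVE should stay out of the DLA's CVE set, or a NOTE should record why the fix was shipped anyway (for example as a defensive backport), so the two files do not contradict each other.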
@@ -93728,7 +93727,6 @@ CVE-2022-0218 (The WP HTML Mail WordPress plugin is 
vulnerable to unauthorized a
 CVE-2022-0216 (A use-after-free vulnerability was found in the LSI53C895A SCSI 
Host B ...)
        - qemu 1:7.1+dfsg-1 (bug #1014590)
        [bullseye] - qemu <no-dsa> (Minor issue)
-       [buster] - qemu <postponed> (Minor issue, DoS, fix along with next DLA)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2036953
        NOTE: https://starlabs.sg/advisories/22/22-0216/
        NOTE: https://gitlab.com/qemu-project/qemu/-/issues/972
@@ -131949,7 +131947,6 @@ CVE-2021-3595 (An invalid pointer initialization 
issue was found in the SLiRP ne
        - libslirp 4.6.1-1 (bug #989996)
        [bullseye] - libslirp 4.4.0-1+deb11u2
        - qemu 1:4.1-2
-       [buster] - qemu <postponed> (Minor issue, fix along with next DLA, 
fixed in stretch-lts)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17
 (v4.6.0)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3f17948137155f025f7809fdc38576d5d2451c3d
 (v4.6.0)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/990163cf3ac86b7875559f49602c4d76f46f6f30
 (v4.6.0)
@@ -131959,7 +131956,6 @@ CVE-2021-3594 (An invalid pointer initialization 
issue was found in the SLiRP ne
        - libslirp 4.6.1-1 (bug #989995)
        [bullseye] - libslirp 4.4.0-1+deb11u2
        - qemu 1:4.1-2
-       [buster] - qemu <postponed> (Minor issue, fix along with next DLA, 
fixed in stretch-lts)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17
 (v4.6.0)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/74572be49247c8c5feae7c6e0b50c4f569ca9824
 (v4.6.0)
        NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as 
fixed.
@@ -131968,7 +131964,6 @@ CVE-2021-3593 (An invalid pointer initialization 
issue was found in the SLiRP ne
        - libslirp 4.6.1-1 (bug #989994)
        [bullseye] - libslirp 4.4.0-1+deb11u2
        - qemu 1:4.1-2
-       [buster] - qemu <postponed> (Minor issue, fix along with next DLA, 
fixed in stretch-lts)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17
 (v4.6.0)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/de71c15de66ba9350bf62c45b05f8fbff166517b
 (v4.6.0)
        NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as 
fixed.
@@ -131976,7 +131971,6 @@ CVE-2021-3592 (An invalid pointer initialization 
issue was found in the SLiRP ne
        - libslirp 4.6.1-1 (bug #989993)
        [bullseye] - libslirp 4.4.0-1+deb11u2
        - qemu 1:4.1-2
-       [buster] - qemu <postponed> (Minor issue, fix along in next DLA if 
doesn't introduce #994080)
        [stretch] - qemu <ignored> (Introduces a regression. See Debian bug 
#994080. Reverted in DLA-2753-2)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17
 (v4.6.0)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f13cad45b25d92760bb0ad67bec0300a4d7d5275
 (v4.6.0)
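Review bot: the removed buster line for CVE-2021-3592 was conditional ("fix along in next DLA if doesn't introduce #994080"), and the stretch line kept here records that the same fix was reverted in DLA-2753-2 because of that regression. With the condition gone, nothing in the entry says how DLA-3362-1 avoided reintroducing #994080; a short NOTE (e.g. which libslirp commit was actually backported and that the #994080 case was tested) would let the next reader verify that without digging up the upload.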
@@ -174705,7 +174699,6 @@ CVE-2020-29130 (slirp.c in libslirp through 4.3.1 has 
a buffer over-read because
        {DLA-2560-1}
        - libslirp 4.4.0-1
        - qemu 1:4.1-2
-       [buster] - qemu <postponed> (Fix along with next DLA, fixed in 
stretch-lts)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f
 (v4.4.0)
        NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as 
fixed.
        NOTE: 
https://github.com/rootless-containers/slirp4netns/security/advisories/GHSA-2j37-w439-87q3
@@ -188252,7 +188245,6 @@ CVE-2020-25086 (Ecommerce-CodeIgniter-Bootstrap 
before 2020-08-03 allows XSS in
 CVE-2021-3409 (The patch for CVE-2020-17380/CVE-2020-25085 was found to be 
ineffectiv ...)
        {DLA-2623-1}
        - qemu 1:5.2+dfsg-10 (bug #986795)
-       [buster] - qemu <not-affected> (CVE-2020-17380 wasn't backported to 
Buster)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
        NOTE: https://www.openwall.com/lists/oss-security/2021/03/09/1
        NOTE: New patch series: 
https://lists.nongnu.org/archive/html/qemu-devel/2021-03/msg00949.html
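Review bot: the dropped `<not-affected>` line for CVE-2021-3409 was justified only by CVE-2020-17380 not being backported to buster. That justification is void once DLA-3362-1 ships CVE-2020-17380, and the data/DLA/list hunk does list both CVEs together, which is the right pairing since CVE-2021-3409 fixes the incomplete CVE-2020-17380/CVE-2020-25085 patch; worth stating in a NOTE that the two were backported as a unit so the dependency is not lost.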
@@ -204858,7 +204850,6 @@ CVE-2020-17381 (An issue was discovered in Ghisler 
Total Commander 9.51. Due to
 CVE-2020-17380 (A heap-based buffer overflow was found in QEMU through 5.0.0 
in the SD ...)
        {DLA-2623-1}
        - qemu 1:5.2+dfsg-10 (bug #970937)
-       [buster] - qemu <postponed> (Minor issue, fix along with next DLA, 
fixed in stretch-lts)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1862167
        NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01175.html
        NOTE: 
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=dfba99f17feb6d4a129da19d38df1bcd8579d1c3
@@ -212412,7 +212403,6 @@ CVE-2020-14395
 CVE-2020-14394 (An infinite loop flaw was found in the USB xHCI controller 
emulation o ...)
        - qemu 1:7.1+dfsg-1 (bug #979677)
        [bullseye] - qemu <postponed> (Minor issue)
-       [buster] - qemu <postponed> (Minor issue, privileged local DoS, low 
CVSS, fix along with next DLA)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1908004
        NOTE: https://gitlab.com/qemu-project/qemu/-/issues/646
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/effaf5a240e03020f4ae953e10b764622c3e87cc
 (v7.1.0-rc3)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[14 Mar 2023] DLA-3362-1 qemu - security update
+       {CVE-2020-14394 CVE-2020-17380 CVE-2020-29130 CVE-2021-3409 
CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-3595 CVE-2022-0216 
CVE-2022-1050}
+       [buster] - qemu 1:3.1+dfsg-8+deb10u10
 [13 Mar 2023] DLA-3361-1 redis - security update
        {CVE-2022-36021}
        [buster] - redis 5:5.0.14-1+deb10u3
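Review bot: the ten CVEs in the braces match the ten `[buster]` lines removed from data/CVE/list in this commit (CVE-2020-14394, CVE-2020-17380, CVE-2020-29130, CVE-2021-3409, CVE-2021-3592, CVE-2021-3593, CVE-2021-3594, CVE-2021-3595, CVE-2022-0216, CVE-2022-1050), so the cross-reference is complete. The one inconsistency is CVE-2022-1050, whose removed buster entry was `<not-affected>` rather than `<postponed>`; see the note on that hunk.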


=====================================
data/dla-needed.txt
=====================================
@@ -219,13 +219,6 @@ python3.7 (Adrian Bunk)
   NOTE: 20230220: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/python.html
   NOTE: 20230228: Waiting for actual upstream fix for CVE-2023-24329. (bunk)
 --
-qemu (Sylvain Beucler)
-  NOTE: 20221108: Programming language: C.
-  NOTE: 20221108: I updated the status of all opened (minor) CVEs to more 
clearly state whether we can fix or are waiting for a patch,
-  NOTE: 20221108: there's about half of them that can be fixed now (or 
definitely ignored if backporting is too risky/complex) (Beuc/front-desk)
-  NOTE: 20221209: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/qemu.html
-  NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/qemu.git
---
 r-cran-commonmark
   NOTE: 20221009: Programming language: R.
   NOTE: 20221009: Please synchronize with ghostwriter.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d08acceb0e496ad4354718824eac402f68c68f9a

_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits