Santiago R.R. pushed to branch master at Debian Security Tracker / security-tracker


Commits:
14b3a15f by Santiago Ruano Rincón at 2025-04-30T13:07:23-03:00
Reserve DLA-4144-1 for qemu

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -114935,7 +114935,6 @@ CVE-2024-26815 (In the Linux kernel, the following 
vulnerability has been resolv
 CVE-2024-3447 (A heap-based buffer overflow was found in the SDHCI device 
emulation o ...)
        - qemu 1:8.2.3+ds-1 (bug #1068821)
        [bookworm] - qemu 1:7.2+dfsg-7+deb12u6
-       [bullseye] - qemu <no-dsa> (Minor issue)
        [buster] - qemu <no-dsa> (Minor issue)
        NOTE: https://patchew.org/QEMU/[email protected]/
        NOTE: https://patchew.org/QEMU/[email protected]/
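Review bot: With the "[bullseye] - qemu <no-dsa> (Minor issue)" line dropped and no "{DLA-4144-1}" cross-reference added to this entry (compare the "{DLA-3759-1}" line carried by the CVE-2023-5088 entry further down), CVE-2024-3447 is left with no bullseye state at all in data/CVE/list until the new data/DLA/list entry is matched. If the convention is to add the marker only when the advisory is published rather than at reservation time, that is fine; otherwise add "{DLA-4144-1}" here in the same commit so the bullseye fix recorded in data/DLA/list is visibly tied to the CVE.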
@@ -140087,7 +140086,6 @@ CVE-2015-10128 (A vulnerability was found in 
rt-prettyphoto Plugin up to 1.2 on
 CVE-2023-6693 (A stack based buffer overflow was found in the virtio-net 
device of QE ...)
        - qemu 1:8.2.0+ds-3
        [bookworm] - qemu 1:7.2+dfsg-7+deb12u4
-       [bullseye] - qemu <no-dsa> (Minor issue)
        [buster] - qemu <not-affected> (Vulnerable code introduced later)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2254580
        NOTE: Introduced by: 
https://gitlab.com/qemu-project/qemu/-/commit/e22f0603fb2fc274920a9e3a1d1306260b9a4cc4
 (v5.1.0-rc0)
@@ -150457,7 +150455,6 @@ CVE-2023-5088 (A bug in QEMU could cause a guest I/O 
operation otherwise address
        {DLA-3759-1}
        - qemu 1:8.1.1+ds-2
        [bookworm] - qemu 1:7.2+dfsg-7+deb12u3
-       [bullseye] - qemu <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2247283
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/471a9310fd92b3e1a33d06dba2e0cf0f0b5590e0
 (v7.2.7)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/7d7512019fc40c577e2bdd61f114f31a9eb84a8e
 (v8.2.0-rc0)
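Review bot: This entry already carries "{DLA-3759-1}", yet CVE-2023-5088 is listed again in the DLA-4144-1 set and the bullseye line being removed was still "<no-dsa> (Minor issue)". Please confirm what DLA-3759-1 covered: if it already shipped a qemu fix for bullseye the CVE should not be announced a second time and the no-dsa line would have been wrong, and if it was issued for a different source package the existing reference can stay next to the new one, but a NOTE saying which case applies would avoid the same question for the next reader.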
@@ -168013,7 +168010,6 @@ CVE-2023-3019 (A DMA reentrancy issue leading to a 
use-after-free error was foun
        [experimental] - qemu 1:8.1.0+ds-1~exp1
        - qemu 1:8.2.0+ds-1 (bug #1041102)
        [bookworm] - qemu 1:7.2+dfsg-7+deb12u4
-       [bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
        [buster] - qemu <no-dsa> (Minor issue)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59243
        NOTE: Proposed upstream patch: 
https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html
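Review bot: The NOTE still describes the fix as a "Proposed upstream patch" from qemu-devel 2023-05, although the entry records fixes in 1:8.2.0+ds-1 and bookworm 1:7.2+dfsg-7+deb12u4 and a bullseye update is now being reserved, while the removed bullseye line's reason was "revisit when fixed upstream". Supplement it with a "NOTE: Fixed by:" line naming the merged upstream commit and the version it landed in, as the CVE-2023-5088 and CVE-2023-1544 entries do, so the postponed rationale is visibly resolved.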
@@ -183715,7 +183711,6 @@ CVE-2023-1545 (SQL Injection in GitHub repository 
nilsteampassnet/teampass prior
 CVE-2023-1544 (A flaw was found in the QEMU implementation of VMWare's 
paravirtual RD ...)
        - qemu 1:8.2.0+ds-1 (bug #1034179)
        [bookworm] - qemu 1:7.2+dfsg-7+deb12u3
-       [bullseye] - qemu <no-dsa> (Minor issue)
        [buster] - qemu <ignored> (PVRDMA support not enabled in the binary 
packages)
        NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c7320d1641d344d0c5dfbe341d087
 (v8.2.0-rc0)
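Review bot: The buster line is kept as "<ignored> (PVRDMA support not enabled in the binary packages)", but nothing in the hunk says whether bullseye's qemu build enables PVRDMA. If it does not, the same ignored rationale applies to bullseye and CVE-2023-1544 does not need to be part of the DLA; if it does, a NOTE stating that would explain why buster and bullseye are treated differently for the same code.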


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[30 Apr 2025] DLA-4144-1 qemu - security update
+       {CVE-2023-1544 CVE-2023-3019 CVE-2023-5088 CVE-2023-6693 CVE-2024-3447}
+       [bullseye] - qemu 1:5.2+dfsg-11+deb11u4
 [30 Apr 2025] DLA-4143-1 glibc - security update
        {CVE-2025-0395}
        [bullseye] - glibc 2.31-13+deb11u12
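Review bot: The CVE set of DLA-4144-1 omits CVE-2024-3446, which the dla-needed.txt notes removed in this same commit list next to CVE-2024-3447 as a "bookworm 12.6" fix and last mention as deliberately left out ("WIP, without CVE-2024-3446"). Since the qemu entry in dla-needed.txt is being dropped, make sure CVE-2024-3446 has an explicit bullseye state in data/CVE/list (for example <postponed> with the reproduction status from the 20250108 note) so it does not silently fall out of the LTS queue.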


=====================================
data/dla-needed.txt
=====================================
@@ -303,19 +303,6 @@ pytorch
   NOTE: 20250422: Added by Front-Desk (rouca)
   NOTE: 20250422: CVE-2025-32434 RCE need to be fixed. DoS may be postponed 
(rouca/FD)
 --
-qemu (santiago)
-  NOTE: 20240815: Added by Front-Desk (Beuc)
-  NOTE: 20240815: Follow fixes from bookworm 12.4 (CVE-2023-5088)
-  NOTE: 20240815: Follow fixes from bookworm 12.5 (CVE-2023-3019, 
CVE-2023-6693)
-  NOTE: 20240815: Follow fixes from bookworm 12.6 (CVE-2024-3446,CVE-2024-3447)
-  NOTE: 20240815: CVE-2024-4467 fix also proposed for 12.7 
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076504)
-  NOTE: 20241119: Bookworm PU in progress 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086572
-  NOTE: 20241227: WIP
-  NOTE: 20250108: Still trying to reproduce CVE-2024-3446. According to 
upstream, it seems it is possible (santiago)
-  NOTE: 20250311: resuming the work
-  NOTE: 20250331: WIP, without CVE-2024-3446
-  NOTE: 20250424: WIP, testing
---
 rails
   NOTE: 20250105: Added by Front-Desk (apo)
   NOTE: 20250305: Utkarsh uploaded the CVE fixes to unstable via 
rails/7.2.2.1. (utkarsh)
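Review bot: The whole qemu entry is removed, including the 20240815 note that a CVE-2024-4467 fix was also proposed for bookworm 12.7 (bug #1076504) and the 20241119 bookworm PU pointer (bug #1086572); CVE-2024-4467 is not in the DLA-4144-1 CVE set either. If it is still to be followed for bullseye, leave a reduced qemu entry carrying that note instead of dropping the only pointer to it together with the finished work.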



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14b3a15fd0eda8ef7ea78702a9173e0e47cada50
