Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits: 2e85e39d by Sylvain Beucler at 2022-11-08T14:14:18+01:00 qemu: update buster triage 2021-2022 for LTS - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -50003,9 +50003,9 @@ CVE-2022-1051 (The WPQA Builder Plugin WordPress plugin before 5.2, used as a co CVE-2022-1050 (A flaw was found in the QEMU implementation of VMWare's paravirtual RD ...) - qemu 1:7.1+dfsg-2 (bug #1014589) [bullseye] - qemu <no-dsa> (Minor issue) - [buster] - qemu <no-dsa> (Minor issue) + [buster] - qemu <postponed> (Minor issue, waiting for sanctioned patch, patch included in unstable) [stretch] - qemu <not-affected> (rdma devices introduced in v2.12) - NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html + NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2022-04/msg00273.html CVE-2022-1049 (A flaw was found in the Pacemaker configuration tool (pcs). The pcs da ...) {DSA-5226-1 DLA-3108-1} - pcs 0.11.3-1 @@ -53665,7 +53665,7 @@ CVE-2022-26354 (A flaw was found in the vhost-vsock device of QEMU. In case of e CVE-2022-26353 (A flaw was found in the virtio-net device of QEMU. This flaw was inadv ...) {DSA-5133-1} - qemu 1:7.0+dfsg-1 - [buster] - qemu <not-affected> (Original upstream fix for CVE-2021-3748 not applied) + [buster] - qemu <not-affected> (Original upstream fix for CVE-2021-3748 not applied, new fix applied in DSA) [stretch] - qemu <not-affected> (Original upstream fix for CVE-2021-3748 not applied) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2063197 NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg02438.html @@ -64081,7 +64081,7 @@ CVE-2022-0218 (The WP HTML Mail WordPress plugin is vulnerable to unauthorized a CVE-2022-0216 (A use-after-free vulnerability was found in the LSI53C895A SCSI Host B ...) - qemu 1:7.1+dfsg-1 (bug #1014590) [bullseye] - qemu <no-dsa> (Minor issue) - [buster] - qemu <no-dsa> (Minor issue) + [buster] - qemu <postponed> (Minor issue, DoS, fix along with next DLA) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2036953 NOTE: https://starlabs.sg/advisories/22/22-0216/ NOTE: https://gitlab.com/qemu-project/qemu/-/issues/972 @@ -77748,7 +77748,7 @@ CVE-2021-3930 (An off-by-one error was found in the SCSI device emulation in QEM CVE-2021-3929 (A DMA reentrancy issue was found in the NVM Express Controller (NVME) ...) - qemu 1:7.0+dfsg-1 [bullseye] - qemu <no-dsa> (Minor issue; nvme support preliminary supported) - [buster] - qemu <no-dsa> (Minor issue; nvme support preliminary supported) + [buster] - qemu <no-dsa> (Minor issue; nvme support preliminary supported, possibly not-affected) [stretch] - qemu <not-affected> (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2020298 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/556 @@ -88053,8 +88053,8 @@ CVE-2021-40320 CVE-2021-3750 (A DMA reentrancy issue was found in the USB EHCI controller emulation ...) - qemu 1:7.0+dfsg-1 [bullseye] - qemu <no-dsa> (Minor issue) - [buster] - qemu <no-dsa> (Minor issue) - [stretch] - qemu <postponed> (Fix along with a future DLA) + [buster] - qemu <postponed> (Minor issue, fix along with next DLA) + [stretch] - qemu <postponed> (Fix along with next DLA) NOTE: https://gitlab.com/qemu-project/qemu/-/issues/541 NOTE: Fix for whole class of DMA MMIO reentrancy issues: https://gitlab.com/qemu-project/qemu/-/issues/556 NOTE: Patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03692.html @@ -88072,6 +88072,7 @@ CVE-2021-3748 (A use-after-free vulnerability was found in the virtio-net device {DSA-4980-1 DLA-3099-1 DLA-2970-1} - qemu 1:6.1+dfsg-6 (bug #993401) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1998514 + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6 (v6.2.0-rc0) NOTE: When fixing this issue make sure to not open CVE-2022-26353 CVE-2021-40319 RESERVED @@ -88638,10 +88639,9 @@ CVE-2021-3739 (A NULL pointer dereference flaw was found in the btrfs_rm_device CVE-2021-3735 (A deadlock issue was found in the AHCI controller device of QEMU. It o ...) - qemu <unfixed> (bug #1014767) [bullseye] - qemu <no-dsa> (Minor issue) - [buster] - qemu <no-dsa> (Minor issue) - [stretch] - qemu <postponed> (Fix along with a future DLA) + [buster] - qemu <postponed> (Minor issue, waiting for patch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1997184 - NOTE: No upstream patch as of 2022-01-28 + NOTE: No upstream patch as of 2022-11-08 CVE-2021-40083 (Knot Resolver before 5.3.2 is prone to an assertion failure, triggerab ...) [experimental] - knot-resolver 5.4.1-1 - knot-resolver 5.4.1-2 (bug #991463) @@ -102243,7 +102243,7 @@ CVE-2021-3595 (An invalid pointer initialization issue was found in the SLiRP ne - libslirp 4.6.1-1 (bug #989996) [bullseye] - libslirp 4.4.0-1+deb11u2 - qemu 1:4.1-2 - [buster] - qemu <no-dsa> (Minor issue) + [buster] - qemu <postponed> (Minor issue, fix along with next DLA, fixed in stretch-lts) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3f17948137155f025f7809fdc38576d5d2451c3d (v4.6.0) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/990163cf3ac86b7875559f49602c4d76f46f6f30 (v4.6.0) @@ -102253,7 +102253,7 @@ CVE-2021-3594 (An invalid pointer initialization issue was found in the SLiRP ne - libslirp 4.6.1-1 (bug #989995) [bullseye] - libslirp 4.4.0-1+deb11u2 - qemu 1:4.1-2 - [buster] - qemu <no-dsa> (Minor issue) + [buster] - qemu <postponed> (Minor issue, fix along with next DLA, fixed in stretch-lts) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/74572be49247c8c5feae7c6e0b50c4f569ca9824 (v4.6.0) NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed. @@ -102262,7 +102262,7 @@ CVE-2021-3593 (An invalid pointer initialization issue was found in the SLiRP ne - libslirp 4.6.1-1 (bug #989994) [bullseye] - libslirp 4.4.0-1+deb11u2 - qemu 1:4.1-2 - [buster] - qemu <no-dsa> (Minor issue) + [buster] - qemu <postponed> (Minor issue, fix along with next DLA, fixed in stretch-lts) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/de71c15de66ba9350bf62c45b05f8fbff166517b (v4.6.0) NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed. @@ -102270,8 +102270,8 @@ CVE-2021-3592 (An invalid pointer initialization issue was found in the SLiRP ne - libslirp 4.6.1-1 (bug #989993) [bullseye] - libslirp 4.4.0-1+deb11u2 - qemu 1:4.1-2 - [buster] - qemu <no-dsa> (Minor issue) - [stretch] - qemu <ignored> (Introduces a regression. See Debian bug #994080) + [buster] - qemu <postponed> (Minor issue, fix along in next DLA if doesn't introduce #994080) + [stretch] - qemu <ignored> (Introduces a regression. See Debian bug #994080. Reverted in DLA-2753-2) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f13cad45b25d92760bb0ad67bec0300a4d7d5275 (v4.6.0) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2eca0838eee1da96204545e22cdaed860d9d7c6c (v4.6.0) @@ -139830,10 +139830,10 @@ CVE-2021-20255 (A stack overflow via an infinite recursion vulnerability was fou {DLA-2623-1} - qemu <unfixed> (bug #984451) [bullseye] - qemu <postponed> (Minor issue) - [buster] - qemu <postponed> (Minor issue) + [buster] - qemu <postponed> (Minor issue, waiting for sanctioned patch, fixed in stretch-lts) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Feepro100_stackoverflow1 - NOTE: No upstream patch as of 2022-04-21 + NOTE: No sanctioned upstream patch as of 2022-11-08 CVE-2021-20254 (A flaw was found in samba. The Samba smbd file server must map Windows ...) {DLA-2668-1} - samba 2:4.13.5+dfsg-2 (bug #987811) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e85e39d3f11dbb0d13d44f4344f599dd2135c96 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e85e39d3f11dbb0d13d44f4344f599dd2135c96 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits