Your message dated Thu, 14 Aug 2025 07:22:31 +0000
with message-id <[email protected]>
and subject line Bug#1111030: fixed in qemu 1:10.1.0~rc3+ds-1
has caused the Debian Bug report #1111030,
regarding qemu: CVE-2025-8860
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1111030: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111030
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: qemu
Version: 1:10.0.3+ds-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for qemu.
CVE-2025-8860[0]:
| uefi-vars: information disclosure vulnerability in uefi_vars_write
| callback
Unfortunately, at the time of writing this bug report I have not found any
further information on this issue apart from its main reference in Red
Hat's bugzilla[1]. Do you happen to know more? Is it reported upstream,
and do we have upstream references?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-8860
    https://www.cve.org/CVERecord?id=CVE-2025-8860
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2387588
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: qemu
Source-Version: 1:10.1.0~rc3+ds-1
Done: Michael Tokarev <[email protected]>
We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated qemu package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 14 Aug 2025 09:36:37 +0300
Source: qemu
Architecture: source
Version: 1:10.1.0~rc3+ds-1
Distribution: experimental
Urgency: medium
Maintainer: Debian QEMU Team <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 1111030
Changes:
 qemu (1:10.1.0~rc3+ds-1) experimental; urgency=medium
 .
   * new upstream release candidate (d/control.mk: 10.1.0~rc3+ds)
   * d/rules: fix typo in comment (it is qemu-system-data, not qemu-user-data)
   * d/qemu-user.postinst: trigger /usr/lib/binfmt.d (#1110982)
   * d/control: omit system-xen if omit-system build profile is specified
   * qemu-user binfmts: stop supporting old kernels using custom patch
     It's been too long (buster? stretch?) since kernel supports native way
   * d/binfmt-install: do not generate update-binfmt un-registration
     postinst script for upgrades from bookworm
   * d/control: drop old (pre-bookworm) breaks/replaces/conflicts/provides
   * hw-uefi-clear-uefi-vars-buffer-in-uefi_vars_write-CVE-2025-8860.patch
     (Closes: #1111030, CVE-2025-8860)
--- End Message ---