Your message dated Thu, 21 Aug 2025 18:02:14 +0000
with message-id <[email protected]>
and subject line Bug#1111030: fixed in qemu 1:10.0.3+ds-4
has caused the Debian Bug report #1111030,
regarding qemu: CVE-2025-8860
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1111030: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111030
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: qemu
Version: 1:10.0.3+ds-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for qemu.

CVE-2025-8860[0]:
| uefi-vars: information disclosure vulnerability in uefi_vars_write
| callback

Unfortunately, at the time of writing this bug report I have not found any
further information on this issue apart from its main reference in Red
Hat's bugzilla[1]. Do you happen to know more? Is it reported upstream,
do we have upstream references?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-8860
    https://www.cve.org/CVERecord?id=CVE-2025-8860
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2387588

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: qemu
Source-Version: 1:10.0.3+ds-4
Done: Michael Tokarev <[email protected]>

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 21 Aug 2025 19:03:00 +0300
Source: qemu
Architecture: source
Version: 1:10.0.3+ds-4
Distribution: unstable
Urgency: medium
Maintainer: Debian QEMU Team <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 1054104 1107554 1111030
Changes:
 qemu (1:10.0.3+ds-4) unstable; urgency=medium
 .
   [ Heinrich Schuchardt ]
   * d/control: qemu-system-riscv missing recommends
     qemu-system-riscv needs the same/similar packages for EFI, spice,
     opengl, special block devices, as qemu-system-arm and qemu-system-x86
 .
   [ Michael Tokarev ]
   * d/control: omit system-xen if omit-system build profile is specified
     this makes pkg.qemu.omit-system omit all system components,
     including xen
   * qemu-user binfmts: stop supporting old kernels using custom patch
     qemu supports argv[0] handling with the help of kernel support since
     at least bullseye (or even buster), for a really long time.
     There's no need to use custom code for older kernels anymore.
     Also closes: #1054104
   * d/binfmt-install: do not generate update-binfmt un-registration
     postinst script for upgrades from bookworm
   * d/control: drop old (pre-bookworm) breaks/replaces/conflicts/provides
   * hw-uefi-clear-uefi-vars-buffer-in-uefi_vars_write-CVE-2025-8860.patch
     Closes: #1111030, CVE-2025-8860
   * d/control: remove long-forgotten qemu-system-common dependency on acl
     (for #762192) which is not needed
   * remove qemu-user-static package (& qemu-debootstrap)
     remove links to qemu-user with -static suffix, together with
     obsolete qemu-debootstrap command.
     qemu-user-static is now provided by qemu-user-binfmt package.
     Also closes: #1107554
   * d/gbp.conf: switch to master branch

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
