I don't know what Ubuntu's position is, but note that for upstream QEMU this is *not* a security issue. The security policy https://www.qemu.org/docs/master/system/security.html is clear that we only consider the virtualization accelerators like KVM or HVF to be in scope, and TCG is out of scope. For us this is "just another TCG bug" and we fixed it as such.
--
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/2138885

Title:
  iret security issue

Status in QEMU:
  Fix Released
Status in qemu package in Ubuntu:
  Fix Released
Status in qemu source package in Trusty:
  New
Status in qemu source package in Xenial:
  New
Status in qemu source package in Bionic:
  New
Status in qemu source package in Focal:
  New
Status in qemu source package in Jammy:
  New
Status in qemu source package in Noble:
  New
Status in qemu source package in Questing:
  Fix Released
Status in qemu source package in Resolute:
  Fix Released

Bug description:
  iret security issue. See here:
  https://kqx.io/post/qemu-nday/

  Upstream fix:
  https://gitlab.com/qemu-project/qemu/-/commit/0bd385e7e3c33e987d7a8879918be6df7b111ac4

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/2138885/+subscriptions
