Summary: | <app-emulation/qemu-2.11.0: Multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | qemu+disabled |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=647338 | ||
Whiteboard: | B3 [glsa+ cve] | ||
Package list: | app-emulation/qemu-2.11.0 |
Runtime testing required: | --- |
Description
GLSAMaker/CVETool Bot
2018-02-06 18:31:11 UTC
Security,

CVE-2018-5748 is a libvirt issue, it has nothing to do with qemu. Please open a new security bug for this one.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=725631c3eee62d147ea634c969ab90d1c70f5612

commit 725631c3eee62d147ea634c969ab90d1c70f5612
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2018-02-11 20:16:02 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2018-02-11 20:27:01 +0000

    app-emulation/qemu: version bump to 2.11.0, important security fixes

     - Added slot operator for libnfs
     - Added patch for glibc-2.27 compatibility
     - Added patch for CVE-2017-16845
     - Backported upstream msr / spec ctrl patches:
         6cfbc54e89 i386: Add EPYC-IBPB CPU model
         ac96c41354 i386: Add new -IBRS versions of Intel CPU models
         1b3420e1c4 i386: Add FEAT_8000_0008_EBX CPUID feature word
         a2381f0934 i386: Add spec-ctrl CPUID bit
         a33a2cfe2f i386: Add support for SPEC_CTRL MSR
     - CVEs addressed by bump:
         CVE-2017-17381 CVE-2017-18030 CVE-2017-18043
     - CVEs addressed by patchset:
         CVE-2017-15124 CVE-2017-16845 CVE-2018-5683
     - CVE-2018-5748 is a libvirt vulnerability, not a qemu issue...

    Bug: https://bugs.gentoo.org/638506
    Bug: https://bugs.gentoo.org/643432
    Bug: https://bugs.gentoo.org/646814
    Closes: https://bugs.gentoo.org/641100
    Closes: https://bugs.gentoo.org/646568
    Closes: https://bugs.gentoo.org/646710
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 app-emulation/qemu/Manifest | 2 +
 .../qemu/files/qemu-2.11.0-glibc-2.27.patch | 54 ++
 app-emulation/qemu/qemu-2.11.0.ebuild | 803 +++++++++++++++++++++
 3 files changed, 859 insertions(+)}

(In reply to Matthias Maier from comment #1)
> Security,
>
> CVE-2018-5748 is a libvirt issue, it has nothing to do with qemu. Please
> open a new security bug for this one.

Thank you Matthias, bug 647338 was created for libvirt. Please confirm stabilization call by CCing arches when ready.

Arches, please stabilize =app-emulation/qemu-2.11.0
Target-keywords: amd64 x86

amd64 stable

x86 stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1930d8b843ff1fd0296c6757b540f0ab5e27044

commit f1930d8b843ff1fd0296c6757b540f0ab5e27044
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2018-02-12 22:47:34 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2018-02-12 22:48:29 +0000

    app-emulation/qemu: drop vulnerable version

    Bug: https://bugs.gentoo.org/646814
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 app-emulation/qemu/Manifest | 1 -
 .../qemu/files/qemu-2.10.1-CVE-2017-15268.patch | 54 --
 .../qemu/files/qemu-2.10.1-CVE-2017-15289.patch | 58 --
 app-emulation/qemu/qemu-2.10.1-r1.ebuild | 800 ---------------------
 4 files changed, 913 deletions(-)}

This issue was resolved and addressed in GLSA 201804-08 at https://security.gentoo.org/glsa/201804-08 by GLSA coordinator Aaron Bauman (b-man).