Security Information / 2017 / Security Information -- DSA-3920-1 qemu

Debian Security Advisory

DSA-3920-1 qemu -- security update

Date Reported:

25 Jul 2017

Affected Packages:

qemu

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2017-9310, CVE-2017-9330, CVE-2017-9373, CVE-2017-9374, CVE-2017-10664, CVE-2017-10911.

More information:

Multiple vulnerabilities were found in qemu, a fast processor emulator:

• CVE-2017-9310

  Denial of service via infinite loop in e1000e NIC emulation.

• CVE-2017-9330

  Denial of service via infinite loop in USB OHCI emulation.

• CVE-2017-9373

  Denial of service via memory leak in IDE AHCI emulation.

• CVE-2017-9374

  Denial of service via memory leak in USB EHCI emulation.

• CVE-2017-10664

  Denial of service in qemu-nbd server.

• CVE-2017-10911

  Information leak in Xen blkif response handling.

For the oldstable distribution (jessie), a separate DSA will be issued.

For the stable distribution (stretch), these problems have been fixed in version 1:2.8+dfsg-6+deb9u1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your qemu packages.