Security Information / 2017 / Security Information -- DSA-3991-1 qemu

Debian Security Advisory

DSA-3991-1 qemu -- security update

Date Reported:

03 Oct 2017

Affected Packages:

qemu

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2017-9375, CVE-2017-12809, CVE-2017-13672, CVE-2017-13711, CVE-2017-14167.

More information:

Multiple vulnerabilities were found in qemu, a fast processor emulator:

• CVE-2017-9375

  Denial of service via memory leak in USB XHCI emulation.

• CVE-2017-12809

  Denial of service in the CDROM device drive emulation.

• CVE-2017-13672

  Denial of service in VGA display emulation.

• CVE-2017-13711

  Denial of service in SLIRP networking support.

• CVE-2017-14167

  Incorrect validation of multiboot headers could result in the execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in version 1:2.8+dfsg-6+deb9u3.

We recommend that you upgrade your qemu packages.