==========================================================================
Ubuntu Security Notice USN-2342-1
September 08, 2014

qemu, qemu-kvm vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in QEMU.
Software Description:
- qemu: Machine emulator and virtualizer
- qemu-kvm: Machine emulator and virtualizer
Details:
Michael S. Tsirkin, Anthony Liguori, and Michael Roth discovered multiple issues with QEMU state loading after migration. An attacker able to modify the state data could use these issues to cause a denial of service, or possibly execute arbitrary code. (CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4526, CVE-2013-4527, CVE-2013-4529, CVE-2013-4530, CVE-2013-4531, CVE-2013-4532, CVE-2013-4533, CVE-2013-4534, CVE-2013-4535, CVE-2013-4536, CVE-2013-4537, CVE-2013-4538, CVE-2013-4539, CVE-2013-4540, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461)
Kevin Wolf, Stefan Hajnoczi, Fam Zheng, Jeff Cody, and others discovered multiple issues in the QEMU block drivers. An attacker able to modify disk images could use these issues to cause a denial of service, or possibly execute arbitrary code. (CVE-2014-0142, CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0146, CVE-2014-0147, CVE-2014-0222, CVE-2014-0223)
It was discovered that QEMU incorrectly handled certain PCIe bus hotplug operations. A malicious guest could use this issue to crash the QEMU host, resulting in a denial of service. (CVE-2014-3471)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 14.04 LTS:
  qemu-system                     2.0.0+dfsg-2ubuntu1.3
  qemu-system-aarch64             2.0.0+dfsg-2ubuntu1.3
  qemu-system-arm                 2.0.0+dfsg-2ubuntu1.3
  qemu-system-mips                2.0.0+dfsg-2ubuntu1.3
  qemu-system-misc                2.0.0+dfsg-2ubuntu1.3
  qemu-system-ppc                 2.0.0+dfsg-2ubuntu1.3
  qemu-system-sparc               2.0.0+dfsg-2ubuntu1.3
  qemu-system-x86                 2.0.0+dfsg-2ubuntu1.3

Ubuntu 12.04 LTS:
  qemu-kvm                        1.0+noroms-0ubuntu14.17

Ubuntu 10.04 LTS:
  qemu-kvm                        0.12.3+noroms-0ubuntu9.24
After a standard system update you need to reboot your computer to make all the necessary changes.
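To check a host or an inventory export against the fixed versions listed above, the following added example (not part of the original notice) parses dpkg-query -W output and reports affected packages that are still older than the fix. The version comparison is an illustrative reimplementation of Debian version ordering (on a live host, dpkg --compare-versions is authoritative); the function names and the sample input are constructed.

```python
import re

# Fixed versions from USN-2342-1, keyed by Ubuntu release, then binary package.
_SYS = ["", "-aarch64", "-arm", "-mips", "-misc", "-ppc", "-sparc", "-x86"]
FIXED = {
    "14.04": {"qemu-system" + s: "2.0.0+dfsg-2ubuntu1.3" for s in _SYS},
    "12.04": {"qemu-kvm": "1.0+noroms-0ubuntu14.17"},
    "10.04": {"qemu-kvm": "0.12.3+noroms-0ubuntu9.24"},
}

def _order(ch):
    # '~' sorts before everything (even end of string), letters before other symbols.
    return -1 if ch == "~" else ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    # Walk alternating non-digit and digit runs from left to right.
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            x, y = (_order(s[i]) if i < len(s) else 0 for s in (na, nb))
            if x != y:
                return -1 if x < y else 1
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; the revision starts at the last hyphen.
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, sep, rev = rest.rpartition("-")
    return (epoch, upstream, rev) if sep else (epoch, rest, "")

def compare(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    return next((r for r in map(_cmp_part, _split(a), _split(b)) if r), 0)

def unpatched(release, dpkg_query_output):
    """(package, version) pairs from dpkg-query -W output older than the USN fix."""
    rows = (l.split("\t", 1) for l in dpkg_query_output.splitlines() if "\t" in l)
    rows = ((p.split(":")[0], v.strip()) for p, v in rows)  # drop ":amd64" qualifier
    return [(p, v) for p, v in rows
            if v and p in FIXED[release] and compare(v, FIXED[release][p]) < 0]

# Constructed sample: dpkg-query -W output from a hypothetical 14.04 host.
SAMPLE = ("qemu-system-x86\t2.0.0+dfsg-2ubuntu1.2\n"
          "qemu-system-arm\t2.0.0+dfsg-2ubuntu1.3\nbash\t4.3-7ubuntu1\n")
```

Calling unpatched("14.04", SAMPLE) returns only the qemu-system-x86 entry. A package that is already at the fixed version still needs the reboot noted above before the running QEMU processes use the updated code.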
References:
  http://www.ubuntu.com/usn/usn-2342-1
  CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151,
  CVE-2013-4526, CVE-2013-4527, CVE-2013-4529, CVE-2013-4530,
  CVE-2013-4531, CVE-2013-4532, CVE-2013-4533, CVE-2013-4534,
  CVE-2013-4535, CVE-2013-4536, CVE-2013-4537, CVE-2013-4538,
  CVE-2013-4539, CVE-2013-4540, CVE-2013-4541, CVE-2013-4542,
  CVE-2013-6399, CVE-2014-0142, CVE-2014-0143, CVE-2014-0144,
  CVE-2014-0145, CVE-2014-0146, CVE-2014-0147, CVE-2014-0182,
  CVE-2014-0222, CVE-2014-0223, CVE-2014-3461, CVE-2014-3471
Package Information:
  https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.3
  https://launchpad.net/ubuntu/+source/qemu-kvm/1.0+noroms-0ubuntu14.17
  https://launchpad.net/ubuntu/+source/qemu-kvm/0.12.3+noroms-0ubuntu9.24