Security: Multiple issues in QEMU

Name: Multiple issues in QEMU
ID: USN-2608-1
Distribution: Ubuntu
Platforms: Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, Ubuntu 14.10, Ubuntu 15.04
Date: Wed, 13 May 2015, 23:18
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1779
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2756
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456
Applications: QEMU

Original message
==========================================================================
Ubuntu Security Notice USN-2608-1
May 13, 2015

qemu, qemu-kvm vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in QEMU.
Software Description:
- qemu: Machine emulator and virtualizer
- qemu-kvm: Machine emulator and virtualizer
Details:
Jason Geffner discovered that QEMU incorrectly handled the virtual floppy driver. This issue is known as VENOM. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-3456)
Daniel P. Berrange discovered that QEMU incorrectly handled VNC websockets. A remote attacker could use this issue to cause QEMU to consume memory, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-1779)
Jan Beulich discovered that QEMU, when used with Xen, didn't properly restrict access to PCI command registers. A malicious guest could use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-2756)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 15.04:
  qemu-system          1:2.2+dfsg-5expubuntu9.1
  qemu-system-aarch64  1:2.2+dfsg-5expubuntu9.1
  qemu-system-arm      1:2.2+dfsg-5expubuntu9.1
  qemu-system-mips     1:2.2+dfsg-5expubuntu9.1
  qemu-system-misc     1:2.2+dfsg-5expubuntu9.1
  qemu-system-ppc      1:2.2+dfsg-5expubuntu9.1
  qemu-system-sparc    1:2.2+dfsg-5expubuntu9.1
  qemu-system-x86      1:2.2+dfsg-5expubuntu9.1

Ubuntu 14.10:
  qemu-system          2.1+dfsg-4ubuntu6.6
  qemu-system-aarch64  2.1+dfsg-4ubuntu6.6
  qemu-system-arm      2.1+dfsg-4ubuntu6.6
  qemu-system-mips     2.1+dfsg-4ubuntu6.6
  qemu-system-misc     2.1+dfsg-4ubuntu6.6
  qemu-system-ppc      2.1+dfsg-4ubuntu6.6
  qemu-system-sparc    2.1+dfsg-4ubuntu6.6
  qemu-system-x86      2.1+dfsg-4ubuntu6.6

Ubuntu 14.04 LTS:
  qemu-system          2.0.0+dfsg-2ubuntu1.11
  qemu-system-aarch64  2.0.0+dfsg-2ubuntu1.11
  qemu-system-arm      2.0.0+dfsg-2ubuntu1.11
  qemu-system-mips     2.0.0+dfsg-2ubuntu1.11
  qemu-system-misc     2.0.0+dfsg-2ubuntu1.11
  qemu-system-ppc      2.0.0+dfsg-2ubuntu1.11
  qemu-system-sparc    2.0.0+dfsg-2ubuntu1.11
  qemu-system-x86      2.0.0+dfsg-2ubuntu1.11

Ubuntu 12.04 LTS:
  qemu-kvm             1.0+noroms-0ubuntu14.22
After a standard system update you need to restart all QEMU virtual machines to make all the necessary changes.
References:
  http://www.ubuntu.com/usn/usn-2608-1
  CVE-2015-1779, CVE-2015-2756, CVE-2015-3456

Package Information:
  https://launchpad.net/ubuntu/+source/qemu/1:2.2+dfsg-5expubuntu9.1
  https://launchpad.net/ubuntu/+source/qemu/2.1+dfsg-4ubuntu6.6
  https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.11
  https://launchpad.net/ubuntu/+source/qemu-kvm/1.0+noroms-0ubuntu14.22