
Security: Multiple issues in QEMU
Name: Multiple issues in QEMU
ID: USN-2692-1
Distribution: Ubuntu
Platforms: Ubuntu 14.04 LTS, Ubuntu 15.04
Date: Tue, 28 July 2015, 22:36
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5154
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5158
Applications: QEMU

Original message

==========================================================================
Ubuntu Security Notice USN-2692-1
July 28, 2015

qemu vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 15.04
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:
- qemu: Machine emulator and virtualizer

Details:

Matt Tait discovered that QEMU incorrectly handled PIT emulation. In a
non-default configuration, a malicious guest could use this issue to cause
a denial of service, or possibly execute arbitrary code on the host as the
user running the QEMU process. In the default installation, when QEMU is
used with libvirt, attackers would be isolated by the libvirt AppArmor
profile. (CVE-2015-3214)

Kevin Wolf discovered that QEMU incorrectly handled processing ATAPI
commands. A malicious guest could use this issue to cause a denial of
service, or possibly execute arbitrary code on the host as the user running
the QEMU process. In the default installation, when QEMU is used with
libvirt, attackers would be isolated by the libvirt AppArmor profile.
(CVE-2015-5154)

Zhu Donghai discovered that QEMU incorrectly handled the SCSI driver. A
malicious guest could use this issue to cause a denial of service, or
possibly execute arbitrary code on the host as the user running the QEMU
process. In the default installation, when QEMU is used with libvirt,
attackers would be isolated by the libvirt AppArmor profile. This issue
only affected Ubuntu 15.04. (CVE-2015-5158)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.04:
qemu-system 1:2.2+dfsg-5expubuntu9.3
qemu-system-aarch64 1:2.2+dfsg-5expubuntu9.3
qemu-system-arm 1:2.2+dfsg-5expubuntu9.3
qemu-system-mips 1:2.2+dfsg-5expubuntu9.3
qemu-system-misc 1:2.2+dfsg-5expubuntu9.3
qemu-system-ppc 1:2.2+dfsg-5expubuntu9.3
qemu-system-sparc 1:2.2+dfsg-5expubuntu9.3
qemu-system-x86 1:2.2+dfsg-5expubuntu9.3

Ubuntu 14.04 LTS:
qemu-system 2.0.0+dfsg-2ubuntu1.15
qemu-system-aarch64 2.0.0+dfsg-2ubuntu1.15
qemu-system-arm 2.0.0+dfsg-2ubuntu1.15
qemu-system-mips 2.0.0+dfsg-2ubuntu1.15
qemu-system-misc 2.0.0+dfsg-2ubuntu1.15
qemu-system-ppc 2.0.0+dfsg-2ubuntu1.15
qemu-system-sparc 2.0.0+dfsg-2ubuntu1.15
qemu-system-x86 2.0.0+dfsg-2ubuntu1.15

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2692-1
CVE-2015-3214, CVE-2015-5154, CVE-2015-5158

Package Information:
https://launchpad.net/ubuntu/+source/qemu/1:2.2+dfsg-5expubuntu9.3
https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.15


