===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4396
                           qemu security update
                             7 September 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           qemu
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-35414 CVE-2022-26354 CVE-2021-20257
                   CVE-2021-20221 CVE-2021-20203 CVE-2021-20196
                   CVE-2021-20181 CVE-2021-4207 CVE-2021-4206
                   CVE-2021-3930 CVE-2021-3748 CVE-2021-3713
                   CVE-2021-3682 CVE-2021-3608 CVE-2021-3607
                   CVE-2021-3582 CVE-2021-3527 CVE-2021-3507
                   CVE-2021-3416 CVE-2021-3392 CVE-2020-35505
                   CVE-2020-35504 CVE-2020-29443 CVE-2020-29129
                   CVE-2020-28916 CVE-2020-27821 CVE-2020-27617
                   CVE-2020-25723 CVE-2020-25625 CVE-2020-25624
                   CVE-2020-25085 CVE-2020-25084 CVE-2020-15859
                   CVE-2020-15469 CVE-2020-13253 

Original Bulletin: 
   http://www.debian.org/lts/security/2022/dla-3099

Comment: CVSS (Max):  8.5 CVE-2021-3682 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: [Red Hat], SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3099-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
September 05, 2022                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : qemu
Version        : 1:3.1+dfsg-8+deb10u9
CVE ID         : CVE-2020-13253 CVE-2020-15469 CVE-2020-15859 CVE-2020-25084 
                 CVE-2020-25085 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723 
                 CVE-2020-27617 CVE-2020-27821 CVE-2020-28916 CVE-2020-29129 
                 CVE-2020-29443 CVE-2020-35504 CVE-2020-35505 CVE-2021-3392 
                 CVE-2021-3416 CVE-2021-3507 CVE-2021-3527 CVE-2021-3582 
                 CVE-2021-3607 CVE-2021-3608 CVE-2021-3682 CVE-2021-3713 
                 CVE-2021-3748 CVE-2021-3930 CVE-2021-4206 CVE-2021-4207 
                 CVE-2021-20181 CVE-2021-20196 CVE-2021-20203 CVE-2021-20221 
                 CVE-2021-20257 CVE-2022-26354 CVE-2022-35414

Multiple security issues were discovered in QEMU, a fast processor
emulator, which could result in denial of service or the execution
of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:3.1+dfsg-8+deb10u9.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qemu

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------


NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================