===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3048
                           qemu security update
                             7 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           qemu
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-16092 CVE-2020-15863 CVE-2020-14364
                   CVE-2020-12829  

Reference:         ESB-2020.2866
                   ESB-2020.2546
                   ESB-2020.2544

Original Bulletin: 
   http://www.debian.org/security/2020/dsa-4760

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4760-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 06, 2020                    https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2020-12829 CVE-2020-14364 CVE-2020-15863 CVE-2020-16092
Debian Bug     : 961451 968947

Multiple security issues were discovered in QEMU, a fast processor
emulator:

CVE-2020-12829

    An integer overflow in the sm501 display device may result in denial of
    service.

CVE-2020-14364

    An out-of-bounds write in the USB emulation code may result in
    guest-to-host code execution.

CVE-2020-15863

    A buffer overflow in the XGMAC network device may result in denial of
    service or the execution of arbitrary code.

CVE-2020-16092

    A triggerable assert in the e1000e and vmxnet3 devices may result in
    denial of service.

For the stable distribution (buster), these problems have been fixed in
version 1:3.1+dfsg-8+deb10u8.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qemu

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================