===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0614
                           qemu security update
                             19 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           qemu
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Increased Privileges     -- Existing Account
                   Denial of Service        -- Existing Account
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-20221 CVE-2021-20181 CVE-2020-29443
                   CVE-2020-29130 CVE-2020-28916 CVE-2020-25084
                   CVE-2020-15859 CVE-2020-15469 CVE-2020-2891

Reference:         ESB-2021.0589
                   ESB-2021.0552
                   ESB-2021.0430

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2021/02/msg00024.html

--------------------------BEGIN INCLUDED TEXT--------------------

--------------------------------------------------------------------------
Debian LTS Advisory DLA-2560-1                 debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Sylvain Beucler
February 18, 2021                              https://wiki.debian.org/LTS
--------------------------------------------------------------------------

Package        : qemu
Version        : 1:2.8+dfsg-6+deb9u13
CVE ID         : CVE-2020-15469 CVE-2020-15859 CVE-2020-25084 CVE-2020-28916
                 CVE-2020-29130 CVE-2020-29443 CVE-2021-20181 CVE-2021-20221
Debian Bug     : 970253 965978 970539 974687 976388

Several vulnerabilities were discovered in QEMU, a fast processor
emulator (notably used in KVM and Xen HVM virtualization). An attacker
could trigger a denial-of-service (DoS), information leak, and
possibly execute arbitrary code with the privileges of the QEMU
process on the host.

CVE-2020-15469

    A MemoryRegionOps object may lack read/write callback methods,
    leading to a NULL pointer dereference.

CVE-2020-15859

    QEMU has a use-after-free in hw/net/e1000e_core.c because a guest
    OS user can trigger an e1000e packet with the data's address set
    to the e1000e's MMIO address.

CVE-2020-25084

    QEMU has a use-after-free in hw/usb/hcd-xhci.c because the
    usb_packet_map return value is not checked.

CVE-2020-28916

    hw/net/e1000e_core.c has an infinite loop via an RX descriptor
    with a NULL buffer address.

CVE-2020-29130

    slirp.c has a buffer over-read because it tries to read a certain
    amount of header data even if that exceeds the total packet
    length.

CVE-2020-29443

    ide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds
    read access because a buffer index is not validated.

CVE-2021-20181

    9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege
    escalation vulnerability.

CVE-2021-20221

    aarch64: GIC: out-of-bound heap buffer access via an interrupt ID
    field.

For Debian 9 stretch, these problems have been fixed in version
1:2.8+dfsg-6+deb9u13.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qemu

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================