Your message dated Tue, 16 Dec 2025 08:31:02 +0300
with message-id <[email protected]>
and subject line Re: Bug#1117153: qemu: CVE-2025-11234: VNC Websocket:
use-after-free when websocket is closed early
has caused the Debian Bug report #1117153,
regarding qemu: CVE-2025-11234 (VNC Websocket: use-after-free when websocket is
closed early)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1117153: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117153
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: qemu
Version: 1:10.1.0+ds-5
Severity: important
Tags: security upstream
Forwarded:
https://lists.nongnu.org/archive/html/qemu-devel/2025-09/msg06566.html
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for qemu.
CVE-2025-11234[0]:
| A flaw was found in QEMU. If the QIOChannelWebsock object is freed
| while it is waiting to complete a handshake, a GSource is leaked.
| This can lead to the callback firing later on and triggering a use-
| after-free in the use of the channel. This can be abused by a
| malicious client with network access to the VNC WebSocket port to
| cause a denial of service during the WebSocket handshake prior to
| the VNC client authentication.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-11234
https://www.cve.org/CVERecord?id=CVE-2025-11234
[1] https://lists.nongnu.org/archive/html/qemu-devel/2025-09/msg06566.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Version: 1:10.1.3+ds-1
On Sat, 04 Oct 2025 06:58:50 +0200 Salvatore Bonaccorso
<[email protected]> wrote:
> Source: qemu
> Version: 1:10.1.0+ds-5
> Severity: important
> Tags: security upstream
> Forwarded:
> https://lists.nongnu.org/archive/html/qemu-devel/2025-09/msg06566.html
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> Hi,
> The following vulnerability was published for qemu.
> CVE-2025-11234[0]:
> | A flaw was found in QEMU. If the QIOChannelWebsock object is freed
> | while it is waiting to complete a handshake, a GSource is leaked.
> | This can lead to the callback firing later on and triggering a use-
> | after-free in the use of the channel. This can be abused by a
> | malicious client with network access to the VNC WebSocket port to
> | cause a denial of service during the WebSocket handshake prior to
> | the VNC client authentication.
This is fixed in v10.1.3 stable/bugfix release.
Thanks,
/mjt
--- End Message ---