Your message dated Thu, 01 Jan 2026 22:02:22 +0000
with message-id <[email protected]>
and subject line Bug#1117153: fixed in qemu 1:10.0.7+ds-0+deb13u1
has caused the Debian Bug report #1117153,
regarding qemu: CVE-2025-11234 (VNC Websocket: use-after-free when websocket is
closed early)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1117153: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117153
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: qemu
Version: 1:10.1.0+ds-5
Severity: important
Tags: security upstream
Forwarded: https://lists.nongnu.org/archive/html/qemu-devel/2025-09/msg06566.html
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for qemu.
CVE-2025-11234[0]:
| A flaw was found in QEMU. If the QIOChannelWebsock object is freed
| while it is waiting to complete a handshake, a GSource is leaked.
| This can lead to the callback firing later on and triggering a use-
| after-free in the use of the channel. This can be abused by a
| malicious client with network access to the VNC WebSocket port to
| cause a denial of service during the WebSocket handshake prior to
| the VNC client authentication.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-11234
https://www.cve.org/CVERecord?id=CVE-2025-11234
[1] https://lists.nongnu.org/archive/html/qemu-devel/2025-09/msg06566.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
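The object-lifetime pattern in the CVE description above, as an added C sketch that is not QEMU code and not part of the original messages: a toy watch table stands in for the GLib main loop and its GSource, and every name in it (`watch_add`, `channel_free_leaky`, `channel_free_safe`, `stale_watch_after_free`) is hypothetical. It contrasts a teardown that leaves the handshake watch armed with one that cancels the watch before freeing the object, and it never dispatches the stale callback.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy event loop: a table of pending watches (stand-in for GSource). */
typedef void (*watch_cb)(void *opaque);
struct watch { watch_cb cb; void *opaque; int active; };
static struct watch loop[8];

static int watch_add(watch_cb cb, void *opaque) {
    for (int i = 0; i < 8; i++)
        if (!loop[i].active) { loop[i] = (struct watch){ cb, opaque, 1 }; return i; }
    return -1;
}
static void watch_remove(int id) { if (id >= 0 && id < 8) loop[id].active = 0; }

/* Hypothetical channel that waits for a handshake through a watch. */
struct channel { int hs_watch; int handshake_done; };
static void handshake_cb(void *opaque) {
    ((struct channel *)opaque)->handshake_done = 1;
}
static struct channel *channel_new(void) {
    struct channel *c = calloc(1, sizeof(*c));
    if (!c) abort();
    c->hs_watch = watch_add(handshake_cb, c);
    return c;
}

/* Flawed teardown: the watch stays armed with a pointer to freed memory. */
static void channel_free_leaky(struct channel *c) { free(c); }

/* Hardened teardown: cancel the pending watch, then release the object. */
static void channel_free_safe(struct channel *c) {
    watch_remove(c->hs_watch);
    free(c);
}

/* Returns 1 if a handshake watch is still armed after the channel is freed. */
static int stale_watch_after_free(int use_safe_free) {
    struct channel *c = channel_new();
    int id = c->hs_watch;
    if (use_safe_free) channel_free_safe(c); else channel_free_leaky(c);
    int stale = id >= 0 && loop[id].active; /* dispatching it would be the UAF */
    watch_remove(id);                       /* disarm without dispatching */
    return stale;
}

int main(void) {
    printf("leaky: %d\n", stale_watch_after_free(0));
    printf("safe:  %d\n", stale_watch_after_free(1));
    return 0;
}
```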
--- Begin Message ---
Source: qemu
Source-Version: 1:10.0.7+ds-0+deb13u1
Done: Michael Tokarev <[email protected]>
We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated qemu package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 16 Dec 2025 10:01:50 +0300
Source: qemu
Architecture: source
Version: 1:10.0.7+ds-0+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian QEMU Team <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 1035676 1117153 1119917 1120146
Changes:
qemu (1:10.0.7+ds-0+deb13u1) trixie; urgency=medium
.
* 10.0.7 upstream stable/bugfix release:
- Update version for 10.0.7 release
- kvm: Fix kvm_vm_ioctl() and kvm_device_ioctl() return value
- docs/devel: Update URL for make-pullreq script
- target/arm: Fix assert on BRA.
- hw/aspeed/{xdma, rtc, sdhci}: Fix endianness to DEVICE_LITTLE_ENDIAN
- hw/core/machine: Provide a description for aux-ram-share property
- hw/pci: Make msix_init take a uint32_t for nentries
- block/io_uring: avoid potentially getting stuck after resubmit
at the end of ioq_submit()
- block-backend: Fix race when resuming queued requests
- ui/vnc: Fix qemu abort when query vnc info
- chardev/char-pty: Do not ignore chr_write() failures
- hw/display/exynos4210_fimd: Account for zero length
in fimd_update_memory_section()
- hw/arm/armv7m: Disable reentrancy guard for v7m_sysreg_ns_ops MRs
- hw/arm/aspeed: Fix missing SPI IRQ connection causing
DMA interrupt failure
- migration: Fix transition to COLO state from precopy
- qmp: Fix a typo for a USO feature
- MAINTAINERS: Add functional tests that are not covered yet
- tests/functional: Remove unnecessary import statements
- tests/functional: Remove semicolons at the end of lines
- Remove the remainders of the Avocado tests
- docs/devel/testing: Dissolve the ci-definitions.rst.inc file
- gitlab-ci: Update QEMU_JOB_AVOCADO and QEMU_CI_AVOCADO_TESTING
- tests/functional: Convert the SMMU test to the functional framework
- tests/functional: Use the tuxrun kernel for the aarch64 replay test
- tests/functional: Use the tuxrun kernel for the x86 replay test
- tests/avocado: Remove the boot_linux.py tests
- tests/functional: Convert the 64-bit big endian Wheezy mips test
- tests/functional: Convert the 64-bit little endian Wheezy mips test
- tests/functional: Convert the 32-bit little endian Wheezy mips test
- tests/functional: Convert the 32-bit big endian Wheezy mips test
- tests/avocado: Remove the LinuxKernelTest class
- tests/functional: Convert the i386 replay avocado test
- tests/functional: Convert reverse_debugging tests to the
functional framework
- tests/functional: Move the check for the parameters from avocado
to functional
- gitlab-ci: Remove the avocado tests from the CI pipelines
- tests/functional/test_vnc: skip test if no crypto backend available
- target/i386: fix stack size when delivering real mode interrupts
- target/i386: svm: fix sign extension of exit code
- target/i386/tcg: validate segment registers
- target/i386: Mark VPERMILPS as not valid with prefix 0
- hw/southbridge/lasi: Correct LasiState parent
- hw/dma/zynq-devcfg: Fix register memory
- tests/functional: handle URLError when fetching assets
- tests/functional: fix formatting of exception args
- block/io: Take reqs_lock for tracked_requests
- nvme: Fix coroutine waking
- nvme: Kick and check completions in BDS context
- curl: Fix coroutine waking
- nfs: Run co BH CB in the coroutine’s AioContext
- rbd: Run co BH CB in the coroutine’s AioContext
- tests: move test_virt_gpu to share.linaro.org
- tests: move test_kvm_xen to share.linaro.org
- tests: move test_netdev_ethtool to share.linaro.org
- tests: move test_virt assets to share.linaro.org
- tests: move test_xen assets to share.linaro.org
- block: add test non-active commit with zeroed data
- block: allow commit to unmap zero blocks
- block: refactor error handling of commit_iteration
- block: move commit_run loop to separate function
- block: get type of block allocation in commit_run
- hw/misc/npcm_clk: Don't divide by zero when calculating frequency
- hw/display/xlnx_dp: Don't abort for unsupported graphics formats
- hw/display/xlnx_dp.c: Don't abort on AUX FIFO overrun/underrun
- net: pad packets to minimum length in qemu_receive_packet()
Closes: #1119917, CVE-2025-12464 (buffer overflow in e1000_receive_iov)
- hw/net/e1000e_core: Adjust
e1000e_write_payload_frag_to_rx_buffers() assert
- hw/net/e1000e_core: Correct rx oversize packet checks
- hw/net/e1000e_core: Don't advance desc_offset for NULL buffer
RX descriptors
- qio: Protect NetListener callback with mutex
- qio: Remember context of qio_net_listener_set_client_func_full
- qio: Unwatch before notify in QIONetListener
- qio: Add trace points to net_listener
- tests/qemu-iotest: fix iotest 024 with qed images
- qemu-img rebase: don't exceed IO_BUF_SIZE in one operation
- qemu-img: Fix amend option parse error handling
- tests/qtest/bios-tables-test: Update DSDT blobs after GPEX _DSM change
- hw/pci-host/gpex-acpi: Fix _DSM function 0 support return value
- tests/qtest/bios-tables-test: Prepare for _DSM change in the DSDT table
- vhost-user: fix shared object lookup handler logic
- target/x86: Correctly handle invalid 0x0f 0xc7 0xxx insns
- hostmem/shm: Allow shm memory backend serve as shared memory for coco-VMs
- tests/tcg/s390x: Test SET CLOCK COMPARATOR
- target/s390x: Use address generation for register branch targets
- target/s390x: Fix missing clock-comparator interrupts after reset
- target/s390x: Fix missing interrupts for small CKC values
- target/microblaze: Handle signed division overflows
- target/microblaze: div: Break out raise_divzero()
- target/microblaze: Remove unused arg from check_divz()
- gdbstub: Fix %s formatting
- block/curl.c: Fix CURLOPT_VERBOSE parameter type
- block: fix luks 'amend' when run in coroutine
- block: remove 'detached-header' option from opts after use
- i386/kvm/cpu: Init SMM cpu address space for hotplugged CPUs
- hw/i386/pc: Avoid overlap between CXL window and PCI 64bit BARs
in QEMU 10.0.x
- target/i386: clear CPU_INTERRUPT_SIPI for all accelerators
- linux-user: permit sendto() with NULL buf and 0 len
- linux-user: Use correct type for FIBMAP and FIGETBSZ emulation
- qtest/am53c974-test: add additional test for cmdfifo overflow
- esp.c: fix esp_cdb_ready() FIFO wraparound limit calculation
- hw/hppa: Fix interrupt of LASI parallel port
- nw/nvram/ds1225y: Fix nvram MemoryRegion owner
- target/hppa: Set FPCR exception flag bits for non-trapped exceptions
- hw/scsi: avoid deadlock upon TMF request cancelling with VirtIO
- crypto: stop requiring "key encipherment" usage in x509 certs
- io: fix use after free in websocket handshake code
Closes: #1117153, CVE-2025-11234 (UAF in websocket handshake code)
- io: move websock resource release to close method
- io: release active GSource in TLS channel finalizer
- target/riscv: fix riscv_cpu_sirq_pending() mask
- target/riscv/kvm: fix env->priv setting in reset_regs_csr()
- target/riscv/kvm: add scounteren CSR
- target/riscv/kvm: read/write KVM regs via env size
- target/riscv/kvm: add senvcfg CSR
- aplic: fix mask for smsiaddrcfgh
- hw/riscv: Correct mmu-type property of sifive_u harts in device tree
- target/arm: Fix reads of CNTFRQ_EL0 in linux-user mode
- hw/ppc/e500: Check for compatible CPU type instead of
aborting ungracefully
- ui/gtk-gl-area: Remove extra draw call in refresh
- tests/tcg/multiarch/linux/linux-test: Don't try to test atime update
* linux-user-use-correct-type-for-FIBMAP-and-FIGETBSZ.patch:
remove, applied upstream
* d/control: qemu-system-xen: add the forgotten ipxe-qemu dependency
qemu-system binaries require pxe boot roms for the network adaptors.
When splitting qemu-system-xen into its own package, this dependency
has been forgotten initially, but has been enabled for bookworm (#1035676).
However, this change was lost when uploading the next version of qemu
aimed for trixie. So trixie has this issue too, despite it having been fixed
in bookworm already. (Closes: #1035676, #1120146)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---