Your message dated Mon, 02 May 2011 20:09:16 +0000
with message-id <e1qgzqi-0000qc...@franck.debian.org>
and subject line Bug#611134: fixed in qemu-kvm 0.12.5+dfsg-5+squeeze1
has caused the Debian Bug report #611134,
regarding CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently
disables all authentication
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
611134: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611134
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: kvm
Severity: grave
Tags: security
Please see the following entry in the Red Hat bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0011
The impact is not entirely obvious to me. Do I understand it
correctly that a malicious application accessing a KVM
instance could lock out other apps to this virtual machine?
Do you think this needs to be fixed for Squeeze or in a
point update?
Cheers,
Moritz
-- System Information:
Debian Release: 6.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
Source: qemu-kvm
Source-Version: 0.12.5+dfsg-5+squeeze1
We believe that the bug you reported is fixed in the latest version of
qemu-kvm, which is due to be installed in the Debian FTP archive:
kvm_0.12.5+dfsg-5+squeeze1_amd64.deb
to main/q/qemu-kvm/kvm_0.12.5+dfsg-5+squeeze1_amd64.deb
qemu-kvm-dbg_0.12.5+dfsg-5+squeeze1_amd64.deb
to main/q/qemu-kvm/qemu-kvm-dbg_0.12.5+dfsg-5+squeeze1_amd64.deb
qemu-kvm_0.12.5+dfsg-5+squeeze1.diff.gz
to main/q/qemu-kvm/qemu-kvm_0.12.5+dfsg-5+squeeze1.diff.gz
qemu-kvm_0.12.5+dfsg-5+squeeze1.dsc
to main/q/qemu-kvm/qemu-kvm_0.12.5+dfsg-5+squeeze1.dsc
qemu-kvm_0.12.5+dfsg-5+squeeze1_amd64.deb
to main/q/qemu-kvm/qemu-kvm_0.12.5+dfsg-5+squeeze1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 611...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <m...@tls.msk.ru> (supplier of updated qemu-kvm package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 26 Apr 2011 12:04:36 +0400
Source: qemu-kvm
Binary: qemu-kvm qemu-kvm-dbg kvm
Architecture: source amd64
Version: 0.12.5+dfsg-5+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Jan Lübbe <jlue...@debian.org>
Changed-By: Michael Tokarev <m...@tls.msk.ru>
Description:
kvm - dummy transitional package from kvm to qemu-kvm
qemu-kvm - Full virtualization on x86 hardware
qemu-kvm-dbg - Debugging info for qemu-kvm
Closes: 611134 624177
Changes:
 qemu-kvm (0.12.5+dfsg-5+squeeze1) stable-security; urgency=high
 .
   * fix CVE-2011-0011: Setting VNC password to empty string
     silently disables all authentication (Closes: #611134)
   * fix CVE-2011-1750: virtio-blk: heap buffer overflow caused
     by unaligned requests (Closes: #624177)
   * urgency is high due to #624177
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk24eRwACgkQXm3vHE4uylr44QCg53EQEUH/VC5F72DzT0NqcL3e
i+MAoKO/7LfNDlqcFh3c1e8Q7WCpxkx0
=08XY
-----END PGP SIGNATURE-----
--- End Message ---