Your message dated Wed, 25 May 2011 20:07:06 +0000
with message-id <e1qpkme-0000nh...@franck.debian.org>
and subject line Bug#627448: fixed in qemu-kvm 0.12.5+dfsg-5+squeeze2
has caused the Debian Bug report #627448,
regarding CVE-2011-1751
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
627448: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627448
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: qemu-kvm
Severity: grave
Tags: security
Hi,
the following security issue was reported in qemu-kvm:
CVE-2011-1751:
http://lists.nongnu.org/archive/html/qemu-devel/2011-05/msg01810.html
http://patchwork.ozlabs.org/patch/96331/
Cheers,
Moritz
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
Source: qemu-kvm
Source-Version: 0.12.5+dfsg-5+squeeze2
We believe that the bug you reported is fixed in the latest version of
qemu-kvm, which is due to be installed in the Debian FTP archive:
kvm_0.12.5+dfsg-5+squeeze2_i386.deb
to main/q/qemu-kvm/kvm_0.12.5+dfsg-5+squeeze2_i386.deb
qemu-kvm-dbg_0.12.5+dfsg-5+squeeze2_i386.deb
to main/q/qemu-kvm/qemu-kvm-dbg_0.12.5+dfsg-5+squeeze2_i386.deb
qemu-kvm_0.12.5+dfsg-5+squeeze2.diff.gz
to main/q/qemu-kvm/qemu-kvm_0.12.5+dfsg-5+squeeze2.diff.gz
qemu-kvm_0.12.5+dfsg-5+squeeze2.dsc
to main/q/qemu-kvm/qemu-kvm_0.12.5+dfsg-5+squeeze2.dsc
qemu-kvm_0.12.5+dfsg-5+squeeze2_i386.deb
to main/q/qemu-kvm/qemu-kvm_0.12.5+dfsg-5+squeeze2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 627...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <m...@tls.msk.ru> (supplier of updated qemu-kvm package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 21 May 2011 10:45:52 +0400
Source: qemu-kvm
Binary: qemu-kvm qemu-kvm-dbg kvm
Architecture: source i386
Version: 0.12.5+dfsg-5+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Jan Lübbe <jlue...@debian.org>
Changed-By: Michael Tokarev <m...@tls.msk.ru>
Description:
kvm - dummy transitional package from kvm to qemu-kvm
qemu-kvm - Full virtualization on x86 hardware
qemu-kvm-dbg - Debugging info for qemu-kvm
Closes: 627448
Changes:
qemu-kvm (0.12.5+dfsg-5+squeeze2) stable-security; urgency=high
.
* fix CVE-2011-1751 for 0.12. The actual fix is in
hotplug-4-ignore-pci-hotplug-requests-for-unpluggable-devices-CVE-2011-1751
but that change, while trivial, required 6 more changes to be backported
to 0.12:
o pci-cleanly-backout-of-pci_qdev_init-925fe64ae7
(moving common code to a separate function and using it from another
place to fix a memory leak)
o hotplug-0-acpi_piix4-qdevfy-e8ec0571e1
this qdevifies acpi_piix4 device
o hotplug-1-pci-allow-devices-being-tagged-as-not-hotpluggable-180c22e18b
introduce a "no_hotplug" attribute and check it in common places
to ensure such devices wont be hot-(un)plugged. This needs
the pci-cleanly-backout-of-pci_qdev_init patch mentioned above
o hotplug-2-piix-tag-as-not-hotpluggable-0965f12da6
o hotplug-3-vga-tag-as-not-hotplugable-be92bbf73d
mark certain devices as non-hotpluggable
And finally the actual fix for CVE-2011-1751, which verifies the
no_hotplug attribute when handling hot-unplug request from guest.
(closes: #627448)
Checksums-Sha1:
c3928fa7262371ef4a0b4061a62338a1b7ed9ad7 1688
qemu-kvm_0.12.5+dfsg-5+squeeze2.dsc
2cc46474c3befb09320829b36868f1418569b57e 305179
qemu-kvm_0.12.5+dfsg-5+squeeze2.diff.gz
2739d3ef81bf7fca6d56eef9e6d6b4ae164a4a23 1503126
qemu-kvm_0.12.5+dfsg-5+squeeze2_i386.deb
4bff60472840f5fedf82baa8885d45527a750d3f 2787362
qemu-kvm-dbg_0.12.5+dfsg-5+squeeze2_i386.deb
235b9fac4032b33b8728e15af8959078818181df 12938
kvm_0.12.5+dfsg-5+squeeze2_i386.deb
Checksums-Sha256:
c91738d633be356e4694072eea98a7c0b24257dc2b944083fe220d70baaf5d37 1688
qemu-kvm_0.12.5+dfsg-5+squeeze2.dsc
4aeeb278ea738e2da51f3e0b01dd9804a3c4ec81b6cd21303caf83326ce5a755 305179
qemu-kvm_0.12.5+dfsg-5+squeeze2.diff.gz
608ae97258cbb5bd5ae12ea0bdc4c82654318b9beb453c692e530eabdc3d43a8 1503126
qemu-kvm_0.12.5+dfsg-5+squeeze2_i386.deb
bbfd73baa964342b54af2de0debd6965ec04097bcb7cf443f65483178cf3d1c0 2787362
qemu-kvm-dbg_0.12.5+dfsg-5+squeeze2_i386.deb
09a281ef16543076fd79a9ac0c7f98b2f3049e746e7b0ca7914b559d306316b1 12938
kvm_0.12.5+dfsg-5+squeeze2_i386.deb
Files:
96cb2e91d0df3b8f32fcf626da1b6494 1688 misc optional
qemu-kvm_0.12.5+dfsg-5+squeeze2.dsc
f16806be78c550e9451e9a0729621841 305179 misc optional
qemu-kvm_0.12.5+dfsg-5+squeeze2.diff.gz
2fa9dc17741424d76edf0733fe4a563c 1503126 misc optional
qemu-kvm_0.12.5+dfsg-5+squeeze2_i386.deb
5f88bcfdb592926b0d2de52288ff4a8e 2787362 debug extra
qemu-kvm-dbg_0.12.5+dfsg-5+squeeze2_i386.deb
6a51a60d342b81ad529bc0c28f84a426 12938 oldlibs extra
kvm_0.12.5+dfsg-5+squeeze2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFN2plzn88szT8+ZCYRAum7AJ48XGkrGmyuauB1cjez23gdpSS+XwCcCRzo
mgUiE3gZKRWeJdyOUV7SmDg=
=+bBH
-----END PGP SIGNATURE-----
--- End Message ---
