[Secure-testing-commits] r47421 - data/CVE

Hugo Lefeuvre hle at moszumanska.debian.org
Sun Dec 25 10:24:00 UTC 2016


Author: hle
Date: 2016-12-25 10:24:00 +0000 (Sun, 25 Dec 2016)
New Revision: 47421

Modified:
   data/CVE/list
Log:
CVE triage for qemu and qemu-kvm in wheezy.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2016-12-25 10:00:16 UTC (rev 47420)
+++ data/CVE/list	2016-12-25 10:24:00 UTC (rev 47421)
@@ -1925,7 +1925,9 @@
 CVE-2016-9916 [9pfs: add cleanup operation for proxy backend driver]
 	RESERVED
 	- qemu <unfixed> (bug #847496)
+	[wheezy] - qemu <no-dsa> (proxy driver not included during compilation)
 	- qemu-kvm <removed>
+	[wheezy] - qemu-kvm <no-dsa> (proxy driver not included during compilation)
 	- xen 4.4.0-1
 	[wheezy] - xen <not-affected> (Vulnerable code not present)
 	NOTE: Xen switched to qemu-system in 4.4.0-1
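Review bot: The two added [wheezy] lines for qemu and qemu-kvm use <no-dsa>, but the reason given is that the proxy driver is not compiled in, and the xen line just below records absent vulnerable code as <not-affected>. <no-dsa> normally reads as "affected, but no advisory warranted". Either make the parenthetical explicit that the source still ships the driver and only the build omits it, or use a state consistent with the xen entry.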
@@ -1933,10 +1935,13 @@
 	NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=898ae90a44551d25b8e956fd87372d303c82fe68 (v2.8.0-rc2)
 	NOTE: Proxy filesystem driver introduced in: http://git.qemu.org/?p=qemu.git;a=commit;h=4c793dda22213a7aba8e4d9a814e8f368a5f8bf7 (v1.0-rc0)
 	NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/11
+        NOTE: proxy driver not included during compilation in wheezy, see debian-lts ML: https://lists.debian.org/debian-lts/2016/12/msg00136.html
 CVE-2016-9915 [9pfs: add cleanup operation for handle backend driver]
 	RESERVED
 	- qemu <unfixed> (bug #847496)
+	[wheezy] - qemu <no-dsa> (handle driver not included during compilation)
 	- qemu-kvm <removed>
+	[wheezy] - qemu-kvm <no-dsa> (handle driver not included during compilation)
 	- xen 4.4.0-1
 	[wheezy] - xen <not-affected> (Vulnerable code not present)
 	NOTE: Xen switched to qemu-system in 4.4.0-1
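Review bot: The NOTE line added at the top of this hunk, closing the CVE-2016-9916 entry, is indented with eight spaces, while every neighbouring NOTE line in the entry starts with a single tab. Replace the leading spaces with a tab so the entry matches the rest of data/CVE/list.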
@@ -1944,16 +1949,21 @@
 	NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=971f406b77a6eb84e0ad27dcc416b663765aee30 (v2.8.0-rc2)
 	NOTE: handle based fs driver introduced in: http://git.qemu.org/?p=qemu.git;a=commit;h=5f5422258e1f50f871bafcc5bfb2b498f414a310 (v1.0-rc0)
 	NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/11
+        NOTE: proxy driver not included during compilation in wheezy, see debian-lts ML: https://lists.debian.org/debian-lts/2016/12/msg00136.html
 CVE-2016-9914 [9pfs: add cleanup operation in FileOperations]
 	RESERVED
 	- qemu <unfixed> (bug #847496)
+	[wheezy] - qemu <no-dsa> (proxy and handle drivers not included during compilation)
 	- qemu-kvm <removed>
+	[wheezy] - qemu-kvm <no-dsa> (proxy and handle drivers not included during compilation)
 	- xen 4.4.0-1
 	[wheezy] - xen <not-affected> (Vulnerable code not present)
 	NOTE: Xen switched to qemu-system in 4.4.0-1
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg03278.html
 	NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=702dbcc274e2ca43be20ba64c758c0ca57dab91d (v2.8.0-rc2)
 	NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/11
+        NOTE: proxy and handle drivers not included during compilation in wheezy, so the cleanup function is never implemented:
+        NOTE: see debian-lts ML: https://lists.debian.org/debian-lts/2016/12/msg00136.html
 CVE-2016-9913 [9pfs: adjust the order of resource cleanup in device unrealize]
 	RESERVED
 	- qemu <unfixed> (bug #847496)
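Review bot: The NOTE added at the end of the CVE-2016-9915 entry says "proxy driver not included during compilation in wheezy", but this CVE concerns the handle backend driver and the [wheezy] lines added for the same entry in the previous hunk say "handle driver". It looks copied from the CVE-2016-9916 entry and should read "handle driver". The first NOTE added under CVE-2016-9914 also ends in a dangling colon, and "the cleanup function is never implemented" would be clearer as a statement that no compiled backend provides the cleanup operation. All three added NOTE lines are indented with spaces where the surrounding lines use a tab.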
