[Git][security-tracker-team/security-tracker][master] Raise severity of qemu entries after (PV)RDMA support has been enabled

Salvatore Bonaccorso carnil at debian.org
Wed Feb 6 15:33:05 GMT 2019 

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6121b0bc by Salvatore Bonaccorso at 2019-02-06T15:28:03Z
Raise severity of qemu entries after (PV)RDMA support has been enabled

Until the change in 1:3.1+dfsg-3, PVRDMA and RDMA support in qemu was
not enabled, so the issues affected the source package but not the
produced binary packages, and as such were classified unimportant. Since
1:3.1+dfsg-3 qemu enables rmda and pvrdma support:

>  qemu (1:3.1+dfsg-3) unstable; urgency=medium
> [...]
>    * enable rdma and pvrdma, build-depend on
>      librdmacm-dev, libibverbs-dev, libibumad-dev
> [...]

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -10465,13 +10465,13 @@ CVE-2018-20217 (A Reachable Assertion issue was discovered in the KDC in MIT Ker
 	NOTE: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763
 	NOTE: https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086
 CVE-2018-20216 (QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c ...)
-	- qemu <unfixed> (unimportant)
+	- qemu <unfixed>
 	[stretch] - qemu <not-affected> (Vulnerable code not present)
 	[jessie] - qemu <not-affected> (Vulnerable code not present)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03052.html
 	NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=f1e2e38ee0136b7710a2caa347049818afd57a1b
-	NOTE: PVRDMA support not enabled in the binary packages.
+	NOTE: PVRDMA support not enabled in the binary packages until 1:3.1+dfsg-3.
 CVE-2018-20215
 	RESERVED
 CVE-2018-20214
@@ -10531,12 +10531,12 @@ CVE-2018-20193 (Certain Secure Access SA Series SSL VPN products (originally dev
 CVE-2018-20192
 	RESERVED
 CVE-2018-20191 (hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation ...)
-	- qemu <unfixed> (unimportant)
+	- qemu <unfixed>
 	[stretch] - qemu <not-affected> (Vulnerable code not present)
 	[jessie] - qemu <not-affected> (Vulnerable code not present)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03066.html
-	NOTE: PVRDMA support not enabled.
+	NOTE: PVRDMA support not enabled until 1:3.1+dfsg-3.
 CVE-2018-20190 (In LibSass 3.5.5, a NULL Pointer Dereference in the function ...)
 	- libsass <unfixed> (low)
 	[stretch] - libsass <no-dsa> (Minor issue)
@@ -12782,36 +12782,36 @@ CVE-2018-20128 (An issue was discovered in UsualToolCMS v8.0. cmsadmin\a_sqlback
 CVE-2018-20127 (An issue was discovered in zzzphp cms 1.5.8. del_file in ...)
 	NOT-FOR-US: zzzphp cms
 CVE-2018-20126 (hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory ...)
-	- qemu <unfixed> (unimportant)
+	- qemu <unfixed>
 	[stretch] - qemu <not-affected> (Vulnerable code not present)
 	[jessie] - qemu <not-affected> (Vulnerable code not present)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02824.html
 	NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=509f57c98e7536905bb4902363d0cba66ce7e089
-	NOTE: PVRDMA support not enabled in the binary packages.
+	NOTE: PVRDMA support not enabled in the binary packages until 1:3.1+dfsg-3.
 CVE-2018-20125 (hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of ...)
-	- qemu <unfixed> (unimportant)
+	- qemu <unfixed>
 	[stretch] - qemu <not-affected> (Vulnerable code not present)
 	[jessie] - qemu <not-affected> (Vulnerable code not present)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02823.html
 	NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=2c858ce5da8ae6689c75182b73bc455a291cad41
-	NOTE: PVRDMA support not enabled in the binary packages.
+	NOTE: PVRDMA support not enabled in the binary packages until 1:3.1+dfsg-3.
 CVE-2018-20124 (hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger ...)
-	- qemu <unfixed> (unimportant)
+	- qemu <unfixed>
 	[stretch] - qemu <not-affected> (Vulnerable code not present)
 	[jessie] - qemu <not-affected> (Vulnerable code not present)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02822.html
 	NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=0e68373cc2b3a063ce067bc0cc3edaf370752890
-	NOTE: RDMA support not enabled in the binary packages.
+	NOTE: RDMA support not enabled in the binary packages until 1:3.1+dfsg-3.
 CVE-2018-20123 (pvrdma_realize in hw/rdma/vmw/pvrdma_main.c in QEMU has a Memory leak ...)
 	- qemu 1:3.1+dfsg-3 (unimportant; bug #916442)
 	[stretch] - qemu <not-affected> (Vulnerable code not present)
 	[jessie] - qemu <not-affected> (Vulnerable code not present)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02817.html
-	NOTE: PVRDMA support not enabled.
+	NOTE: PVRDMA support not enabled until 1:3.1+dfsg-3.
 CVE-2018-20145 (Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option ...)
 	- mosquitto 1.5.5-1
 	[stretch] - mosquitto <not-affected> (Only affects 1.5.x)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6121b0bc3c5c075b10f2bde6b4f8adae258aaea2

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6121b0bc3c5c075b10f2bde6b4f8adae258aaea2
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190206/afb43053/attachment.html>

More information about the debian-security-tracker-commits mailing list