[Git][security-tracker-team/security-tracker][master] Add CVE-2019-1292{8,9}/qemu

Salvatore Bonaccorso carnil at debian.org
Mon Jul 1 21:18:04 BST 2019



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5559c92f by Salvatore Bonaccorso at 2019-07-01T20:14:46Z
Add CVE-2019-1292{8,9}/qemu

Mark the issue as no-dsa, as "The QEMU machine protocol (QMP) should not
be exposed to unprivileged users, and is only intended for
administrative control of QEMU instances.". Given that, there might be an
argument to actually mark those as <ignored> or consider it as
negligible security impact. To be on the safe side, mark it for now only as
no-dsa.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -475,9 +475,21 @@ CVE-2019-12931
 CVE-2019-12930
 	RESERVED
 CVE-2019-12929 (The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS co ...)
-	TODO: check
+	- qemu <unfixed>
+	[buster] - qemu <no-dsa> (Minor issue)
+	[jessie] - qemu <no-dsa> (Minor issue)
+	- qemu-kvm <removed>
+	NOTE: https://fakhrizulkifli.github.io/posts/2019/06/06/CVE-2019-12929/
+	NOTE: The QEMU machine protocol (QMP) should not be exposed to unprivileged users,
+	NOTE: and is only intended for administrative control of QEMU instances.
 CVE-2019-12928 (The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerabl ...)
-	TODO: check
+	- qemu <unfixed>
+	[buster] - qemu <no-dsa> (Minor issue)
+	[jessie] - qemu <no-dsa> (Minor issue)
+	- qemu-kvm <removed>
+	NOTE: https://fakhrizulkifli.github.io/posts/2019/06/05/CVE-2019-12928/
+	NOTE: The QEMU machine protocol (QMP) should not be exposed to unprivileged users,
+	NOTE: and is only intended for administrative control of QEMU instances.
 CVE-2019-12927
 	RESERVED
 CVE-2019-12926
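
Review bot: Both new entries (CVE-2019-12929 and CVE-2019-12928) carry per-release lines for [buster] and [jessie] only, so stretch, the release between them, falls back to the bare `- qemu <unfixed>` line with no triage decision recorded. If stretch is meant to be no-dsa too, add `[stretch] - qemu <no-dsa> (Minor issue)` under each CVE; if it is left out on purpose, a NOTE line saying why would help. The "(Minor issue)" reason could also state the actual rationale given in the NOTE lines (QMP is an administrative interface, not to be exposed to unprivileged users), so the per-release lines are self-explanatory when read on their own.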



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5559c92f2977146a521229efd97eb68de08a7eca
