[Git][security-tracker-team/security-tracker][master] Reserve DLA-2560-1 for qemu

Sylvain Beucler beuc at debian.org
Tue Feb 16 17:00:30 GMT 2021



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f5c67140 by Sylvain Beucler at 2021-02-16T17:59:42+01:00
Reserve DLA-2560-1 for qemu

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -20906,7 +20906,6 @@ CVE-2020-29444
 CVE-2020-29443 (ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of- ...)
 	- qemu <unfixed>
 	[buster] - qemu <postponed> (Fix along in future DSA)
-	[stretch] - qemu <postponed> (Fix along in future DLA)
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg04255.html
 	NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=813212288970c39b1800f63e83ac6e96588095c6
 	NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=b8d7f1bc59276fec85e4d09f1567613a3e14d31e
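Review bot: for CVE-2020-29443 the `[stretch] - qemu <postponed>` line is dropped while the first line of the entry still reads `- qemu <unfixed>` and buster stays `<postponed>`, so stretch will be the only suite with a recorded fix (the tracker takes that state from the DLA-2560-1 entry in data/DLA/list). Since no fixed upstream version is recorded, add a NOTE stating which of the two referenced commits (813212288970... and/or b8d7f1bc5927...) were backported into 1:2.8+dfsg-6+deb9u13, so the pending buster DSA can reuse the same patches.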
@@ -21596,7 +21595,6 @@ CVE-2020-29130 (slirp.c in libslirp through 4.3.1 has a buffer over-read because
 	- libslirp 4.4.0-1
 	- qemu 1:4.1-2
 	[buster] - qemu <postponed> (Fix along in future DSA)
-	[stretch] - qemu <postponed> (Fix along in future DLA, when fixed upstream)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f (v4.4.0)
 	NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed.
 CVE-2020-29129 (ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tri ...)
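Review bot: the removed stretch line for CVE-2020-29130 was conditional ("when fixed upstream") and the only fix reference in the entry is the libslirp commit 2e1dcbc0c2af... (v4.4.0); the NOTE in the same hunk records that qemu only switched to the system libslirp in 1:4.1-2, so the stretch package must carry this fix in its bundled slirp.c copy. Add a NOTE naming the qemu-side backport (or the adapted libslirp commit) so the buster `<postponed>` entry, which is in the same situation, can follow the same patch.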
@@ -22124,7 +22122,6 @@ CVE-2020-28917 (An issue was discovered in the view_statistics (aka View fronten
 CVE-2020-28916 (hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX desc ...)
 	- qemu 1:5.2+dfsg-1 (bug #976388; bug #974687)
 	[buster] - qemu <postponed> (Fix along in future DSA)
-	[stretch] - qemu <postponed> (Fix along in future DLA)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/12/01/2
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-11/msg03185.html
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1893895 (duplicate)
@@ -34462,7 +34459,6 @@ CVE-2020-25085 (QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_con
 CVE-2020-25084 (QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_p ...)
 	- qemu 1:5.2+dfsg-1 (bug #970539)
 	[buster] - qemu <postponed> (Can be fixed along in next qemu DSA)
-	[stretch] - qemu <postponed> (Fix along in future DLA)
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-08/msg08050.html
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-08/msg08043.html
 	NOTE: https://www.openwall.com/lists/oss-security/2020/09/16/5
@@ -53673,7 +53669,6 @@ CVE-2020-15860 (Parallels Remote Application Server (RAS) 17.1.1 has a Business
 CVE-2020-15859 (QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a gues ...)
 	- qemu 1:5.2+dfsg-1 (bug #965978)
 	[buster] - qemu <postponed> (Minor issue, can be fixed along in next DSA)
-	[stretch] - qemu <postponed> (Minor issue, can be fixed along in next DLA)
 	NOTE: Proposed patch: https://lists.gnu.org/archive/html/qemu-devel/2020-07/msg05895.html
 	NOTE: https://bugs.launchpad.net/qemu/+bug/1886362
 	NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=22dc8663d9fc7baa22100544c600b6285a63c7a3
@@ -54787,7 +54782,6 @@ CVE-2020-15470 (ffjpeg through 2020-02-24 has a heap-based buffer overflow in jf
 CVE-2020-15469 (In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback m ...)
 	- qemu <unfixed> (low; bug #970253)
 	[buster] - qemu <postponed> (Minor issue, fix along in next DSA)
-	[stretch] - qemu <postponed> (Minor issue, fix along in next DSA)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/07/02/1
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg09961.html
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg00674.html
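Review bot: the removed `[stretch]` line for CVE-2020-15469 read `fix along in next DSA` where a stretch entry should say DLA, so dropping it also clears that slip. More importantly, the entry remains `- qemu <unfixed> (low; bug #970253)` and its newest reference is a February 2021 qemu-devel message (msg00674), i.e. stretch now ships a fix that is not yet recorded as merged upstream. Add a NOTE recording which patch from that thread was applied in 1:2.8+dfsg-6+deb9u13, so the eventual unstable and buster fixes can be matched against it.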


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[16 Feb 2021] DLA-2560-1 qemu - security update
+	{CVE-2020-15469 CVE-2020-15859 CVE-2020-25084 CVE-2020-28916 CVE-2020-29130 CVE-2020-29443 CVE-2021-20181 CVE-2021-20221}
+	[stretch] - qemu 1:2.8+dfsg-6+deb9u13
 [15 Feb 2021] DLA-2559-1 busybox - security update
 	{CVE-2011-5325 CVE-2015-9261 CVE-2016-2147 CVE-2016-2148 CVE-2017-15873 CVE-2017-16544 CVE-2018-1000517}
 	[stretch] - busybox 1:1.22.0-19+deb9u1
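Review bot: the new DLA-2560-1 entry lists eight CVEs, but this commit only edits data/CVE/list for six of them (CVE-2020-15469, CVE-2020-15859, CVE-2020-25084, CVE-2020-28916, CVE-2020-29130, CVE-2020-29443); CVE-2021-20181 and CVE-2021-20221 receive no change. Confirm that those two entries already carry no `[stretch] - qemu <postponed>` or `<no-dsa>` marker, since a leftover marker would conflict with the fixed version 1:2.8+dfsg-6+deb9u13 recorded here. The three added lines otherwise follow the same date / DLA id / package / `{CVE ...}` / `[stretch] - package version` layout as the DLA-2559-1 entry below them.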


=====================================
data/dla-needed.txt
=====================================
@@ -79,9 +79,6 @@ php-pear
 --
 python-pysaml2 (Abhijith PA)
 --
-qemu (Sylvain Beucler)
-  NOTE: 20210212: packages prepared, currently testing
---
 ruby-actionpack-page-caching
   NOTE: 20200819: Upstream's patch on does not apply due to subsequent
   NOTE: 20200819: refactoring. However, a quick look at the private



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5c67140eb2e4828199538262896741d5ffc2f07




