[Git][security-tracker-team/security-tracker][master] Concluded that qemu update is not necessary for stretch. CVE-2021-3607, 3608...
Ola Lundqvist (@opal)
opal at debian.org
Mon Jun 21 21:47:42 BST 2021
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker
Commits:
937faf5c by Ola Lundqvist at 2021-06-21T22:47:24+02:00
Concluded that qemu update is not necessary for stretch. CVE-2021-3607, 3608 and CVE-2021-3582 not affected since the vulnerable code is introduced in some later version of the product. CVE-2021-3592 is marked as no-dsa for stretch just as for buster.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -508,11 +508,13 @@ CVE-2021-34827
CVE-2021-3608 [pvrdma: uninitialized memory unmap in pvrdma_ring_init()]
RESERVED
- qemu <unfixed>
+ [stretch] - qemu <not-affected> (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973383
TODO: check details, upstream report
CVE-2021-3607 [pvrdma: unchecked malloc size due to integer overflow in init_dev_ring()]
RESERVED
- qemu <unfixed>
+ [stretch] - qemu <not-affected> (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973349
TODO: check details, upstream report
CVE-2021-3606
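Review bot: the new `[stretch] - qemu <not-affected>` lines for CVE-2021-3608 and CVE-2021-3607 give "Vulnerable code introduced later" as the reason, but both entries still carry "TODO: check details, upstream report" and neither has a reference that pins down when the pvrdma ring code entered qemu; the Red Hat bugzilla links alone do not establish that. Add a NOTE naming the upstream commit or the first qemu version containing pvrdma_ring_init() and init_dev_ring(), and either drop the TODO lines or narrow them to what still needs checking, so the not-affected assessment can be re-verified later without redoing the analysis.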
@@ -1112,6 +1114,7 @@ CVE-2021-3595 (An invalid pointer initialization issue was found in the SLiRP ne
- libslirp <unfixed> (bug #989996)
- qemu 1:4.1-2
[buster] - qemu <no-dsa> (Minor issue)
+ [stretch] - qemu <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0)
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3f17948137155f025f7809fdc38576d5d2451c3d (v4.6.0)
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/990163cf3ac86b7875559f49602c4d76f46f6f30 (v4.6.0)
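Review bot: the commit message names only CVE-2021-3592 as marked no-dsa for stretch, yet this hunk adds the identical `[stretch] - qemu <no-dsa> (Minor issue)` line for CVE-2021-3595, and the following hunks do the same for CVE-2021-3594 and CVE-2021-3593. List all four CVEs in the message, since the stretch annotations are the substance of the change and the commit message is what the tracker history records.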
@@ -1120,6 +1123,7 @@ CVE-2021-3594 (An invalid pointer initialization issue was found in the SLiRP ne
- libslirp <unfixed> (bug #989995)
- qemu 1:4.1-2
[buster] - qemu <no-dsa> (Minor issue)
+ [stretch] - qemu <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0)
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/74572be49247c8c5feae7c6e0b50c4f569ca9824 (v4.6.0)
NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed.
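Review bot: the NOTE records that qemu 1:4.1-2 switched to system libslirp, so the qemu in stretch still ships an embedded slirp copy and the no-dsa placed on qemu here means that copy stays unpatched unless the v4.6.0 libslirp commits listed above are backported into qemu's bundled slirp. It would help future triage to state that in a NOTE on the stretch line (for example "[stretch] - qemu <no-dsa> (Minor issue; fix would need backport into bundled slirp)"), so that the decision is not re-derived from the buster line each time.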
@@ -1127,6 +1131,7 @@ CVE-2021-3593 (An invalid pointer initialization issue was found in the SLiRP ne
- libslirp <unfixed> (bug #989994)
- qemu 1:4.1-2
[buster] - qemu <no-dsa> (Minor issue)
+ [stretch] - qemu <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0)
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/de71c15de66ba9350bf62c45b05f8fbff166517b (v4.6.0)
NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed.
@@ -1134,6 +1139,7 @@ CVE-2021-3592 (An invalid pointer initialization issue was found in the SLiRP ne
- libslirp <unfixed> (bug #989993)
- qemu 1:4.1-2
[buster] - qemu <no-dsa> (Minor issue)
+ [stretch] - qemu <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0)
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f13cad45b25d92760bb0ad67bec0300a4d7d5275 (v4.6.0)
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2eca0838eee1da96204545e22cdaed860d9d7c6c (v4.6.0)
@@ -2530,6 +2536,7 @@ CVE-2021-3587 [nfc: fix NULL ptr dereference in llcp_sock_getname() after failed
CVE-2021-3582 [hw/rdma: Fix possible mremap overflow in the pvrdma device]
RESERVED
- qemu <unfixed>
+ [stretch] - qemu <not-affected> (Vulnerable code introduced later)
NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-06/msg04148.html
TODO: check
CVE-2021-33907
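Review bot: the `[stretch] - qemu <not-affected>` line asserts "Vulnerable code introduced later" while "TODO: check" remains and the only NOTE is the qemu-devel fix thread, which does not by itself show when the pvrdma mremap code appeared. Add a NOTE with the introducing commit or the first affected qemu version and resolve the TODO, as for CVE-2021-3607 and CVE-2021-3608 in the first hunk.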
=====================================
data/dla-needed.txt
=====================================
@@ -80,8 +80,6 @@ python-babel
NOTE: 20210620: http://people.debian.org/~abhijith/backport_of_3a700b5.patch (abhijith)
NOTE: 20210620: Revisit when it have an assigned CVE Id. (abhijith)
--
-qemu
---
rabbitmq-server (Abhijith PA)
--
ruby-actionpack-page-caching
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/937faf5c4fc0d2baf7f387d47796c93683c00183
You're receiving this email because of your account on salsa.debian.org.