[Git][security-tracker-team/security-tracker][master] Reserve DLA-2970-1 for qemu
Emilio Pozuelo Monfort (@pochu)
pochu at debian.org
Mon Apr 4 13:53:29 BST 2022
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker
Commits:
62dc4544 by Emilio Pozuelo Monfort at 2022-04-04T14:53:10+02:00
Reserve DLA-2970-1 for qemu
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -29077,7 +29077,6 @@ CVE-2021-3930 (An off-by-one error was found in the SCSI device emulation in QEM
- qemu 1:6.2+dfsg-1
[bullseye] - qemu <postponed> (Minor issue)
[buster] - qemu <postponed> (Minor issue)
- [stretch] - qemu <postponed> (Fix along with a future DLA)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2020588
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/546
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 (v6.2.0-rc0)
@@ -39002,7 +39001,6 @@ CVE-2021-3749 (axios is vulnerable to Inefficient Regular Expression Complexity
CVE-2021-3748 (A use-after-free vulnerability was found in the virtio-net device of Q ...)
{DSA-4980-1}
- qemu 1:6.1+dfsg-6 (bug #993401)
- [stretch] - qemu <postponed> (Fix along with a future DLA)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1998514
NOTE: When fixing this issue make sure to not open CVE-2022-26353
CVE-2021-40319
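Review bot: The context NOTE on the CVE-2021-3748 entry says a fix must not open CVE-2022-26353, but this hunk only drops the `[stretch]` postponed line and the DLA-2970-1 entry in data/DLA/list does not mention CVE-2022-26353. Suggest adding a NOTE under this entry stating that the stretch backport was checked against CVE-2022-26353, so the fixed status for stretch is unambiguous to later readers.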
@@ -53039,7 +53037,6 @@ CVE-2021-3593 (An invalid pointer initialization issue was found in the SLiRP ne
[bullseye] - libslirp 4.4.0-1+deb11u2
- qemu 1:4.1-2
[buster] - qemu <no-dsa> (Minor issue)
- [stretch] - qemu <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0)
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/de71c15de66ba9350bf62c45b05f8fbff166517b (v4.6.0)
NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed.
@@ -90724,7 +90721,6 @@ CVE-2021-20196 (A NULL pointer dereference flaw was found in the floppy disk emu
- qemu 1:6.2+dfsg-1 (bug #984453)
[bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[buster] - qemu <postponed> (Fix along in future DSA)
- [stretch] - qemu <postponed> (Fix along in future DLA)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1919210
NOTE: https://bugs.launchpad.net/qemu/+bug/1912780
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/338
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[04 Apr 2022] DLA-2970-1 qemu - security update
+ {CVE-2021-3593 CVE-2021-3748 CVE-2021-3930 CVE-2021-20196 CVE-2022-26354}
+ [stretch] - qemu 1:2.8+dfsg-6+deb9u17
[03 Apr 2022] DLA-2969-1 asterisk - security update
{CVE-2019-13161 CVE-2019-18610 CVE-2019-18790 CVE-2019-18976 CVE-2020-28242}
[stretch] - asterisk 1:13.14.1~dfsg-2+deb9u6
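Review bot: The CVE set on the new DLA-2970-1 entry names CVE-2022-26354, yet none of the data/CVE/list hunks in this commit touch that entry; only the four 2021 CVEs have their `[stretch]` line removed. Worth confirming that the CVE-2022-26354 entry carries no `[stretch]` annotation that would conflict with the fixed version 1:2.8+dfsg-6+deb9u17 recorded here.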
=====================================
data/dla-needed.txt
=====================================
@@ -120,10 +120,6 @@ pdns
puppet-module-puppetlabs-firewall
NOTE: 20220402: no Debian maintainers activity since 2018 (Beuc)
--
-qemu (Emilio)
- NOTE: 20220320: Vulnerable function appears to be vhost_vsock_send_transport_reset.
- NOTE: 20220320: Consider looking into postponed issues (apo)
---
ring (Abhijith PA)
NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc
NOTE: 20220404: package in archive is faulty. New regs can't be done due (abhijith)
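Review bot: Nothing in this commit records whether every postponed stretch qemu issue was covered: the removed line `NOTE: 20220320: Consider looking into postponed issues (apo)` was the only reminder, and data/CVE/list is edited for four entries only. Worth confirming that any qemu issue still tagged `[stretch] - qemu <postponed>` is deliberately left out of DLA-2970-1, since this file no longer tracks it.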
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62dc4544fbfe0e2407e9727b93db1c90f04819fb