[Git][security-tracker-team/security-tracker][master] CVE-2023-1544: Add note on disabled pvrdma support
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Mar 9 20:08:33 GMT 2024
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
cd278b57 by Salvatore Bonaccorso at 2024-03-09T20:58:55+01:00
CVE-2023-1544: Add note on disabled pvrdma support
Technically marking it as fixed with 1:8.0.2+dfsg-1 was just a
mitigation but not a fix on source-level. So not touching the fixed
version for now back to the original value. But add at same time a note
why we considered it fixed with 1:8.0.2+dfsg-1.
The bullseye version in fact did not contain the upstream fixing commit
and seems to have --disable-pvrdma only for the microvm case.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -58315,7 +58315,10 @@ CVE-2023-1544 (A flaw was found in the QEMU implementation of VMWare's paravirtu
[buster] - qemu <no-dsa> (Minor issue)
NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c7320d1641d344d0c5dfbe341d087 (v8.2.0-rc0)
- NOTE: Not fixed in 1:5.2+dfsg-11+deb11u3 as claimed in the changelog, contains the CVE-2022-1050 fix instead.
+ NOTE: Not fixed in 1:5.2+dfsg-11+deb11u3 as claimed in the changelog, contains the
+ NOTE: CVE-2022-1050 fix instead. In unstable 1:8.0.2+dfsg-1 disabled support for
+ NOTE: pvrdma (addressing/mitigating) CVE-2023-1544. Sourcewise fixed in v8.2.0
+ NOTE: upstream.
CVE-2023-28686 (Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows a ...)
{DSA-5379-1}
- dino-im 0.4.2-1 (bug #1033370)
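Review bot: The four added NOTE lines record the unstable mitigation but leave out the bullseye finding from the commit message, that bullseye lacks the upstream fixing commit and seems to pass --disable-pvrdma only for the microvm case. A further NOTE line saying so would let readers of data/CVE/list see why bullseye is still treated as affected without digging through the commit log. The new text also says "Sourcewise fixed in v8.2.0 upstream" while the "Fixed by:" line just above tags the same commit as v8.2.0-rc0; using one tag in both places avoids ambiguity. Finally, the parenthesis in "pvrdma (addressing/mitigating) CVE-2023-1544" reads as if it qualifies pvrdma; "disabled support for pvrdma, mitigating CVE-2023-1544" states more directly that 1:8.0.2+dfsg-1 is a build-time mitigation and not a source-level fix.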
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd278b57c92433404691097708a5dd2213211344