Debian Bug report logs - #869706
qemu: CVE-2017-10911
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 25 Jul 2017 19:48:02 UTC
Severity: serious
Tags: security, upstream
Found in version qemu/1:2.8+dfsg-6
Fixed in versions qemu/1:2.8+dfsg-7, qemu/1:2.8+dfsg-6+deb9u1, 1:2.8+dfsg-6+deb9u1
Done: Michael Tokarev <mjt@tls.msk.ru>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>: Bug#869706; Package src:qemu. (Tue, 25 Jul 2017 19:48:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Tue, 25 Jul 2017 19:48:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: qemu
Version: 1:2.8+dfsg-6
Severity: important
Tags: security upstream
Control: fixed -1 1:2.8+dfsg-6+deb9u1
Hi,
the following vulnerability was published for qemu.
CVE-2017-10911[0]:
| The make_response function in drivers/block/xen-blkback/blkback.c in
| the Linux kernel before 4.11.8 allows guest OS users to obtain
| sensitive information from host OS (or other guest OS) kernel memory by
| leveraging the copying of uninitialized padding fields in Xen
| block-interface response structures, aka XSA-216.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-10911
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10911
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as fixed in versions qemu/1:2.8+dfsg-6+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 25 Jul 2017 19:48:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>: Bug#869706; Package src:qemu. (Thu, 27 Jul 2017 09:45:22 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Thu, 27 Jul 2017 09:45:22 GMT)
Message #12 received at 869706@bugs.debian.org:
severity 863840 serious
severity 863943 serious
severity 864216 serious
severity 864219 serious
severity 864568 serious
severity 866674 serious
severity 865755 serious
severity 869706 serious
thanks
Hi Michael,
I'm raising the severity to RC for those bugs which were addressed in
stable but not yet in unstable, since that means a regression in
security fixes. I know it's just pro-forma, since at some point a
newer update of qemu will include those and likely to be fixed in time
for buster :)
Regards,
Salvatore
Severity set to 'serious' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Jul 2017 09:45:28 GMT)
Marked as fixed in versions qemu/1:2.8+dfsg-7. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 05 Aug 2017 14:00:08 GMT)
Reply sent to Michael Tokarev <mjt@tls.msk.ru>: You have taken responsibility. (Sun, 24 Sep 2017 10:33:04 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 24 Sep 2017 10:33:04 GMT)
Message #21 received at 869706-done@bugs.debian.org:
Version: 1:2.8+dfsg-6+deb9u1
Somehow this bug hasn't been closed. Do it now.
/mjt
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 Nov 2017 07:25:26 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:43:26 2019; Machine Name: buxtehude