Coming updates for meltdown/spectre

Debian Bug report logs - #886532

Reported by: Nigel Kukard <nkukard@lbsd.net>

Date: Sun, 7 Jan 2018 12:15:02 UTC

Severity: grave

Found in version qemu/1:2.1+dfsg-11

Fixed in versions qemu/1:2.12~rc3+dfsg-1, qemu/1:2.8+dfsg-6+deb9u4

Done: Michael Tokarev <mjt@tls.msk.ru>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#886532; Package qemu. (Sun, 07 Jan 2018 12:15:06 GMT)


Acknowledgement sent to Nigel Kukard <nkukard@lbsd.net>:
New Bug report received and forwarded. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Sun, 07 Jan 2018 12:15:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Nigel Kukard <nkukard@lbsd.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Coming updates for meltdown/spectre
Date: Sun, 7 Jan 2018 12:11:17 +0000
Package: qemu
Severity: grave


Is it going to be possible to include this patch in qemu please?

https://lists.nongnu.org/archive/html/qemu-devel/2018-01/msg00811.html


ref: https://www.qemu.org/2018/01/04/spectre/


-N




Marked as found in versions qemu/1:2.1+dfsg-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 07 Jan 2018 12:27:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#886532; Package qemu. (Wed, 14 Mar 2018 18:51:06 GMT)


Acknowledgement sent to Laurent Bigonville <bigon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Wed, 14 Mar 2018 18:51:06 GMT)


Message #12 received at 886532@bugs.debian.org:

From: Laurent Bigonville <bigon@debian.org>
To: 886532@bugs.debian.org
Subject: Re: Coming updates for meltdown/spectre
Date: Wed, 14 Mar 2018 19:46:22 +0100

On Sun, 7 Jan 2018 12:11:17 +0000 Nigel Kukard <nkukard@lbsd.net> wrote:
>
> Is it going to be possible to include this patch in qemu please?
>
> https://lists.nongnu.org/archive/html/qemu-devel/2018-01/msg00811.html
>
>
> ref: https://www.qemu.org/2018/01/04/spectre/
>

FTR, this seems to be part of 2.11.1; it would be nice to have it fixed in
unstable at least.

I don't know if there are backports of this patch for the 2.8 branch
used in stable.



Added tag(s) pending. Request was from <mjt@tls.msk.ru> to control@bugs.debian.org. (Sun, 01 Apr 2018 13:00:05 GMT)


Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Thu, 12 Apr 2018 17:09:35 GMT)


Notification sent to Nigel Kukard <nkukard@lbsd.net>:
Bug acknowledged by developer. (Thu, 12 Apr 2018 17:09:35 GMT)


Message #19 received at 886532-close@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: 886532-close@bugs.debian.org
Subject: Bug#886532: fixed in qemu 1:2.12~rc3+dfsg-1
Date: Thu, 12 Apr 2018 17:06:30 +0000
Source: qemu
Source-Version: 1:2.12~rc3+dfsg-1

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 886532@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 12 Apr 2018 19:04:03 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-common qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:2.12~rc3+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
 qemu       - fast processor emulator, dummy package
 qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 839695 851694 854959 860822 868030 872098 879193 879532 879534 879536 882136 884806 886532 886671 887207 887392 887892 891261 891375 892041 892497 892947 893767 894852
Changes:
 qemu (1:2.12~rc3+dfsg-1) unstable; urgency=medium
 .
   * new upstream 2.12 release (Release Candidate 3)
     Closes: #892041, CVE-2018-7550
     Closes: #884806, CVE-2017-15124
     Closes: #887392, CVE-2018-5683
     Closes: #892497, CVE-2018-7858
     Closes: #882136, CVE-2017-16845
     Closes: #886532, #892947, #891375, #887892, #860822, #851694
   * refresh local debian patches
   * d/rules: enable new system (hppa riscv32 riscv64) and
     user (aarch64_be xtensa xtensaeb riscv32 riscv64) targets
     Closes: #893767
   * fix d/source/options to match current reality
   * drop use-data-path.patch, upstream now has --firmwarepath= option
   * enable capstone disassembler library support
     (build-depend on libcapstone-dev)
   * debian/extract-config-opts: use tab for option / condition separator
   * qemu-block-extra: install only block modules
   * make `qemu' metapackage to be dummy, to remove it in a future release
   * do not suggest kmod, it is pointless
   * install /usr/bin/qemu-pr-helper to qemu-utils package
   * switch from sdl2 to gtk ui
     Closes: #839695, #886671, #879536, #879534, #879532, #879193, #894852
   * qemu-system-ppc: forgotten qemu-system-ppc64le.1 link
   * mention closing of #880582 by 2.11
   * package will be built against spice 0.14, so Closes: #854959
   * check sfdisk presence in qemu-make-debian-root (Closes: #872098)
   * check mke2fs presence in qemu-make-debian-root (Closes: #887207)
   * debian/binfmt-update-in: include forgotten hppa (Closes: #891261)
   * debian/TODO: removed some old ToDo items
   * use binfmt-support --fix-binary option (Closes: #868030)




Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Sun, 03 Jun 2018 11:03:07 GMT)


Notification sent to Nigel Kukard <nkukard@lbsd.net>:
Bug acknowledged by developer. (Sun, 03 Jun 2018 11:03:07 GMT)


Message #24 received at 886532-close@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: 886532-close@bugs.debian.org
Subject: Bug#886532: fixed in qemu 1:2.8+dfsg-6+deb9u4
Date: Sun, 03 Jun 2018 11:02:20 +0000
Source: qemu
Source-Version: 1:2.8+dfsg-6+deb9u4

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 886532@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 26 May 2018 13:06:04 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-common qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:2.8+dfsg-6+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
 qemu       - fast processor emulator
 qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 877890 880832 880836 882136 883399 883625 884806 886532 887392 892041
Changes:
 qemu (1:2.8+dfsg-6+deb9u4) stretch-security; urgency=high
 .
   * CVE-2017-5715 (spectre/meltdown) fixes for i386 and s390x:
     CVE-2017-5715/i386-increase-X86CPUDefinition-model_id-to-49.patch
     CVE-2017-5715/i386-add-support-for-SPEC_CTRL-MSR.patch
     CVE-2017-5715/i386-add-spec-ctrl-CPUID-bit.patch
     CVE-2017-5715/i386-add-FEAT_8000_0008_EBX-CPUID-feature-word.patch
     CVE-2017-5715/i386-add-new-IBRS-versions-of-Intel-CPU-models.patch
     CVE-2017-5715/s390x-kvm-introduce-branch-prediction-blocking-contr.patch
     CVE-2017-5715/s390x-kvm-handle-bpb-feature.patch
     Closes: #886532, CVE-2017-5715
   * multiboot-bss_end_addr-can-be-zero-CVE-2018-7550.patch
     Closes: #892041, CVE-2018-7550
   * vga-check-the-validation-of-memory-addr-when-draw-text-CVE-2018-5683.patch
     Closes: #887392, CVE-2018-5683
   * osdep-fix-ROUND_UP-64-bit-32-bit-CVE-2017-18043.patch
     Closes: CVE-2017-18043
   * virtio-check-VirtQueue-Vring-object-is-set-CVE-2017-17381.patch
     Closes: #883625, CVE-2017-17381
   * ps2-check-PS2Queue-pointers-in-post_load-routine-CVE-2017-16845.patch
     Closes: #882136, CVE-2017-16845
   * cirrus-fix-oob-access-in-mode4and5-write-functions-CVE-2017-15289.patch
     Closes: #880832, CVE-2017-15289
   * io-monitor-encoutput-buffer-size-from-websocket-GSource-CVE-2017-15268.patch
     Closes: #880836, CVE-2017-15268
   * nbd-server-CVE-2017-15119-Reject-options-larger-than-32M.patch
     Closes: #883399, CVE-2017-15119
   * 9pfs-use-g_malloc0-to-allocate-space-for-xattr-CVE-2017-15038.patch
     Closes: #877890, CVE-2017-15038
   * CVE-2017-15124 (VNC server unbounded memory usage) fixes:
     CVE-2017-15124/01-ui-remove-sync-parameter-from-vnc_update_client.patch
     CVE-2017-15124/02-ui-remove-unreachable-code-in-vnc_update_client.patch
     CVE-2017-15124/03-ui-remove-redundant-indentation-in-vnc_client_update.patch
     CVE-2017-15124/04-ui-avoid-pointless-VNC-updates-if-framebuffer-isn-t-.patch
     CVE-2017-15124/05-ui-track-how-much-decoded-data-we-consumed-when-doin.patch
     CVE-2017-15124/06-ui-introduce-enum-to-track-VNC-client-framebuffer-up.patch
     CVE-2017-15124/07-ui-correctly-reset-framebuffer-update-state-after-pr.patch
     CVE-2017-15124/08-ui-refactor-code-for-determining-if-an-update-should.patch
     CVE-2017-15124/09-ui-fix-VNC-client-throttling-when-audio-capture-is-a.patch
     CVE-2017-15124/10-ui-fix-VNC-client-throttling-when-forced-update-is-r.patch
     CVE-2017-15124/11-ui-place-a-hard-cap-on-VNC-server-output-buffer-size.patch
     CVE-2017-15124/12-ui-add-trace-events-related-to-VNC-client-throttling.patch
     CVE-2017-15124/13-ui-mix-misleading-comments-return-types-of-VNC-I-O-h.patch
     Closes: #884806, CVE-2017-15124




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 05 Jun 2019 07:50:19 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:11:01 2019; Machine Name: buxtehude
