Opened 6 years ago

Closed 6 years ago

#6952 closed enhancement (fixed)

qemu-2.4.0.1 (QEMU 2.4.0.1 CVE update released)

Reported by: Fernando de Oliveira Owned by: ken@…
Priority: high Milestone: 7.8
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

http://wiki.qemu.org/download/qemu-2.4.0.1.tar.bz2

http://wiki.qemu.org/download/qemu-2.4.0.1.tar.bz2.sig

https://lists.nongnu.org/archive/html/qemu-devel/2015-09/msg05832.html

This is a security release.

CVE-only releases will be regular releases for security (CVE-only) fixes.

qemu-devel

[Qemu-devel] [ANNOUNCE] QEMU 2.4.0.1 CVE update released
From: 	Michael Roth
Subject: 	[Qemu-devel] [ANNOUNCE] QEMU 2.4.0.1 CVE update released
Date: 	Tue, 22 Sep 2015 18:36:23 -0500

Hi everyone,

As part of recent planning around stable releases discussed during
KVM Forum, I'm releasing the first of what will be regular (hopefully
not *too* regular) CVE-only stable updates. These updates are
intended to reduce the gap between vulnerability disclosures and
patched/packaged releases.

Please see the changelog for CVE numbers/details. Users are
encouraged to update as soon as possible.

v2.4.0.1 is now tagged in the official qemu.git repository,
and the stable-2.4 branch has been updated accordingly:

  http://git.qemu.org/?p=qemu.git;a=shortlog;h=refs/heads/stable-2.4

These CVE-only releases are produced as-needed and are on no set
release schedule.

Full stable releases are still tentatively planned to continue as they
(mostly) have in the past: 1 mid-cycle stable update, and 1 stable update
at the end of each release cycle, with freeze dates announced in advance
to pull together important fixes. v2.4.1 is currently planned for
2015-10-20:

  http://wiki.qemu.org/Planning/2.4

Thank you to everyone involved!

CHANGELOG:

 • 83c92b4: Update version for 2.4.0.1 release (Michael Roth)
 • 5a1ccdf: net: avoid infinite loop when receiving
   packets(CVE-2015-5278) (P J P)
 • 7aa2bca: net: add checks to validate ring buffer
   pointers(CVE-2015-5279) (P J P)
 • 3a56af1: e1000: Avoid infinite loop in processing transmit descriptor 
 • (CVE-2015-6815) (P J P)
 • efec4dc: vnc: fix memory corruption (CVE-2015-5225) (Gerd Hoffmann)

Change History (2)

comment:1 by ken@…, 6 years ago

Owner: changed from blfs-book@… to ken@…
Status: newassigned

comment:2 by ken@…, 6 years ago

Resolution: fixed
Status: assignedclosed

Done at r16459.

Note: See TracTickets for help on using tickets.