Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.1124
qemu security update
10 May 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: qemu
Publisher: Debian
Operating System: Debian GNU/Linux 8
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2016-3712 CVE-2016-3710
Reference: ESB-2016.1122
Original Bulletin:
http://www.debian.org/security/2016/dsa-3573
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3573-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 09, 2016 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : qemu
CVE ID : CVE-2016-3710 CVE-2016-3712
Debian Bug : 823830
Several vulnerabilities were discovered in qemu, a fast processor
emulator.
CVE-2016-3710
Wei Xiao and Qinghao Tang of 360.cn Inc discovered an out-of-bounds
read and write flaw in the QEMU VGA module. A privileged guest user
could use this flaw to execute arbitrary code on the host with the
privileges of the hosting QEMU process.
CVE-2016-3712
Zuozhi Fzz of Alibaba Inc discovered potential integer overflow
or out-of-bounds read access issues in the QEMU VGA module. A
privileged guest user could use this flaw to mount a denial of
service (QEMU process crash).
For the stable distribution (jessie), these problems have been fixed in
version 1:2.1+dfsg-12+deb8u6.
We recommend that you upgrade your qemu packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJXMPFjAAoJEAVMuPMTQ89EQQ4P/jxdTbcjsT91JzI6wfy9gSxh
sgmOrGDY89DrKq62RyckzOgN2E8s32ecmYhAFEx6LtUZW/H1L8syqHLvhbDh0tVh
N4GOpg7ZmdUAG1xwKJEaWFNfqsQ8yDN/fvVb5J+2oRcAMrVCuxlyEg3CsBowpuF3
7laW65XZjt/b/jpMhzcoc9O6+T54VYDCd8P279Tk/f0B3H4P0zMKJdtgvYRizS+A
oeD4NKzzgVov5zg+VHu78w2wR2Oi9cRYjNqXszTywpuiv5rvMfeidT4xssN5VMMR
2d2/vFm7DMZeDMXfG+R9VsWH3Y/OQ5SzDZpvu+/DFlN7uYWYjvxQq4MsDuXrkg60
bU0c5EDbqy40x/IZ9BnnCUJJ8P+OcXU2m5Z9q3BPPcmWf106jDZxHs3mhXJg6IoC
k+SEBN73gEOF2wHS/52A0lDa8yCaedzGMbz2gni7+6CjtW9mweEzGUnMv8w0AHb0
/M86FpsYtT9f3OMfbPx1gX3DA4ORYnP1reBc5NHBVgbcR/tEPGNR7f6bkP3EnD/K
S74j7JAxuQfbPsK2fNo5cgo4Slr+o6jEtVmwmvTGi6q+LbWULfTnrnERSyr9oFbx
JuVAGM8Mk+KmOwXh1ChwwxdiDvNEfBH7bEe6PsuQL0x8m2X1IDtWVfejUTW+izz1
L6AMYZU8Rme0+ju43eId
=Hmh5
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVzE3vH6ZAP0PgtI9AQKS4w//Z95NwAtyB926V9Jovcqlt5Hoho5gK8Y7
D3kPM3Thw1q8nMR6nYpOGAB1DP3yTC0RdseV993+zLylkS/RwIHEf+YJijEjAnUW
zwxH4CPTTzWWeVMgewF+OSLXPI+FHkfteJnqipFOtLjajGq2YsvhAQgc7mwmdmBu
/e6NwaZZ9mfd7vs+q14seSmM1fNcF37UHQkFyW+NQeDMze9sFXiS8NOk7MyNtYZV
v50wKO5WnDy+24+UHHpJQprT4qRDwT0GLBP6EE7kNgVC6fKhHUx5foI3Iji10QzE
lxVDD2nQzBw6UwqG8Rvfre9YMkXbkQqqF/Jhhz7+Xt7/nEy2Rba0nG4+Q2dYiim7
rUr6ClbPsSDG3vpbNz6tkGADAojXKMrt7paST4W8lPgW9Up8ijoGqsCcYOqme+Cd
u4RmLWwaNB4twSlXpudhWyIjbnP4B8xz3wHTJhrMC/o/jdMIVFmZ6jJD+qRf0THK
nFsAvjdUW9MqZySRVTl8mE72V8oFH1e73UH91JhgUfSeSxnccP/sSww2f8bry5tK
w/c+7YWN3FWfUvwnAMXNiIDiuzbMRxJxTo75u+CkNvedn5U+1S4Zngo4o6dEHarW
eqnWhXsxEGzTCJq2G7HDzREmhdmETeN+FAyz6AlRtqRgNVERySl7nnZouTFimy9a
0wavkluuV4k=
=3ScE
-----END PGP SIGNATURE-----