RedHat has issued an advisory today (May 13); https://rhn.redhat.com/errata/RHSA-2015-0999.html The press has already caught wind of this issue, for example here: http://www.zdnet.com/article/venom-security-flaw-millions-of-virtual-machines-datacenters/ Patched packages uploaded for Mageia 4 and Cauldron. Advisory: ======================== Updated qemu packages fix security vulnerability: An out-of-bounds memory access flaw was found in the way QEMU's virtual Floppy Disk Controller (FDC) handled FIFO buffer access while processing certain FDC commands. A privileged guest user could use this flaw to crash the guest or, potentially, execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest (CVE-2015-3456). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456 https://rhn.redhat.com/errata/RHSA-2015-0999.html ======================== Updated packages in core/updates_testing: ======================== qemu-1.6.2-1.10.mga4 qemu-img-1.6.2-1.10.mga4 from qemu-1.6.2-1.10.mga4.src.rpm Reproducible: Steps to Reproduce:
Testing procedures: https://bugs.mageia.org/show_bug.cgi?id=13096#c34 https://bugs.mageia.org/show_bug.cgi?id=6694#c3
Whiteboard: (none) => has_procedure
Testing complete mga4 32 and 64 https://bugs.mageia.org/show_bug.cgi?id=13096#c34
Whiteboard: has_procedure => has_procedure mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Please push to 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0220.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/644256/