QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. QEMU has two operating modes:

* Full system emulation. In this mode, QEMU emulates a full system (for example a PC), including a processor and various peripherals. It can be used to launch different Operating Systems without rebooting the PC or to debug system code.
* User mode emulation. In this mode, QEMU can launch Linux processes compiled for one CPU on another CPU.

As QEMU requires no host kernel patches to run, it is safe and easy to use.

--------------------------------------------------------------------------------
Update Information:

* Fix xen pv graphical display failure (bz #1350264)
* CVE-2016-8667: dma: divide by zero error in set_next_tick (bz #1384876)
* CVE-2017-5579: serial: fix memory leak in serial exit (bz #1416161)

--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1384874 - CVE-2016-8667 Qemu: hw: dma: divide by zero error in set_next_tick
      https://bugzilla.redhat.com/show_bug.cgi?id=1384874
[ 2 ] Bug #1416157 - CVE-2017-5579 Qemu: serial: host memory leakage 16550A UART emulation
      https://bugzilla.redhat.com/show_bug.cgi?id=1416157

--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade qemu' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
CVE-2017-5579 is mentioned in bug #18489, comment #78
CVE-2016-8667 is mentioned in bug #18489, comment #65

@ David W. & Thierry

Bug 18489 is only about Mageia 5, I guess it's better to keep a separate report for cauldron?

The last time CVEs were mentioned in the cauldron qemu changelog was on 2016-10-19, when (amongst others) CVE-2016-7466, CVE-2016-8576 and CVE-2016-7995 were fixed. Those CVEs were mentioned in bug #18489, comment #55.

However, qemu-2.8.0, which we got on 2016-12-22, probably contained fixes for part of the security issues that got CVEs after 2016-10-19. I didn't manage to find a list of CVEs that were fixed by 2.8.0.

Last Qemu versions upstream are 2.8.1.1 and 2.9.0, both released on Apr 20 2017 (2.9.0 is the unstable branch?). I don't manage to find which CVEs they fix, either :-/

@ all packagers collectively

Please don't hesitate to offer to help fix qemu, if you can help!
QA Contact: (none) => security
Component: RPM Packages => Security
CC: (none) => marja11, pkg-bugs
Blocks: (none) => 18489
Source RPM: qemu => qemu-2.8.0-5.mga6
really assigning, now :-(
Assignee: bugsquad => thierry.vignaud
Already reported here with the hundreds of other qemu CVEs:
https://bugs.mageia.org/show_bug.cgi?id=18489#c78

*** This bug has been marked as a duplicate of bug 18489 ***
Resolution: (none) => DUPLICATE
Blocks: 18489 => (none)
Status: NEW => RESOLVED