Debian Security Advisory
DLA-249-1 qemu-kvm -- LTS security update
- Date Reported: 19 Jun 2015
- Affected Packages: qemu-kvm
- Vulnerable: Yes
- Security database references: In Mitre's CVE dictionary: CVE-2015-3456.
- More information:
A vulnerability was discovered in the qemu virtualisation solution:
- CVE-2015-3456
Jason Geffner discovered a buffer overflow in the emulated floppy disk drive, resulting in the potential execution of arbitrary code.
Despite the end-of-life of qemu-kvm support in the old-oldstable distribution (squeeze-lts), this problem has been fixed in version 0.12.5+dfsg-5+squeeze11 of the qemu-kvm source package due to its severity (the so-called VENOM vulnerability).
Further problems may still be present in the qemu-kvm package in the old-oldstable distribution (squeeze-lts) and users who need to rely on qemu-kvm are encouraged to upgrade to a newer version of Debian.
We recommend that you upgrade your qemu-kvm packages.