Debian Security Advisory

DLA-248-1 qemu -- LTS security update

Date Reported: 19 Jun 2015
Affected Packages: qemu
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2015-3456.

More information:

A vulnerability was discovered in the qemu virtualisation solution:

  • CVE-2015-3456

    Jason Geffner discovered a buffer overflow in the emulated floppy disk drive, resulting in the potential execution of arbitrary code.

    Despite the end-of-life of qemu support in the old-oldstable distribution (squeeze-lts), this problem, the so-called VENOM vulnerability, has been fixed in version 0.12.5+dfsg-3squeeze4 of the qemu source package due to its severity.

    Further problems may still be present in the qemu package in the old-oldstable distribution (squeeze-lts), and users who need to rely on qemu are encouraged to upgrade to a newer version of Debian.

    We recommend that you upgrade your qemu packages.