Debian Security Advisory
DSA-3349-1 qemu-kvm -- security update
- Date Reported:
- 02 Sep 2015
- Affected Packages:
- qemu-kvm
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2015-5165, CVE-2015-5745.
- More information:
-
Several vulnerabilities were discovered in qemu-kvm, a full virtualization solution on x86 hardware.
- CVE-2015-5165
Donghai Zhu discovered that the QEMU model of the RTL8139 network card did not sufficiently validate inputs in the C+ mode offload emulation, allowing a malicious guest to read uninitialized memory from the QEMU process's heap.
- CVE-2015-5745
A buffer overflow vulnerability was discovered in the way QEMU handles the virtio-serial device. A malicious guest could use this flaw to mount a denial of service (QEMU process crash).
For the oldstable distribution (wheezy), these problems have been fixed in version 1.1.2+dfsg-6+deb7u9.
We recommend that you upgrade your qemu-kvm packages.
- CVE-2015-5165