Debian Security Advisory

DSA-3991-1 qemu -- security update

Date Reported:
03 Oct 2017
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2017-9375, CVE-2017-12809, CVE-2017-13672, CVE-2017-13711, CVE-2017-14167.
More information:

Multiple vulnerabilities were found in qemu, a fast processor emulator:

  • CVE-2017-9375

    Denial of service via memory leak in USB XHCI emulation.

  • CVE-2017-12809

    Denial of service in the CDROM device drive emulation.

  • CVE-2017-13672

    Denial of service in VGA display emulation.

  • CVE-2017-13711

    Denial of service in SLIRP networking support.

  • CVE-2017-14167

    Incorrect validation of multiboot headers could result in the execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in version 1:2.8+dfsg-6+deb9u3.

We recommend that you upgrade your qemu packages.