Debian has Released Critical Security Update for qemu

Debian has released security update for qemu package.

This release fixes 12 vulnerabilities against qemu package.

Issue Reported On: N/A

Fix Released On: 30-May-2019

Severity Level: Critical

Affected Packages: qemu

Affected Operating System & Version:

  • Debian 8 (Jessie)
  • Debian 9 (Stretch)

Details:

Multiple security issues were discovered in QEMU, a fast processor emulator, which could result in denial of service, the execution of arbitrary code or information disclosure.

In addition this update backports support to passthrough the new md-clear CPU flag added in the intel-microcode update shipped in DSA 4447 to x86-based guests.

It’s recommended to update the qemu package ASAP.

For more details about the security issues, and other related information, refer to the CVE pages.

Debian Security Advisory References:

Security Database References (CVE):

Solution:

  • These issue have been fixed on Debian 9 (Stretch) in version 1:2.8+dfsg-6+deb9u7.
  • These issue have been fixed on Debian 8 (Jessie) in version 1:2.1+dfsg-12+deb8u11.

Run the following command to install the above updates.

$ sudo apt install --only-upgrade qemu
or
$ sudo apt-install unattended-upgrades

The installed security fixes can be verified in the package change log using the following methods.

Using manual method.

$ zgrep -i "CVE-2018-11806\|CVE-2018-12617\|CVE-2018-16872\|CVE-2018-17958\|CVE-2018-18849\|CVE-2018-18954\|CVE-2018-19364\|CVE-2018-19489\|CVE-2019-3812\|CVE-2019-6778\|CVE-2019-9824\|CVE-2019-12155" /usr/share/doc/evolution/changelog.Debian.gz

Using debsecan command.

$ debsecan | grep qemu

Leave a Reply

Your email address will not be published. Required fields are marked *