Debian has released a security update for the qemu package.
This release fixes 12 vulnerabilities in the qemu package.
Issue Reported On: N/A
Fix Released On: 30-May-2019
Severity Level: Critical
Affected Packages: qemu
Affected Operating System & Version:
- Debian 8 (Jessie)
- Debian 9 (Stretch)
Details:
Multiple security issues were discovered in QEMU, a fast processor emulator, which could result in denial of service, the execution of arbitrary code or information disclosure.
In addition, this update backports support for passing through the new md-clear CPU flag, added in the intel-microcode update shipped in DSA 4447, to x86-based guests.
It’s recommended to update the qemu package ASAP.
For more details about the security issues, and other related information, refer to the CVE pages.
Debian Security Advisory References:
Security Database References (CVE):
- CVE-2018-11806
- CVE-2018-12617
- CVE-2018-16872
- CVE-2018-17958
- CVE-2018-18849
- CVE-2018-18954
- CVE-2018-19364
- CVE-2018-19489
- CVE-2019-3812
- CVE-2019-6778
- CVE-2019-9824
- CVE-2019-12155
Solution:
- These issues have been fixed on Debian 9 (Stretch) in version 1:2.8+dfsg-6+deb9u7.
- These issues have been fixed on Debian 8 (Jessie) in version 1:2.1+dfsg-12+deb8u11.
Run one of the following commands to install the above updates.
$ sudo apt install --only-upgrade qemu
or
$ sudo apt install unattended-upgrades
The installed security fixes can be verified in the package change log using the following methods.
Using the manual method.
$ zgrep -i "CVE-2018-11806\|CVE-2018-12617\|CVE-2018-16872\|CVE-2018-17958\|CVE-2018-18849\|CVE-2018-18954\|CVE-2018-19364\|CVE-2018-19489\|CVE-2019-3812\|CVE-2019-6778\|CVE-2019-9824\|CVE-2019-12155" /usr/share/doc/qemu/changelog.Debian.gz
Using the debsecan command.
$ debsecan | grep qemu