Debian 10235 Published by

A qemu security update has been released for Debian GNU/Linux 8 LTS to address several vulnerabilities in qemu.



DLA 2262-1: qemu security update



Package : qemu
Version : 1:2.1+dfsg-12+deb8u15
CVE ID : CVE-2020-1983 CVE-2020-13361 CVE-2020-13362 CVE-2020-13765
Debian Bug :

Several vulnerabilities were fixed in qemu,
a fast processor emulator.

CVE-2020-1983

slirp: Fix use-after-free in ip_reass().

CVE-2020-13361

es1370_transfer_audio in hw/audio/es1370.c
allowed guest OS users to trigger an out-of-bounds access
during an es1370_write() operation.

CVE-2020-13362

megasas_lookup_frame in hw/scsi/megasas.c had
an out-of-bounds read via a crafted reply_queue_head field from
a guest OS user.

CVE-2020-13765

hw/core/loader: Fix possible crash in rom_copy().

For Debian 8 "Jessie", these problems have been fixed in version
1:2.1+dfsg-12+deb8u15.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at:   https://wiki.debian.org/LTS