El-errata: ELSA-2021-9425 Important: Oracle Linux 7 qemu security update
Oracle Linux Security Advisory ELSA-2021-9425
http://linux.oracle.com/errata/ELSA-2021-9425.html
The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:
x86_64:
qemu-common-4.2.1-11.el7.x86_64.rpm
qemu-system-x86-core-4.2.1-11.el7.x86_64.rpm
qemu-block-gluster-4.2.1-11.el7.x86_64.rpm
qemu-block-iscsi-4.2.1-11.el7.x86_64.rpm
qemu-block-rbd-4.2.1-11.el7.x86_64.rpm
qemu-img-4.2.1-11.el7.x86_64.rpm
qemu-4.2.1-11.el7.x86_64.rpm
qemu-kvm-4.2.1-11.el7.x86_64.rpm
qemu-kvm-core-4.2.1-11.el7.x86_64.rpm
qemu-system-x86-4.2.1-11.el7.x86_64.rpm
SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/qemu-4.2.1-11.el7.src.rpm
Related CVEs:
CVE-2021-3392
CVE-2021-3527
CVE-2021-3544
CVE-2021-3545
CVE-2021-3546
CVE-2021-3582
CVE-2021-3607
CVE-2021-3608
Description of changes:
[15:4.2.1-11.el7]
- pvrdma: Fix the ring init error flow (CVE-2021-3608) (Marcel Apfelbaum) [Orabug: 33120142] {CVE-2021-3608}
- pvrdma: Ensure correct input on ring init (CVE-2021-3607) (Marcel Apfelbaum) [Orabug: 33120146] {CVE-2021-3607}
- hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) (Marcel Apfelbaum) [Orabug: 33120084] {CVE-2021-3582}
- vhost-user-gpu: reorder free calls. (Gerd Hoffmann) [Orabug: 32950701] {CVE-2021-3544}
- vhost-user-gpu: abstract vg_cleanup_mapping_iov (Li Qiang) [Orabug: 32950716] {CVE-2021-3546}
- vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546) (Li Qiang) [Orabug: 32950716] {CVE-2021-3546}
- vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544) (Li Qiang) [Orabug: 32950701] {CVE-2021-3544}
- vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544) (Li Qiang) [Orabug: 32950701] {CVE-2021-3544}
- vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544) (Li Qiang) [Orabug: 32950701] {CVE-2021-3544}
- vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544) (Li Qiang) [Orabug: 32950701] {CVE-2021-3544}
- vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544) (Li Qiang) [Orabug: 32950701] {CVE-2021-3544}
- vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545) (Li Qiang) [Orabug: 32950708] {CVE-2021-3545}
- usb: limit combined packets to 1 MiB (CVE-2021-3527) (Gerd Hoffmann) [Orabug: 32842778] {CVE-2021-3527}
- usb/redir: avoid dynamic stack allocation (CVE-2021-3527) (Gerd Hoffmann) [Orabug: 32842778] {CVE-2021-3527}
- mptsas: Remove unused MPTSASState 'pending' field (CVE-2021-3392) (Michael Tokarev) [Orabug: 32470463] {CVE-2021-3392}
A qemu security update has been released for Oracle Linux 7.