SUSE_ALP_Standard/patchinfo.20240830091202805976.269002615871826/_patchinfo

59 lines
2.9 KiB
Plaintext

<patchinfo>
<!-- generated from request(s) 343333 -->
<issue tracker="bnc" id="1221812">qemu coredump when virsh migrate postcopy + virsh migrate-postcopy on sle15sp6 kvm host</issue>
<issue tracker="bnc" id="1227322">VUL-0: CVE-2024-4467: qemu: 'qemu-img info' leads to host file read/write</issue>
<issue tracker="bnc" id="1229007">VUL-0: CVE-2024-7409: qemu: denial of service via improper synchronization in QEMU NBD Server during socket closure</issue>
<issue tracker="cve" id="2024-4467"/>
<issue tracker="cve" id="2024-7409"/>
<packager>dfaggioli</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for qemu</summary>
<description>This update for qemu fixes the following issues:
- Fix bsc#1221812:
* block: Reschedule query-block during qcow2 invalidation (bsc#1221812)
- Fix bsc#1229007, CVE-2024-7409:
* nbd/server: CVE-2024-7409: Close stray clients at server-stop (bsc#1229007)
* nbd/server: CVE-2024-7409: Drop non-negotiating clients (bsc#1229007)
* nbd/server: CVE-2024-7409: Cap default max-connections to 100 (bsc#1229007)
* nbd/server: Plumb in new args to nbd_client_add() (bsc#1229007, CVE-2024-7409)
* nbd: Minor style and typo fixes (bsc#1229007, CVE-2024-7409)
- Update to version 8.2.6:
Full backport lists (from the various releases) here:
https://lore.kernel.org/qemu-devel/1721203806.547734.831464.nullmailer@tls.msk.ru/
Some of the upstream backports are:
hw/nvme: fix number of PIDs for FDP RUH update
sphinx/qapidoc: Fix to generate doc for explicit, unboxed arguments
char-stdio: Restore blocking mode of stdout on exit
virtio: remove virtio_tswap16s() call in vring_packed_event_read()
virtio-pci: Fix the failure process in kvm_virtio_pci_vector_use_one()
block: Parse filenames only when explicitly requested
iotests/270: Don't store data-file with json: prefix in image
iotests/244: Don't store data-file with protocol in image
qcow2: Don't open data_file with BDRV_O_NO_IO (bsc#1227322, CVE-2024-4467)
target/arm: Fix FJCVTZS vs flush-to-zero
target/arm: Fix VCMLA Dd, Dn, Dm[idx]
i386/cpu: fixup number of addressable IDs for processor cores in the physical package
tests: Update our CI to use CentOS Stream 9 instead of 8
migration: Fix file migration with fdset
tcg/loongarch64: Fix tcg_out_movi vs some pcrel pointers
target/sparc: use signed denominator in sdiv helper
linux-user: Make TARGET_NR_setgroups affect only the current thread
accel/tcg: Fix typo causing tb-&gt;page_addr[1] to not be recorded
stdvga: fix screen blanking
hw/audio/virtio-snd: Always use little endian audio format
ui/gtk: Draw guest frame at refresh cycle
virtio-net: drop too short packets early
target/i386: fix size of EBP writeback in gen_enter()
</description>
<package>qemu</package>
<package>qemu:qemu-linux-user</package>
<seperate_build_arch/>
</patchinfo>