-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michael Tokarev uploaded new packages for qemu-kvm which fixed the following security issues:
CVE-2011-0011 Setting the VNC password to an empty string silently disabled all authentication. CVE-2011-1750 The virtio-blk driver performed insufficient validation of read/write I/O from the guest instance, which could lead to denial of service or privilege escalation. CVE-2011-1751 Incorrect memory handling during the removal of ISA devices in KVM could lead to denial of service of the execution of arbitrary code. CVE-2011-2512 incorrect sanitising of virtio queue commands in KVM could lead to denial of service of the execution of arbitrary code. CVE-2010-2784 The subpage MMIO initialization functionality in the subpage_register function in exec.c in KVM does not properly select the index for access to the callback array, which allows guest OS users to cause a denial of service (guest OS crash) or possibly gain privileges via unspecified vectors. For the lenny-backports distribution the problem has been fixed in version 0.12.5+dfsg-5+squeeze4~bpo50+1. If you don't use pinning (see [1]) you have to update the package manually via "apt-get -t lenny-backports install <packagelist>" with the packagelist of your installed packages affected by this update. [1] <http://backports.debian.org/Instructions> We recommend to pin (in /etc/apt/preferences) the backports repository to 200 so that new versions of installed backports will be installed automatically. Package: * Pin: release a=lenny-backports Pin-Priority: 200 We recommend that you upgrade your qemu-kvm packages. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iJwEAQECAAYFAk4R0mAACgkQUlPFrXTwyDi93QQAu6m6l9yan86vrTLw1MGiVqNH +ugCuIuLJbkXbP1QMgR/fSSFLa4tz+JqYx8MrHFi02G9RwqWYFN7ZPht0WF0wLOn nMOG9vsMfEg+svCgc353lVjgtGIciG8vBMnP5ZCHVOMjBq3KsyyoJ5pZwXc1jI6D 8Wi5gYxZzv2yqpvYNhs= =9nCj -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
