Hi everyone, I am pleased to announce that the QEMU v2.3.1 stable release is now available at:
http://wiki.qemu.org/download/qemu-2.3.1.tar.bz2

v2.3.1 is now tagged in the official qemu.git repository, and the stable-2.3 branch has been updated accordingly:

http://git.qemu.org/?p=qemu.git;a=shortlog;h=refs/heads/stable-2.3

In addition to the normal array of general bug fixes, this release includes a significant number of security fixes/hardening for a broad range of subsystems, including rtl8139 NIC emulation, Spice/Cirrus/vmware VGA emulation, i8254 PIT emulation, and IDE/SCSI/FDC emulation. See commit/change logs for more details.

Users of QEMU 2.3.0 should upgrade to 2.3.1 or 2.4.0 (which also contains the above fixes) accordingly.

Thank you to everyone involved!

CHANGELOG:

dfa83a6: Update version for 2.3.1 release (Michael Roth)
35a616e: qemu-char: handle EINTR for TCP character devices (Paolo Bonzini)
35c30d3: rtl8139: check TCP Data Offset field (CVE-2015-5165) (Stefan Hajnoczi)
f4c861f: rtl8139: skip offload on short TCP header (CVE-2015-5165) (Stefan Hajnoczi)
b7a197c: rtl8139: check IP Total Length field (CVE-2015-5165) (Stefan Hajnoczi)
8561109: rtl8139: check IP Header Length field (CVE-2015-5165) (Stefan Hajnoczi)
ce4f451: rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165) (Stefan Hajnoczi)
6722c12: rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165) (Stefan Hajnoczi)
8dd45dc: rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165) (Stefan Hajnoczi)
e750591: tcg/mips: fix add2 (Aurelien Jarno)
f9c0ae2: tcg/mips: fix TLB loading for BE host with 32-bit guests (Aurelien Jarno)
c8bd74d: Fix release_drive on unplugged devices (pci_piix3_xen_ide_unplug) (Stefano Stabellini)
d155769: ide: Clear DRQ after handling all expected accesses (Kevin Wolf)
86d6fe4: ide/atapi: Fix START STOP UNIT command completion (Kevin Wolf)
9634e45: ide: Check array bounds before writing to io_buffer (CVE-2015-5154) (Kevin Wolf)
0dc545e: block: qemu-iotests - add check for multiplication overflow in vpc (Jeff Cody)
358f0ee: block: vpc - prevent overflow if max_table_entries >= 0x40000000 (Jeff Cody)
961c74a: scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158) (Paolo Bonzini)
98fe91e: vfio/pci: Fix bootindex (Alex Williamson)
46addaa: virtio-net: unbreak any layout (Jason Wang)
5a45687: vfio/pci: Fix RTL8168 NIC quirks (Alex Williamson)
87740ce: mips/kvm: Sign extend registers written to KVM (James Hogan)
8df2a9a: mips/kvm: Fix Big endian 32-bit register access (James Hogan)
c5c71e8: block: Initialize local_err in bdrv_append_temp_snapshot (Fam Zheng)
2060efa: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES (马文霜)
8d64975: target-ppc: fix hugepage support when using memory-backend-file (Michael Roth)
9b4420a: spapr_vty: lookup should only return valid VTY objects (David Gibson)
99c3468: s390x/ipl: Fix boot if no bootindex was specified (Christian Borntraeger)
1c17e8c: block/nfs: limit maximum readahead size to 1MB (Peter Lieven)
ffd060d: iotests: add QMP event waiting queue (John Snow)
e4fb4be: iotests: Use event_wait in wait_ready (Fam Zheng)
edc0a65: qemu-iotests: Add test case for mirror with unmap (Fam Zheng)
c62f6c8: qemu-iotests: Make block job methods common (Fam Zheng)
3d8b7ae: block: Fix dirty bitmap in bdrv_co_discard (Fam Zheng)
27ed14c: mirror: Do zero write on target if sectors not allocated (Fam Zheng)
6a45a1b: qmp: Add optional bool "unmap" to drive-mirror (Fam Zheng)
6cacd26: block: Add bdrv_get_block_status_above (Fam Zheng)
e8248a5: virtio-ccw: complete handling of guest-initiated resets (Cornelia Huck)
81cb0a5: vhost: correctly pass error to caller in vhost_dev_enable_notifiers() (Jason Wang)
6130c46: hw/core: rebase sysbus_get_fw_dev_path() to g_strdup_printf() (Laszlo Ersek)
49ef542: i8254: fix out-of-bounds memory access in pit_ioport_read() (Petr Matousek)
c270245: spice-display: fix segfault in qemu_spice_create_update (Gerd Hoffmann)
9272707: sdl2: fix crash in handle_windowevent() when restoring the screen size (Alberto Garcia)
c759f1a: vmdk: Use vmdk_find_index_in_cluster everywhere (Fam Zheng)
714b544: vmdk: Fix index_in_cluster calculation in vmdk_co_get_block_status (Fam Zheng)
e7e0838: iotests: qcow2 COW with minimal L2 cache size (Max Reitz)
c631ee6: qcow2: Set MIN_L2_CACHE_SIZE to 2 (Max Reitz)
b153c8d: kbd: add brazil kbd keys to x11 evdev map (Gerd Hoffmann)
f450482: kbd: add brazil kbd keys to qemu (Gerd Hoffmann)
ae0fa48: qga/commands-posix: Fix bug in guest-fstrim (Justin Ossevoort)
bb3a1da: hw/acpi/aml-build: Fix memory leak (Shannon Zhao)
b48a391: qemu-iotests: Test unaligned sub-block zero write (Fam Zheng)
cc883fe: block: Fix NULL deference for unaligned write if qiov is NULL (Fam Zheng)
4072585: Revert "block: Fix unaligned zero write" (Michael Roth)
959fad0: fdc: force the fifo access to be in bounds of the allocated buffer (Petr Matousek)
a4bb522: target-arm: Avoid buffer overrun on UNPREDICTABLE ldrd/strd (Peter Maydell)
cf6c213: virtio-net: fix the upper bound when trying to delete queues (Jason Wang)
cf32978: usb: fix usb-net segfault (Michal Kazior)
ad9c167: qcow2: Flush pending discards before allocating cluster (Kevin Wolf)
d8e231f: vmdk: Fix overflow if l1_size is 0x20000000 (Fam Zheng)
53cd79c: vmdk: Fix next_cluster_sector for compressed write (Fam Zheng)
3dd15f3: nbd/trivial: fix type cast for ioctl (Bogdan Purcareata)
4c59860: Strip brackets from vnc host (Ján Tomko)
b575af0: block/iscsi: do not forget to logout from target (Peter Lieven)
d3b5978: bt-sdp: fix broken uuids power-of-2 calculation (Stefan Hajnoczi)
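The changelog above is a flat list of "hash: subject (Author)" entries, some of them tagged with the CVE they fix, and the operational question for an administrator is whether a given QEMU build already carries the CVE-2015-5154/5158/5165 commits. The following script is an added example (not part of this announcement or of the QEMU project): it parses entries in the announcement's format, groups the CVE-tagged commits by CVE id, emits the `git merge-base --is-ancestor` checks that prove a commit is merged into a qemu.git checkout, and applies the announcement's "2.3.0 should move to 2.3.1 or 2.4.0" advice to a `qemu-system-* --version` banner. The sample changelog text embedded in it is a constructed excerpt copied from the list above; the version banner is a constructed sample too.

```python
import re

# Constructed sample: five entries copied from the announcement's changelog, in
# the flattened one-line form the mailing-list archive shows them in.
SAMPLE_CHANGELOG = (
    "dfa83a6: Update version for 2.3.1 release (Michael Roth) "
    "35c30d3: rtl8139: check TCP Data Offset field (CVE-2015-5165) (Stefan Hajnoczi) "
    "9634e45: ide: Check array bounds before writing to io_buffer (CVE-2015-5154) (Kevin Wolf) "
    "961c74a: scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158) (Paolo Bonzini) "
    "c8bd74d: Fix release_drive on unplugged devices (pci_piix3_xen_ide_unplug) (Stefano Stabellini)"
)

# An entry starts with an abbreviated git hash followed by ': '; split just
# before each such token so subjects containing spaces or parentheses survive.
SPLIT_RE = re.compile(r"\s+(?=[0-9a-f]{7,40}: )")
# hash, subject (greedy, so nested '(...)' such as '(CVE-2015-5165)' stay in
# it), and the trailing '(Author)' group, the last parenthesised group.
ENTRY_RE = re.compile(r"^([0-9a-f]{7,40}): (.+) \(([^()]+)\)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text):
    """Return a list of dicts {hash, subject, author, cves}, one per entry."""
    entries = []
    for raw in SPLIT_RE.split(text.strip()):
        m = ENTRY_RE.match(raw)
        if not m:
            raise ValueError("unparseable changelog entry: %r" % raw)
        sha, subject, author = m.groups()
        entries.append({"hash": sha, "subject": subject, "author": author,
                        "cves": CVE_RE.findall(subject)})
    return entries


def commits_by_cve(entries):
    """Map each CVE id to the hashes of the commits whose subject names it."""
    by_cve = {}
    for e in entries:
        for cve in e["cves"]:
            by_cve.setdefault(cve, []).append(e["hash"])
    return by_cve


def ancestor_checks(entries):
    """Shell commands that verify, inside a qemu.git checkout, that each
    CVE-tagged commit is merged into HEAD (exit status 0 means present).
    This is the reliable test; a version number alone is not."""
    return ["git merge-base --is-ancestor %s HEAD" % e["hash"]
            for e in entries if e["cves"]]


def parse_version(banner):
    """Extract (major, minor, micro) from a `qemu-system-* --version` banner
    such as 'QEMU emulator version 2.3.0, Copyright (c) 2003-2015 ...'."""
    m = re.search(r"version (\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        raise ValueError("no version in banner: %r" % banner)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def needs_upgrade(version):
    """Apply the announcement's advice: an upstream 2.3.0 build should move to
    2.3.1 or 2.4.0. Returns True for 2.3.0, False for 2.3.1+ and 2.4.0+, and
    None for releases older than 2.3, which this announcement does not cover."""
    if version < (2, 3, 0):
        return None
    return version < (2, 3, 1)


if __name__ == "__main__":
    entries = parse_changelog(SAMPLE_CHANGELOG)
    for cve, hashes in sorted(commits_by_cve(entries).items()):
        print(cve, " ".join(hashes))
    for cmd in ancestor_checks(entries):
        print(cmd)
    # Constructed sample banner for a 2.3.0 build.
    banner = "QEMU emulator version 2.3.0, Copyright (c) 2003-2015 Fabrice Bellard"
    print(needs_upgrade(parse_version(banner)))
```

The version check is only a first pass: distribution packages routinely backport security commits without bumping the upstream version, so a binary reporting 2.3.0 may already contain these fixes. For a packaged build, search the package changelog for the CVE ids (for example `rpm -q --changelog qemu-kvm | grep CVE-2015-5165`); for a source build, run the generated `git merge-base --is-ancestor` commands against the checkout that produced the binary.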