7.5 - GLSA-201408-17

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Summary
Title	QEMU: Multiple vulnerabilities

Informations
Name	GLSA-201408-17	First vendor Publication	2014-08-30
Vendor	Gentoo	Last vendor Modification	2014-08-30
Severity (Vendor)	High	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score	7.5	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

Multiple vulnerabilities have been found in QEMU, worst of which allows local attackers to execute arbitrary code.

Background

QEMU is a generic and open source machine emulator and virtualizer.

Description

Multiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details.

Impact

A local attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All QEMU users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/qemu-2.0.0-r1"

References

[ 1 ] CVE-2013-4544 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4544
[ 2 ] CVE-2014-0142 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0142
[ 3 ] CVE-2014-0143 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0143
[ 4 ] CVE-2014-0144 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0144
[ 5 ] CVE-2014-0145 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0145
[ 6 ] CVE-2014-0146 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0146
[ 7 ] CVE-2014-0147 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0147
[ 8 ] CVE-2014-0150 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0150
[ 9 ] CVE-2014-0222 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0222
[ 10 ] CVE-2014-0223 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0223
[ 11 ] CVE-2014-2894 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2894
[ 12 ] CVE-2014-3461 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3461

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201408-17.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-201408-17.xml

CWE : Common Weakness Enumeration

%	Id	Name
40 %	CWE-189	Numeric Errors (CWE/SANS Top 25)
20 %	CWE-119	Failure to Constrain Operations within the Bounds of a Memory Buffer
10 %	CWE-476	NULL Pointer Dereference
10 %	CWE-369	Divide By Zero
10 %	CWE-190	Integer Overflow or Wraparound (CWE/SANS Top 25)
10 %	CWE-20	Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:23845

Oval ID:	oval:org.mitre.oval:def:23845
Title:	ELSA-2014:0420: qemu-kvm security update (Moderate)
Description:	KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0147) A buffer overflow flaw was found in the way the virtio_net_handle_mac() function of QEMU processed guest requests to update the table of MAC addresses. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0150) A divide-by-zero flaw was found in the seek_to_sector() function of the parallels block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest. (CVE-2014-0142) A NULL pointer dereference flaw was found in the QCOW2 block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest. (CVE-2014-0146) It was found that the block driver for Hyper-V VHDX images did not correctly calculate BAT (Block Allocation Table) entries due to a missing bounds check. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest. (CVE-2014-0148) The CVE-2014-0143 issues were discovered by Kevin Wolf and Stefan Hajnoczi of Red Hat, the CVE-2014-0144 issues were discovered by Fam Zheng, Jeff Cody, Kevin Wolf, and Stefan Hajnoczi of Red Hat, the CVE-2014-0145 issues were discovered by Stefan Hajnoczi of Red Hat, the CVE-2014-0150 issue was discovered by Michael S. Tsirkin of Red Hat, the CVE-2014-0142, CVE-2014-0146, and CVE-2014-0147 issues were discovered by Kevin Wolf of Red Hat, and the CVE-2014-0148 issue was discovered by Jeff Cody of Red Hat. All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Family:	unix	Class:	patch
Reference(s):	ELSA-2014:0420-00 CVE-2014-0142 CVE-2014-0143 CVE-2014-0144 CVE-2014-0145 CVE-2014-0146 CVE-2014-0147 CVE-2014-0148 CVE-2014-0150	Version:	5
Platform(s):	Oracle Linux 6	Product(s):	qemu-kvm
Definition Synopsis:
Oracle Linux 6.x rpm test qemu-kvm-tools is earlier than 2:0.12.1.2-2.415.el6_5.8 AND qemu-guest-agent is earlier than 2:0.12.1.2-2.415.el6_5.8 AND qemu-img is earlier than 2:0.12.1.2-2.415.el6_5.8 AND qemu-kvm is earlier than 2:0.12.1.2-2.415.el6_5.8

Definition Id: oval:org.mitre.oval:def:24016

Oval ID:	oval:org.mitre.oval:def:24016
Title:	USN-2182-1 -- qemu, qemu-kvm vulnerabilities
Description:	Several security issues were fixed in QEMU.
Family:	unix	Class:	patch
Reference(s):	USN-2182-1 CVE-2013-4544 CVE-2014-0150 CVE-2014-2894	Version:	5
Platform(s):	Ubuntu 14.04 Ubuntu 13.10 Ubuntu 12.10 Ubuntu 12.04 Ubuntu 10.04	Product(s):	qemu qemu-kvm
Definition Synopsis:
Ubuntu 14.04 release section Ubuntu 14.04 is installed Packages match section qemu-system DPKG is earlier than 0:2.0.0~rc1+dfsg-0ubuntu3.1 AND qemu-system-aarch64 DPKG is earlier than 0:2.0.0~rc1+dfsg-0ubuntu3.1 AND qemu-system-arm DPKG is earlier than 0:2.0.0~rc1+dfsg-0ubuntu3.1 AND qemu-system-mips DPKG is earlier than 0:2.0.0~rc1+dfsg-0ubuntu3.1 AND qemu-system-misc DPKG is earlier than 0:2.0.0~rc1+dfsg-0ubuntu3.1 AND qemu-system-ppc DPKG is earlier than 0:2.0.0~rc1+dfsg-0ubuntu3.1 AND qemu-system-sparc DPKG is earlier than 0:2.0.0~rc1+dfsg-0ubuntu3.1 AND qemu-system-x86 DPKG is earlier than 0:2.0.0~rc1+dfsg-0ubuntu3.1 AND Ubuntu 13.10 release section Ubuntu 13.10 is installed Packages match section qemu-system DPKG is earlier than 0:1.5.0+dfsg-3ubuntu5.4 AND qemu-system-arm DPKG is earlier than 0:1.5.0+dfsg-3ubuntu5.4 AND qemu-system-mips DPKG is earlier than 0:1.5.0+dfsg-3ubuntu5.4 AND qemu-system-misc DPKG is earlier than 0:1.5.0+dfsg-3ubuntu5.4 AND qemu-system-ppc DPKG is earlier than 0:1.5.0+dfsg-3ubuntu5.4 AND qemu-system-sparc DPKG is earlier than 0:1.5.0+dfsg-3ubuntu5.4 AND qemu-system-x86 DPKG is earlier than 0:1.5.0+dfsg-3ubuntu5.4 AND Ubuntu 12.10 release section Ubuntu 12.10 is installed AND qemu-kvm DPKG is earlier than 0:1.2.0+noroms-0ubuntu2.12.10.7 AND Ubuntu 12.04 release section Ubuntu 12.04 is installed AND qemu-kvm DPKG is earlier than 0:1.0+noroms-0ubuntu14.14 AND Ubuntu 10.04 release section Ubuntu 10.04 is installed AND qemu-kvm DPKG is earlier than 0:0.12.3+noroms-0ubuntu9.22

Definition Id: oval:org.mitre.oval:def:24104

Oval ID:	oval:org.mitre.oval:def:24104
Title:	RHSA-2014:0420: qemu-kvm security update (Moderate)
Description:	KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0147) A buffer overflow flaw was found in the way the virtio_net_handle_mac() function of QEMU processed guest requests to update the table of MAC addresses. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0150) A divide-by-zero flaw was found in the seek_to_sector() function of the parallels block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest. (CVE-2014-0142) A NULL pointer dereference flaw was found in the QCOW2 block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest. (CVE-2014-0146) It was found that the block driver for Hyper-V VHDX images did not correctly calculate BAT (Block Allocation Table) entries due to a missing bounds check. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest. (CVE-2014-0148) The CVE-2014-0143 issues were discovered by Kevin Wolf and Stefan Hajnoczi of Red Hat, the CVE-2014-0144 issues were discovered by Fam Zheng, Jeff Cody, Kevin Wolf, and Stefan Hajnoczi of Red Hat, the CVE-2014-0145 issues were discovered by Stefan Hajnoczi of Red Hat, the CVE-2014-0150 issue was discovered by Michael S. Tsirkin of Red Hat, the CVE-2014-0142, CVE-2014-0146, and CVE-2014-0147 issues were discovered by Kevin Wolf of Red Hat, and the CVE-2014-0148 issue was discovered by Jeff Cody of Red Hat. All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Family:	unix	Class:	patch
Reference(s):	RHSA-2014:0420-00 CESA-2014:0420 CVE-2014-0142 CVE-2014-0143 CVE-2014-0144 CVE-2014-0145 CVE-2014-0146 CVE-2014-0147 CVE-2014-0148 CVE-2014-0150	Version:	3
Platform(s):	Red Hat Enterprise Linux 6 CentOS Linux 6	Product(s):	qemu-kvm
Definition Synopsis:
Redhat 6 or Centos 6 release The operating system installed on the system is Red Hat Enterprise Linux 6 AND The operating system installed on the system is CentOS Linux 6.x Packages section qemu-kvm-tools is earlier than 2:0.12.1.2-2.415.el6_5.8 AND qemu-guest-agent is earlier than 2:0.12.1.2-2.415.el6_5.8 AND qemu-img is earlier than 2:0.12.1.2-2.415.el6_5.8 AND qemu-kvm is earlier than 2:0.12.1.2-2.415.el6_5.8

Definition Id: oval:org.mitre.oval:def:24231

Oval ID:	oval:org.mitre.oval:def:24231
Title:	DSA-2909-1 qemu - security update
Description:	Michael S. Tsirkin of Red Hat discovered a buffer overflow flaw in the way qemu processed MAC addresses table update requests from the guest.
Family:	unix	Class:	patch
Reference(s):	DSA-2909-1 CVE-2014-0150	Version:	5
Platform(s):	Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7	Product(s):	qemu
Definition Synopsis:
Debian 6.0 release section Debian 6.0 is installed GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND qemu DPKG is earlier than 0:0.12.5+dfsg-3squeeze4 AND Debian 7.x release section Debian 7 is installed GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND qemu DPKG is earlier than 0:1.1.2+dfsg-6a+deb7u1

Definition Id: oval:org.mitre.oval:def:24717

Oval ID:	oval:org.mitre.oval:def:24717
Title:	DSA-2910-1 qemu-kvm - security update
Description:	Michael S. Tsirkin of Red Hat discovered a buffer overflow flaw in the way qemu processed MAC addresses table update requests from the guest.
Family:	unix	Class:	patch
Reference(s):	DSA-2910-1 CVE-2014-0150	Version:	5
Platform(s):	Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7	Product(s):	qemu-kvm
Definition Synopsis:
Debian 6.0 release section Debian 6.0 is installed GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND qemu-kvm DPKG is earlier than 0:0.12.5+dfsg-5+squeeze11 AND Debian 7.x release section Debian 7 is installed GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND qemu-kvm DPKG is earlier than 0:1.1.2+dfsg-6+deb7u1

Definition Id: oval:org.mitre.oval:def:24919

Oval ID:	oval:org.mitre.oval:def:24919
Title:	ELSA-2014:0743: qemu-kvm security and bug fix update (Moderate)
Description:	KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way the virtio, virtio-net, virtio-scsi, and usb drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) An out-of-bounds memory access flaw was found in the way QEMU's IDE device driver handled the execution of SMART EXECUTE OFFLINE commands. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-2894) The CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, and CVE-2014-3461 issues were discovered by Michael S. Tsirkin of Red Hat, Anthony Liguori, and Michael Roth. This update also fixes the following bugs: * Previously, under certain circumstances, libvirt failed to start guests which used a non-zero PCI domain and SR-IOV Virtual Functions (VFs), and returned the following error message: Can't assign device inside non-zero PCI segment as this KVM module doesn't support it. This update fixes this issue and guests using the aforementioned configuration no longer fail to start. (BZ#1099941) * Due to an incorrect initialization of the cpus_sts bitmap, which holds the enablement status of a vCPU, libvirt could fail to start a guest with an unusual vCPU topology (for example, a guest with three cores and two sockets). With this update, the initialization of cpus_sts has been corrected, and libvirt no longer fails to start the aforementioned guests. (BZ#1100575) All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Family:	unix	Class:	patch
Reference(s):	ELSA-2014:0743-00 CVE-2013-4148 CVE-2013-4151 CVE-2013-4535 CVE-2013-4536 CVE-2013-4541 CVE-2013-4542 CVE-2013-6399 CVE-2014-0182 CVE-2014-2894 CVE-2014-3461	Version:	4
Platform(s):	Oracle Linux 6	Product(s):	qemu-kvm
Definition Synopsis:
Oracle Linux 6.x rpm test qemu-guest-agent is earlier than 2:0.12.1.2-2.415.el6_5.10 AND qemu-kvm-tools is earlier than 2:0.12.1.2-2.415.el6_5.10 AND qemu-kvm is earlier than 2:0.12.1.2-2.415.el6_5.10 AND qemu-img is earlier than 2:0.12.1.2-2.415.el6_5.10

Definition Id: oval:org.mitre.oval:def:25072

Oval ID:	oval:org.mitre.oval:def:25072
Title:	RHSA-2014:0704: qemu-kvm security and bug fix update (Moderate)
Description:	KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide a user-space component to run virtual machines using KVM. An out-of-bounds memory access flaw was found in the way QEMU's IDE device driver handled the execution of SMART EXECUTE OFFLINE commands. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-2894) This update also fixes the following bugs: * Prior to this update, a bug in the migration code caused the following error on specific machine types: after a Red Hat Enterprise Linux 6.5 guest was migrated from a Red Hat Enterprise Linux 6.5 host to a Red Hat Enterprise Linux 7.0 host and then restarted, the boot failed and the guest automatically restarted. Thus, the guest entered an endless loop. With this update, the migration code has been fixed and the Red Hat Enterprise Linux 6.5 guests migrated in the aforementioned scenario now boot properly. (BZ#1091322) * Due to a regression bug in the iSCSI driver, the qemu-kvm process terminated unexpectedly with a segmentation fault when the "write same" command was executed in guest mode under the iSCSI protocol. This update fixes the regression and the "write same" command now functions in guest mode under iSCSI as intended. (BZ#1090978) * Due to a mismatch in interrupt request (IRQ) routing, migration of a Red Hat Enterprise Linux 6.5 guest from a Red Hat Enterprise Linux 6.5 host to a Red Hat Enterprise Linux 7.0 host could produce a call trace. This happened if memory ballooning and a Universal Host Control Interface (UHCI) device were used at the same time on certain machine types. With this patch, the IRQ routing mismatch has been amended and the described migration now proceeds as expected. (BZ#1090981) * Previously, an internal error prevented KVM from executing a CPU hot plug on a Red Hat Enterprise Linux 7 guest running on a Red Hat Enterprise Linux 7 host. This update addresses the internal error and CPU hot plugging in the described scenario now functions correctly. (BZ#1094820) All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Family:	unix	Class:	patch
Reference(s):	RHSA-2014:0704-00 CVE-2014-2894	Version:	4
Platform(s):	Red Hat Enterprise Linux 7 CentOS Linux 7	Product(s):	qemu-kvm
Definition Synopsis:
RHEL 7 The operating system installed on the system is Red Hat Enterprise Linux 7 AND Packages section libcacard is earlier than 10:1.5.3-60.el7_0.2 AND qemu-kvm-tools is earlier than 10:1.5.3-60.el7_0.2 AND libcacard-tools is earlier than 10:1.5.3-60.el7_0.2 AND qemu-guest-agent is earlier than 10:1.5.3-60.el7_0.2 AND qemu-kvm-common is earlier than 10:1.5.3-60.el7_0.2 AND libcacard-devel is earlier than 10:1.5.3-60.el7_0.2 AND qemu-kvm is earlier than 10:1.5.3-60.el7_0.2 AND qemu-img is earlier than 10:1.5.3-60.el7_0.2 OR CentOS 7 The operating system installed on the system is CentOS Linux 7.x AND qemu-kvm is earlier than 10:1.5.3-60.el7_0.2

Definition Id: oval:org.mitre.oval:def:25091

Oval ID:	oval:org.mitre.oval:def:25091
Title:	RHSA-2014:0927: qemu-kvm security and bug fix update (Moderate)
Description:	KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223) Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way virtio, virtio-net, virtio-scsi, usb, and hpet drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4527, CVE-2013-4529, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) These issues were discovered by Michael S. Tsirkin, Anthony Liguori and Michael Roth of Red Hat: CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4527, CVE-2013-4529, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, and CVE-2014-3461.
Family:	unix	Class:	patch
Reference(s):	RHSA-2014:0927-01 CVE-2013-4148 CVE-2013-4149 CVE-2013-4150 CVE-2013-4151 CVE-2013-4527 CVE-2013-4529 CVE-2013-4535 CVE-2013-4536 CVE-2013-4541 CVE-2013-4542 CVE-2013-6399 CVE-2014-0182 CVE-2014-0222 CVE-2014-0223 CVE-2014-3461 CESA-2014:0927	Version:	5
Platform(s):	Red Hat Enterprise Linux 7 CentOS Linux 7	Product(s):	qemu-kvm
Definition Synopsis:
Red Hat Enterprise Linux 7 and CentOS Linux 7 release section Operation system section The operating system installed on the system is Red Hat Enterprise Linux 7 AND The operating system installed on the system is CentOS Linux 7.x Packages match section libcacard is earlier than 10:1.5.3-60.el7_0.5 AND libcacard-devel is earlier than 10:1.5.3-60.el7_0.5 AND libcacard-tools is earlier than 10:1.5.3-60.el7_0.5 AND qemu-guest-agent is earlier than 10:1.5.3-60.el7_0.5 AND qemu-img is earlier than 10:1.5.3-60.el7_0.5 AND qemu-kvm is earlier than 10:1.5.3-60.el7_0.5 AND qemu-kvm-common is earlier than 10:1.5.3-60.el7_0.5 AND qemu-kvm-tools is earlier than 10:1.5.3-60.el7_0.5 AND Red Hat Enterprise Linux 7 release section The operating system installed on the system is Red Hat Enterprise Linux 7 AND qemu-kvm-debuginfo is earlier than 10:1.5.3-60.el7_0.5

Definition Id: oval:org.mitre.oval:def:25125

Oval ID:	oval:org.mitre.oval:def:25125
Title:	RHSA-2014:0743: qemu-kvm security and bug fix update (Moderate)
Description:	KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way the virtio, virtio-net, virtio-scsi, and usb drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) An out-of-bounds memory access flaw was found in the way QEMU's IDE device driver handled the execution of SMART EXECUTE OFFLINE commands. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-2894) The CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, and CVE-2014-3461 issues were discovered by Michael S. Tsirkin of Red Hat, Anthony Liguori, and Michael Roth. This update also fixes the following bugs: * Previously, under certain circumstances, libvirt failed to start guests which used a non-zero PCI domain and SR-IOV Virtual Functions (VFs), and returned the following error message: Can't assign device inside non-zero PCI segment as this KVM module doesn't support it. This update fixes this issue and guests using the aforementioned configuration no longer fail to start. (BZ#1099941) * Due to an incorrect initialization of the cpus_sts bitmap, which holds the enablement status of a vCPU, libvirt could fail to start a guest with an unusual vCPU topology (for example, a guest with three cores and two sockets). With this update, the initialization of cpus_sts has been corrected, and libvirt no longer fails to start the aforementioned guests. (BZ#1100575) All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Family:	unix	Class:	patch
Reference(s):	RHSA-2014:0743-00 CESA-2014:0743 CVE-2013-4148 CVE-2013-4151 CVE-2013-4535 CVE-2013-4536 CVE-2013-4541 CVE-2013-4542 CVE-2013-6399 CVE-2014-0182 CVE-2014-2894 CVE-2014-3461	Version:	3
Platform(s):	Red Hat Enterprise Linux 6 CentOS Linux 6	Product(s):	qemu-kvm
Definition Synopsis:
Redhat 6 or Centos 6 release The operating system installed on the system is Red Hat Enterprise Linux 6 AND The operating system installed on the system is CentOS Linux 6.x Packages section qemu-guest-agent is earlier than 2:0.12.1.2-2.415.el6_5.10 AND qemu-kvm-tools is earlier than 2:0.12.1.2-2.415.el6_5.10 AND qemu-kvm is earlier than 2:0.12.1.2-2.415.el6_5.10 AND qemu-img is earlier than 2:0.12.1.2-2.415.el6_5.10

Definition Id: oval:org.mitre.oval:def:25155

Oval ID:	oval:org.mitre.oval:def:25155
Title:	RHSA-2014:0426: qemu-kvm security update (Moderate)
Description:	KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM. ... All users of qemu-kvm should upgrade to these updated packages, which contain backported patches to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Family:	unix	Class:	patch
Reference(s):	RHSA-2014:0426-00 CVE-2014-0142 CVE-2014-0143 CVE-2014-0144 CVE-2014-0145 CVE-2014-0146 CVE-2014-0147 CVE-2014-0148 CVE-2014-0150	Version:	3
Platform(s):	Red Hat Enterprise Linux 6	Product(s):
Definition Synopsis:
The operating system installed on the system is Red Hat Enterprise Linux 6 Packages section qemu-guest-agent is earlier than 2:0.12.1.2-2.415.el6_5.8 AND qemu-img is earlier than 2:0.12.1.2-2.415.el6_5.8 AND qemu-kvm is earlier than 2:0.12.1.2-2.415.el6_5.8 AND qemu-kvm-tools is earlier than 2:0.12.1.2-2.415.el6_5.8

Definition Id: oval:org.mitre.oval:def:25200

Oval ID:	oval:org.mitre.oval:def:25200
Title:	ELSA-2014:0426: qemu-kvm security update (Moderate)
Description:	KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM. ... All users of qemu-kvm should upgrade to these updated packages, which contain backported patches to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Family:	unix	Class:	patch
Reference(s):	ELSA-2014:0426-00 CVE-2014-0142 CVE-2014-0143 CVE-2014-0144 CVE-2014-0145 CVE-2014-0146 CVE-2014-0147 CVE-2014-0148 CVE-2014-0150	Version:	4
Platform(s):	Oracle Linux 6	Product(s):	qemu qemu-kvm
Definition Synopsis:
Oracle Linux 6.x rpm test qemu-guest-agent is earlier than 2:0.12.1.2-2.415.el6_5.8 AND qemu-img is earlier than 2:0.12.1.2-2.415.el6_5.8 AND qemu-kvm is earlier than 2:0.12.1.2-2.415.el6_5.8 AND qemu-kvm-tools is earlier than 2:0.12.1.2-2.415.el6_5.8

Definition Id: oval:org.mitre.oval:def:26667

Oval ID:	oval:org.mitre.oval:def:26667
Title:	RHSA-2014:1075: qemu-kvm security and bug fix update (Moderate)
Description:	KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM.
Family:	unix	Class:	patch
Reference(s):	RHSA-2014:1075-00 CESA-2014:1075 CVE-2014-0222 CVE-2014-0223	Version:	3
Platform(s):	Red Hat Enterprise Linux 6 CentOS Linux 6	Product(s):	qemu-kvm
Definition Synopsis:
Redhat 6 or Centos 6 release The operating system installed on the system is Red Hat Enterprise Linux 6 AND The operating system installed on the system is CentOS Linux 6.x Packages section qemu-guest-agent is earlier than 2:0.12.1.2-2.415.el6_5.14 AND qemu-img is earlier than 2:0.12.1.2-2.415.el6_5.14 AND qemu-kvm is earlier than 2:0.12.1.2-2.415.el6_5.14 AND qemu-kvm-tools is earlier than 2:0.12.1.2-2.415.el6_5.14

Definition Id: oval:org.mitre.oval:def:26880

Oval ID:	oval:org.mitre.oval:def:26880
Title:	ELSA-2014-1075 -- qemu-kvm security and bug fix update (moderate)
Description:	[0.12.1.2-2.415.el6_5.14] - The commit for zrelease .13 was incomplete; the changes to qemu-kvm.spec did not include the '%patchNNNN -p1' lines for patches 4647 through 4655; so although the patch files themselves were committed, the srpm build did not pick them up. In addition, the commit log did not describe the patches. This commit corrects these problems and bumps the zrelease to .14.
Family:	unix	Class:	patch
Reference(s):	ELSA-2014-1075 CVE-2014-0222 CVE-2014-0223	Version:	5
Platform(s):	Oracle Linux 6	Product(s):	qemu-kvm
Definition Synopsis:
Oracle Linux 6.x Packages match section qemu-kvm is earlier than 2:0.12.1.2-2.415.el6_5.14 AND qemu-guest-agent is earlier than 2:0.12.1.2-2.415.el6_5.14

Definition Id: oval:org.mitre.oval:def:26937

Oval ID:	oval:org.mitre.oval:def:26937
Title:	DEPRECATED: ELSA-2014-0743 -- qemu-kvm security and bug fix update (moderate)
Description:	[0.12.1.2-2.415.el6_5.10] - kvm-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch [bz#1095692] - kvm-usb-sanity-check-setup_index-setup_len-in-post_load.patch [bz#1095743] - kvm-usb-sanity-check-setup_index-setup_len-in-post_load-2.patch [bz#1095743] - kvm-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch [bz#1095739] - kvm-virtio-avoid-buffer-overrun-on-incoming-migration.patch [bz#1095735] - kvm-virtio-validate-num_sg-when-mapping.patch [bz#1095763 bz#1096124] - kvm-virtio-allow-mapping-up-to-max-queue-size.patch [bz#1095763 bz#1096124] - kvm-enable-PCI-multiple-segments-for-pass-through-device.patch [bz#1099941] - kvm-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch [bz#1095675] - kvm-virtio-validate-config_len-on-load.patch [bz#1095779] - kvm-usb-fix-up-post-load-checks.patch [bz#1096825] - kvm-CPU-hotplug-use-apic_id_for_cpu-round-2-RHEL-6-only.patch [bz#1100575] [0.12.1.2-2.415.el6_5.9] - kvm-ide-Correct-improper-smart-self-test-counter-reset-i.patch [bz#1087978] - Resolves: bz#1087978 (CVE-2014-2894 qemu-kvm: QEMU: out of bounds buffer accesses, guest triggerable via IDE SMART [rhel-6.5.z])
Family:	unix	Class:	patch
Reference(s):	ELSA-2014-0743 CVE-2013-4148 CVE-2013-4151 CVE-2013-4535 CVE-2013-4536 CVE-2013-4541 CVE-2013-4542 CVE-2013-6399 CVE-2014-0182 CVE-2014-2894 CVE-2014-3461	Version:	5
Platform(s):	Oracle Linux 6	Product(s):	qemu-kvm
Definition Synopsis:
Oracle Linux 6.x Packages match section qemu-kvm is earlier than 2:0.12.1.2-2.415.el6_5.10 AND qemu-guest-agent is earlier than 2:0.12.1.2-2.415.el6_5.10

Definition Id: oval:org.mitre.oval:def:27143

Oval ID:	oval:org.mitre.oval:def:27143
Title:	SUSE-SU-2014:1278-1 -- Security update for kvm
Description:	kvm has been updated to fix issues in the embedded qemu: * CVE-2014-0223: An integer overflow flaw was found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could have used this flaw to corrupt QEMU process memory on the host, which could potentially have resulted in arbitrary code execution on the host with the privileges of the QEMU process. * CVE-2014-3461: A user able to alter the savevm data (either on the disk or over the wire during migration) could have used this flaw to to corrupt QEMU process memory on the (destination) host, which could have potentially resulted in arbitrary code execution on the host with the privileges of the QEMU process. * CVE-2014-0222: An integer overflow flaw was found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could have used this flaw to corrupt QEMU process memory on the host, which could have potentially resulted in arbitrary code execution on the host with the privileges of the QEMU process. Non-security bugs fixed: * Fix exceeding IRQ routes that could have caused freezes of guests. (bnc#876842) * Fix CPUID emulation bugs that may have broken Windows guests with newer -cpu types (bnc#886535) Security Issues: * CVE-2014-0222 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0222> * CVE-2014-0223 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0223> * CVE-2014-3461 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3461>
Family:	unix	Class:	patch
Reference(s):	SUSE-SU-2014:1278-1 CVE-2014-0223 CVE-2014-3461 CVE-2014-0222	Version:	3
Platform(s):	SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11	Product(s):	kvm
Definition Synopsis:
Operation system section SUSE Linux Enterprise Server 11.x is installed AND SUSE Linux Enterprise Desktop 11.x is installed AND kvm RPM is earlier than 0:1.4.2-0.17.1

Definition Id: oval:org.mitre.oval:def:27160

Oval ID:	oval:org.mitre.oval:def:27160
Title:	ELSA-2014-0927 -- qemu-kvm security and bug fix update (moderate)
Description:	[1.5.3-60.el7_0.5] - kvm-Allow-mismatched-virtio-config-len.patch [bz#1095782] - Resolves: bz#1095782 (CVE-2014-0182 qemu-kvm: qemu: virtio: out-of-bounds buffer write on state load with invalid config_len [rhel-7.0.z])
Family:	unix	Class:	patch
Reference(s):	ELSA-2014-0927 CVE-2013-4148 CVE-2013-4151 CVE-2013-4535 CVE-2013-4536 CVE-2013-4541 CVE-2013-4542 CVE-2013-6399 CVE-2014-0182 CVE-2014-3461 CVE-2013-4149 CVE-2013-4150 CVE-2013-4527 CVE-2013-4529 CVE-2014-0222 CVE-2014-0223	Version:	5
Platform(s):	Oracle Linux 7	Product(s):	qemu-kvm
Definition Synopsis:
Oracle Linux 7.x Packages match section qemu-kvm is earlier than 10:1.5.3-60.el7_0.5 AND libcacard is earlier than 10:1.5.3-60.el7_0.5 AND libcacard-devel is earlier than 10:1.5.3-60.el7_0.5 AND libcacard-tools is earlier than 10:1.5.3-60.el7_0.5 AND qemu-guest-agent is earlier than 10:1.5.3-60.el7_0.5 AND qemu-img is earlier than 10:1.5.3-60.el7_0.5 AND qemu-kvm-common is earlier than 10:1.5.3-60.el7_0.5 AND qemu-kvm-tools is earlier than 10:1.5.3-60.el7_0.5

Definition Id: oval:org.mitre.oval:def:27247

Oval ID:	oval:org.mitre.oval:def:27247
Title:	ELSA-2014-0704 -- qemu-kvm security and bug fix update (moderate)
Description:	[1.5.3-60.el7_0.2] - kvm-pc-add-hot_add_cpu-callback-to-all-machine-types.patch [bz#1094820] - Resolves: bz#1094820 (Hot plug CPU not working with RHEL6 machine types running on RHEL7 host.) [1.5.3-60.el7_0.1] - kvm-iscsi-fix-indentation.patch [bz#1090978] - kvm-iscsi-correctly-propagate-errors-in-iscsi_open.patch [bz#1090978] - kvm-block-iscsi-query-for-supported-VPD-pages.patch [bz#1090978] - kvm-block-iscsi-fix-segfault-if-writesame-fails.patch [bz#1090978] - kvm-iscsi-recognize-invalid-field-ASCQ-from-WRITE-SAME-c.patch [bz#1090978] - kvm-iscsi-ignore-flushes-on-scsi-generic-devices.patch [bz#1090978] - kvm-iscsi-always-query-max-WRITE-SAME-length.patch [bz#1090978] - kvm-iscsi-Don-t-set-error-if-already-set-in-iscsi_do_inq.patch [bz#1090978] - kvm-iscsi-Remember-to-set-ret-for-iscsi_open-in-error-ca.patch [bz#1090978] - kvm-qemu_loadvm_state-shadow-SeaBIOS-for-VM-incoming-fro.patch [1091322] - kvm-uhci-UNfix-irq-routing-for-RHEL-6-machtypes-RHEL-onl.patch [bz#1090981] - kvm-ide-Correct-improper-smart-self-test-counter-reset-i.patch [bz#1093612] - Resolves: bz#1091322 (fail to reboot guest after migration from RHEL6.5 host to RHEL7.0 host) - Resolves: bz#1090981 (Guest hits call trace migrate from RHEL6.5 to RHEL7.0 host with -M 6.1 & balloon & uhci device) - Resolves: bz#1090978 (qemu-kvm: iSCSI: Failure. SENSE KEY:ILLEGAL_REQUEST(5) ASCQ:INVALID_FIELD_IN_CDB(0x2400)) - Resolves: bz#1093612 (CVE-2014-2894 qemu-kvm: QEMU: out of bounds buffer accesses, guest triggerable via IDE SMART [rhel-7.0.z])
Family:	unix	Class:	patch
Reference(s):	ELSA-2014-0704 CVE-2014-2894	Version:	5
Platform(s):	Oracle Linux 7	Product(s):	qemu-kvm
Definition Synopsis:
Oracle Linux 7.x Packages match section qemu-kvm is earlier than 10:1.5.3-60.el7_0.2 AND libcacard is earlier than 10:1.5.3-60.el7_0.2 AND libcacard-devel is earlier than 10:1.5.3-60.el7_0.2 AND libcacard-tools is earlier than 10:1.5.3-60.el7_0.2 AND qemu-guest-agent is earlier than 10:1.5.3-60.el7_0.2 AND qemu-img is earlier than 10:1.5.3-60.el7_0.2 AND qemu-kvm-common is earlier than 10:1.5.3-60.el7_0.2 AND qemu-kvm-tools is earlier than 10:1.5.3-60.el7_0.2

CPE : Common Platform Enumeration

Type	Description	Count
Application	Qemu cpe:2.3:a:qemu:qemu:2.0.0:rc0:::::: cpe:2.3:a:qemu:qemu:2.0.0:rc2:::::: cpe:2.3:a:qemu:qemu:2.0.0:rc3:::::: cpe:2.3:a:qemu:qemu:2.0.0:rc1:::::: cpe:2.3:a:qemu:qemu:2.0.0:-:::::: cpe:2.3:a:qemu:qemu:1.7.1:::::::* cpe:2.3:a:qemu:qemu:1.6.2:::::::* cpe:2.3:a:qemu:qemu:1.6.1:::::::* cpe:2.3:a:qemu:qemu:1.6.0:rc3:::::: cpe:2.3:a:qemu:qemu:1.6.0:rc2:::::: cpe:2.3:a:qemu:qemu:1.6.0:rc1:::::: cpe:2.3:a:qemu:qemu:1.6.0:-:::::: cpe:2.3:a:qemu:qemu:1.5.3:::::::* cpe:2.3:a:qemu:qemu:1.5.2:::::::* cpe:2.3:a:qemu:qemu:1.5.1:::::::* cpe:2.3:a:qemu:qemu:1.5.0:rc1:::::: cpe:2.3:a:qemu:qemu:1.5.0:rc2:::::: cpe:2.3:a:qemu:qemu:1.5.0:-:::::: cpe:2.3:a:qemu:qemu:1.5.0:rc3:::::: cpe:2.3:a:qemu:qemu:1.4.2:::::::* cpe:2.3:a:qemu:qemu:1.4.1:::::::* cpe:2.3:a:qemu:qemu:1.4.0:-:::::: cpe:2.3:a:qemu:qemu:1.4.0:rc1:::::: cpe:2.3:a:qemu:qemu:1.4.0:rc0:::::: cpe:2.3:a:qemu:qemu:1.3.1:::::::* cpe:2.3:a:qemu:qemu:1.3.0:rc0:::::: cpe:2.3:a:qemu:qemu:1.3.0:rc2:::::: cpe:2.3:a:qemu:qemu:1.3.0:::::::* cpe:2.3:a:qemu:qemu:1.3.0:rc1:::::: cpe:2.3:a:qemu:qemu:1.2.2:::::::* cpe:2.3:a:qemu:qemu:1.2.1:::::::* cpe:2.3:a:qemu:qemu:1.2.0:rc1:::::: cpe:2.3:a:qemu:qemu:1.2.0:rc0:::::: cpe:2.3:a:qemu:qemu:1.2.0:-:::::: cpe:2.3:a:qemu:qemu:1.2.0:rc3:::::: cpe:2.3:a:qemu:qemu:1.2.0:rc2:::::: cpe:2.3:a:qemu:qemu:1.1.2:::::::* cpe:2.3:a:qemu:qemu:1.1.1:::::::* cpe:2.3:a:qemu:qemu:1.1:rc4:::::: cpe:2.3:a:qemu:qemu:1.1:rc1:::::: cpe:2.3:a:qemu:qemu:1.1:rc2:::::: cpe:2.3:a:qemu:qemu:1.1:rc3:::::: cpe:2.3:a:qemu:qemu:1.1:-:::::: cpe:2.3:a:qemu:qemu:1.0.1:::::::* cpe:2.3:a:qemu:qemu:1.0:rc3:::::: cpe:2.3:a:qemu:qemu:1.0:rc2:::::: cpe:2.3:a:qemu:qemu:1.0:rc1:::::: cpe:2.3:a:qemu:qemu:1.0:rc4:::::: cpe:2.3:a:qemu:qemu:1.0:-:::::: cpe:2.3:a:qemu:qemu:1:2.1+dfsg-12+deb8u6:::::::* cpe:2.3:a:qemu:qemu:1:2.8+dfsg-6+deb9u8:::::::* cpe:2.3:a:qemu:qemu:1:3.1+dfsg-8+deb10u2:::::::* cpe:2.3:a:qemu:qemu:1:3.1+dfsg-8~deb10u1:::::::* cpe:2.3:a:qemu:qemu:1:4.1-1:::::::* cpe:2.3:a:qemu:qemu:0.9.1-5:::::::* cpe:2.3:a:qemu:qemu:0.9.1:::::::* cpe:2.3:a:qemu:qemu:0.9.0:::::::* cpe:2.3:a:qemu:qemu:0.8.2:::::::* cpe:2.3:a:qemu:qemu:0.8.1:::::::* cpe:2.3:a:qemu:qemu:0.8.0:::::::* cpe:2.3:a:qemu:qemu:0.7.2:::::::* cpe:2.3:a:qemu:qemu:0.7.1:::::::* cpe:2.3:a:qemu:qemu:0.7.0:::::::* cpe:2.3:a:qemu:qemu:0.6.1:::::::* cpe:2.3:a:qemu:qemu:0.6.0:::::::* cpe:2.3:a:qemu:qemu:0.5.5:::::::* cpe:2.3:a:qemu:qemu:0.5.4:::::::* cpe:2.3:a:qemu:qemu:0.5.3:::::::* cpe:2.3:a:qemu:qemu:0.5.2:::::::* cpe:2.3:a:qemu:qemu:0.5.1:::::::* cpe:2.3:a:qemu:qemu:0.5.0:::::::* cpe:2.3:a:qemu:qemu:0.4.3:::::::* cpe:2.3:a:qemu:qemu:0.4.2:::::::* cpe:2.3:a:qemu:qemu:0.4.1:::::::* cpe:2.3:a:qemu:qemu:0.4.0:::::::* cpe:2.3:a:qemu:qemu:0.3.0:::::::* cpe:2.3:a:qemu:qemu:0.2.0:::::::* cpe:2.3:a:qemu:qemu:0.15.2:::::::* cpe:2.3:a:qemu:qemu:0.15.1:::::::* cpe:2.3:a:qemu:qemu:0.15.0:rc2:::::: cpe:2.3:a:qemu:qemu:0.15.0:rc1:::::: cpe:2.3:a:qemu:qemu:0.15.0:-:::::: cpe:2.3:a:qemu:qemu:0.14.1:::::::* cpe:2.3:a:qemu:qemu:0.14.0:-:::::: cpe:2.3:a:qemu:qemu:0.14.0:rc2:::::: cpe:2.3:a:qemu:qemu:0.14.0:rc1:::::: cpe:2.3:a:qemu:qemu:0.14.0:rc0:::::: cpe:2.3:a:qemu:qemu:0.13.0:-:::::: cpe:2.3:a:qemu:qemu:0.13.0:rc1:::::: cpe:2.3:a:qemu:qemu:0.13.0:rc0:::::: cpe:2.3:a:qemu:qemu:0.12.5:::::::* cpe:2.3:a:qemu:qemu:0.12.4:::::::* cpe:2.3:a:qemu:qemu:0.12.3:::::::* cpe:2.3:a:qemu:qemu:0.12.2:::::::* cpe:2.3:a:qemu:qemu:0.12.1:::::::* cpe:2.3:a:qemu:qemu:0.12.0:rc1:::::: cpe:2.3:a:qemu:qemu:0.12.0:-:::::: cpe:2.3:a:qemu:qemu:0.12.0:rc2:::::: cpe:2.3:a:qemu:qemu:0.11.1:::::::* cpe:2.3:a:qemu:qemu:0.11.0-rc2:::::::* cpe:2.3:a:qemu:qemu:0.11.0-rc1:::::::* cpe:2.3:a:qemu:qemu:0.11.0-rc0:::::::* cpe:2.3:a:qemu:qemu:0.11.0:rc1:::::: cpe:2.3:a:qemu:qemu:0.11.0:rc0:::::: cpe:2.3:a:qemu:qemu:0.11.0:rc2:::::: cpe:2.3:a:qemu:qemu:0.11.0:-:::::: cpe:2.3:a:qemu:qemu:0.10.6:::::::* cpe:2.3:a:qemu:qemu:0.10.5:::::::* cpe:2.3:a:qemu:qemu:0.10.4:::::::* cpe:2.3:a:qemu:qemu:0.10.3:::::::* cpe:2.3:a:qemu:qemu:0.10.2:::::::* cpe:2.3:a:qemu:qemu:0.10.1:::::::* cpe:2.3:a:qemu:qemu:0.10.0:::::::* cpe:2.3:a:qemu:qemu:0.1.6:::::::* cpe:2.3:a:qemu:qemu:0.1.5:::::::* cpe:2.3:a:qemu:qemu:0.1.4:::::::* cpe:2.3:a:qemu:qemu:0.1.3:::::::* cpe:2.3:a:qemu:qemu:0.1.2:::::::* cpe:2.3:a:qemu:qemu:0.1.1:::::::* cpe:2.3:a:qemu:qemu:0.1.0:::::::* cpe:2.3:a:qemu:qemu:::::::: cpe:2.3:a:qemu:qemu::r1::::::* cpe:2.3:a:qemu:qemu:-:::::::*	123
Os	Canonical Ubuntu Linux cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts::: cpe:2.3:o:canonical:ubuntu_linux:13.10:::::::* cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::* cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:::::* cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:::::*	5
Os	Redhat Enterprise Linux cpe:2.3:o:redhat:enterprise_linux:6.0:::::::*	1
Os	Suse Linux Enterprise Server cpe:2.3:o:suse:linux_enterprise_server:11.0:sp1::::::	1

Nessus® Vulnerability Scanner

Date	Description
2016-08-29	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2016-1745-1.nasl - Type : ACT_GATHER_INFO
2016-06-17	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2016-1445-1.nasl - Type : ACT_GATHER_INFO
2016-05-19	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2016-1318-1.nasl - Type : ACT_GATHER_INFO
2016-04-27	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2016-1154-1.nasl - Type : ACT_GATHER_INFO
2016-04-13	Name : The remote openSUSE host is missing a security update. File : openSUSE-2016-439.nasl - Type : ACT_GATHER_INFO
2016-04-07	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2016-0955-1.nasl - Type : ACT_GATHER_INFO
2016-04-01	Name : The remote openSUSE host is missing a security update. File : openSUSE-2016-413.nasl - Type : ACT_GATHER_INFO
2016-03-25	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2016-0873-1.nasl - Type : ACT_GATHER_INFO
2016-03-07	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2016-0658-1.nasl - Type : ACT_GATHER_INFO
2015-11-13	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-1952-1.nasl - Type : ACT_GATHER_INFO
2015-11-05	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-1894-1.nasl - Type : ACT_GATHER_INFO
2015-11-05	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-1908-1.nasl - Type : ACT_GATHER_INFO
2015-11-03	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-1853-1.nasl - Type : ACT_GATHER_INFO
2015-05-27	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-0929-1.nasl - Type : ACT_GATHER_INFO
2015-03-19	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-061.nasl - Type : ACT_GATHER_INFO
2014-12-15	Name : The remote Fedora host is missing a security update. File : fedora_2014-15951.nasl - Type : ACT_GATHER_INFO
2014-12-02	Name : The remote Fedora host is missing a security update. File : fedora_2014-15521.nasl - Type : ACT_GATHER_INFO
2014-12-02	Name : The remote Fedora host is missing a security update. File : fedora_2014-15503.nasl - Type : ACT_GATHER_INFO
2014-11-23	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-220.nasl - Type : ACT_GATHER_INFO
2014-11-08	Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2014-1168.nasl - Type : ACT_GATHER_INFO
2014-11-08	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1076.nasl - Type : ACT_GATHER_INFO
2014-11-08	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0744.nasl - Type : ACT_GATHER_INFO
2014-11-08	Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2014-0674.nasl - Type : ACT_GATHER_INFO
2014-11-08	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0421.nasl - Type : ACT_GATHER_INFO
2014-10-06	Name : The remote Debian host is missing a security-related update. File : debian_DSA-3045.nasl - Type : ACT_GATHER_INFO
2014-10-06	Name : The remote Debian host is missing a security-related update. File : debian_DSA-3044.nasl - Type : ACT_GATHER_INFO
2014-09-09	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2342-1.nasl - Type : ACT_GATHER_INFO
2014-08-30	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201408-17.nasl - Type : ACT_GATHER_INFO
2014-08-21	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-1075.nasl - Type : ACT_GATHER_INFO
2014-08-20	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1075.nasl - Type : ACT_GATHER_INFO
2014-08-20	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-1075.nasl - Type : ACT_GATHER_INFO
2014-07-30	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0927.nasl - Type : ACT_GATHER_INFO
2014-07-30	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0704.nasl - Type : ACT_GATHER_INFO
2014-07-26	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-0927.nasl - Type : ACT_GATHER_INFO
2014-07-24	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-0927.nasl - Type : ACT_GATHER_INFO
2014-06-19	Name : The remote SuSE 11 host is missing a security update. File : suse_11_kvm-140528.nasl - Type : ACT_GATHER_INFO
2014-06-12	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-0743.nasl - Type : ACT_GATHER_INFO
2014-06-11	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0743.nasl - Type : ACT_GATHER_INFO
2014-05-20	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2933.nasl - Type : ACT_GATHER_INFO
2014-05-20	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2932.nasl - Type : ACT_GATHER_INFO
2014-05-09	Name : The remote SuSE 11 host is missing a security update. File : suse_11_kvm-140416.nasl - Type : ACT_GATHER_INFO
2014-05-02	Name : The remote Fedora host is missing a security update. File : fedora_2014-5825.nasl - Type : ACT_GATHER_INFO
2014-04-29	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2182-1.nasl - Type : ACT_GATHER_INFO
2014-04-23	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20140422_qemu_kvm_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2014-04-23	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0420.nasl - Type : ACT_GATHER_INFO
2014-04-23	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-0420.nasl - Type : ACT_GATHER_INFO
2014-04-23	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-0420.nasl - Type : ACT_GATHER_INFO
2014-04-21	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2909.nasl - Type : ACT_GATHER_INFO
2014-04-21	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2910.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2017-11-04 09:25:47	Multiple Updates
2014-11-05 21:28:57	Multiple Updates
2014-11-05 05:33:37	Multiple Updates
2014-08-31 13:25:15	Multiple Updates
2014-08-30 05:23:31	First insertion

Global Informations

Type	Count
CWE ID(s)	10
Oval ID(s)	17
CPE ID(s)	130
Nessus® Exploit(s)	49

	Related
7.8	CVE-2014-0145
7.5	CVE-2014-0222
7.2	CVE-2014-2894
7	CVE-2014-0143
6.8	CVE-2014-3461
5.5	CVE-2014-0146
5.5	CVE-2014-0142
4.9	CVE-2014-0150
4.9	CVE-2013-4544
4.6	CVE-2014-0223
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 10 more Alert(s)

7.5 - GLSA-201408-17

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU