-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2015:210 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : qemu Date : April 27, 2015 Affected: Business Server 1.0, Business Server 2.0 _______________________________________________________________________ Problem Description: Updated qemu packages fix security vulnerabilities: A denial of service flaw was found in the way QEMU handled malformed Physical Region Descriptor Table (PRDT) data sent to the host's IDE and/or AHCI controller emulation. A privileged guest user could use this flaw to crash the system (rhbz#1204919). It was found that the QEMU's websocket frame decoder processed incoming frames without limiting resources used to process the header and the payload. An attacker able to access a guest's VNC console could use this flaw to trigger a denial of service on the host by exhausting all available memory and CPU (CVE-2015-1779). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1779 http://advisories.mageia.org/MGASA-2015-0149.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: bc2beef4372b8b5e6f304b43ea03932e mbs1/x86_64/qemu-1.6.2-1.3.mbs1.x86_64.rpm 66b90d7aa493a9d5a4f211348fc3f11e mbs1/x86_64/qemu-img-1.6.2-1.3.mbs1.x86_64.rpm 963f9b67a4f17912f78a2f836eff5779 mbs1/SRPMS/qemu-1.6.2-1.3.mbs1.src.rpm Mandriva Business Server 2/X86_64: 50ec69a06c81554133e2b6498f80aadd mbs2/x86_64/qemu-1.6.2-1.1.mbs2.x86_64.rpm 3614812ed41087f722183a335dcf1085 mbs2/x86_64/qemu-img-1.6.2-1.1.mbs2.x86_64.rpm 59781eb204137b664c40b646638259f9 mbs2/SRPMS/qemu-1.6.2-1.1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVPf9DmqjQ0CJFipgRAhTUAJ0YpEHATH84jxU6Eu/S1p6cxxlZ5QCggdwE 8O51hL6WbyTUwpWcAFXxssQ= =C7sG -----END PGP SIGNATURE-----