
emulators/qemu-devel: multiple vulnerabilities

Authored by feld on Sep 17 2015, 5:50 PM.




These CVEs have not been dealt with in the ports tree yet. I'm not sure
if non-devel qemu or static/sbruno/etc flavors are also vulnerable?
Maybe Xen stuff? Can someone lend a hand?


Diff Detail

rP FreeBSD ports repository
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

feld retitled this revision from to emulators/qemu-devel: multiple vulnerabilities.
feld updated this object.
feld edited the test plan for this revision.
feld added subscribers: sbruno, nox, junovitch.

Regarding emulators/qemu,
It may be vulnerable and we do have CVE-2015-5154, CVE-2015-5166, CVE-2015-5165 from a prior PR still valid against this. In Sean brought up getting guidance from Juergen on a way ahead.

Regarding emulators/qemu-sbruno and emulators/qemu-user-static,
They would be impacted and it looks like they will need a fresh pull from upstream.

Regarding Xen,
I don't see any security advisory from them just yet at

The goalposts keep moving. Here's another one we need to patch

I suspect that this might be a deprecated review at this time. emulators/qemu now tracks the stable release of QEMU.

In D3691#76188, @feld wrote:

The goalposts keep moving. Here's another one we need to patch

This has been addressed in qemu-devel 2.5.0.

This revision was automatically updated to reflect the committed changes.