SUSE-SU-2014:1278-1: moderate: Security update for kvm
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Wed Oct 8 16:04:41 MDT 2014
SUSE Security Update: Security update for kvm
______________________________________________________________________________
Announcement ID: SUSE-SU-2014:1278-1
Rating: moderate
References: #876842 #877642 #877645 #878541 #886535
Cross-References: CVE-2014-0222 CVE-2014-0223 CVE-2014-3461
Affected Products:
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________
An update that solves three vulnerabilities and has two
fixes is now available. It includes one version update.
Description:
kvm has been updated to fix issues in the embedded qemu:
*
CVE-2014-0223: An integer overflow flaw was found in the QEMU block
driver for QCOW version 1 disk images. A user able to alter the QEMU disk
image files loaded by a guest could have used this flaw to corrupt QEMU
process memory on the host, which could potentially have resulted in
arbitrary code execution on the host with the privileges
of the QEMU process.
*
CVE-2014-3461: A user able to alter the savevm data (either on the
disk or over the wire during migration) could have used this flaw to to
corrupt QEMU process memory on the (destination) host, which could have
potentially resulted in arbitrary code execution on the host with the
privileges of the QEMU process.
*
CVE-2014-0222: An integer overflow flaw was found in the QEMU block
driver for QCOW version 1 disk images. A user able to alter the QEMU disk
image files loaded by a guest could have used this flaw to corrupt QEMU
process memory on the host, which could have potentially resulted in
arbitrary code execution on the host with the privileges
of the QEMU process.
Non-security bugs fixed:
* Fix exceeding IRQ routes that could have caused freezes of guests.
(bnc#876842)
* Fix CPUID emulation bugs that may have broken Windows guests with
newer -cpu types (bnc#886535)
Security Issues:
* CVE-2014-0222
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0222>
* CVE-2014-0223
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0223>
* CVE-2014-3461
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3461>
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11 SP3:
zypper in -t patch slessp3-kvm-9739
- SUSE Linux Enterprise Desktop 11 SP3:
zypper in -t patch sledsp3-kvm-9739
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 11 SP3 (i586 s390x x86_64) [New Version: 1.4.2]:
kvm-1.4.2-0.17.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.4.2]:
kvm-1.4.2-0.17.1
References:
http://support.novell.com/security/cve/CVE-2014-0222.html
http://support.novell.com/security/cve/CVE-2014-0223.html
http://support.novell.com/security/cve/CVE-2014-3461.html
https://bugzilla.suse.com/show_bug.cgi?id=876842
https://bugzilla.suse.com/show_bug.cgi?id=877642
https://bugzilla.suse.com/show_bug.cgi?id=877645
https://bugzilla.suse.com/show_bug.cgi?id=878541
https://bugzilla.suse.com/show_bug.cgi?id=886535
http://download.suse.com/patch/finder/?keywords=edfe5d595d3bf57ca949f09aec30ca76
More information about the sle-security-updates
mailing list