SUSE-SU-2025:20036-1: important: Security update for qemu

SLE-SECURITY-UPDATES null at suse.de
Wed Jun 4 09:16:13 UTC 2025 


# Security update for qemu

Announcement ID: SUSE-SU-2025:20036-1  
Release Date: 2025-02-03T08:53:01Z  
Rating: important  
References:

  * bsc#1221812
  * bsc#1227322
  * bsc#1229007

  
Cross-References:

  * CVE-2024-4467
  * CVE-2024-7409

  
CVSS scores:

  * CVE-2024-4467 ( SUSE ):  7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2024-4467 ( NVD ):  7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2024-7409 ( SUSE ):  8.2
    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2024-7409 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2024-7409 ( NVD ):  7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

  
Affected Products:

  * SUSE Linux Micro 6.0

  
  
An update that solves two vulnerabilities and has one fix can now be installed.

## Description:

This update for qemu fixes the following issues:

  * Fix bsc#1221812:
  * block: Reschedule query-block during qcow2 invalidation (bsc#1221812)

  * Fix bsc#1229007, CVE-2024-7409:

  * nbd/server: CVE-2024-7409: Close stray clients at server-stop (bsc#1229007)
  * nbd/server: CVE-2024-7409: Drop non-negotiating clients (bsc#1229007)
  * nbd/server: CVE-2024-7409: Cap default max-connections to 100 (bsc#1229007)
  * nbd/server: Plumb in new args to nbd_client_add() (bsc#1229007,
    CVE-2024-7409)
  * nbd: Minor style and typo fixes (bsc#1229007, CVE-2024-7409)

  * Update to version 8.2.6:

Full backport lists (from the various releases) here:
https://lore.kernel.org/qemu-
devel/1721203806.547734.831464.nullmailer at tls.msk.ru/

Some of the upstream backports are: hw/nvme: fix number of PIDs for FDP RUH
update sphinx/qapidoc: Fix to generate doc for explicit, unboxed arguments char-
stdio: Restore blocking mode of stdout on exit virtio: remove virtio_tswap16s()
call in vring_packed_event_read() virtio-pci: Fix the failure process in
kvm_virtio_pci_vector_use_one() block: Parse filenames only when explicitly
requested iotests/270: Don't store data-file with json: prefix in image
iotests/244: Don't store data-file with protocol in image qcow2: Don't open
data_file with BDRV_O_NO_IO (bsc#1227322, CVE-2024-4467) target/arm: Fix FJCVTZS
vs flush-to-zero target/arm: Fix VCMLA Dd, Dn, Dm[idx] i386/cpu: fixup number of
addressable IDs for processor cores in the physical package tests: Update our CI
to use CentOS Stream 9 instead of 8 migration: Fix file migration with fdset
tcg/loongarch64: Fix tcg_out_movi vs some pcrel pointers target/sparc: use
signed denominator in sdiv helper linux-user: Make TARGET_NR_setgroups affect
only the current thread accel/tcg: Fix typo causing tb->page_addr[1] to not be
recorded stdvga: fix screen blanking hw/audio/virtio-snd: Always use little
endian audio format ui/gtk: Draw guest frame at refresh cycle virtio-net: drop
too short packets early target/i386: fix size of EBP writeback in gen_enter()

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Micro 6.0  
    zypper in -t patch SUSE-SLE-Micro-6.0-60=1

## Package List:

  * SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
    * qemu-ui-opengl-8.2.6-1.1
    * qemu-block-iscsi-debuginfo-8.2.6-1.1
    * qemu-pr-helper-8.2.6-1.1
    * qemu-audio-spice-8.2.6-1.1
    * qemu-8.2.6-1.1
    * qemu-block-ssh-debuginfo-8.2.6-1.1
    * qemu-tools-debuginfo-8.2.6-1.1
    * qemu-hw-display-virtio-gpu-pci-debuginfo-8.2.6-1.1
    * qemu-ui-opengl-debuginfo-8.2.6-1.1
    * qemu-hw-display-virtio-vga-8.2.6-1.1
    * qemu-pr-helper-debuginfo-8.2.6-1.1
    * qemu-block-curl-debuginfo-8.2.6-1.1
    * qemu-block-rbd-8.2.6-1.1
    * qemu-block-rbd-debuginfo-8.2.6-1.1
    * qemu-img-debuginfo-8.2.6-1.1
    * qemu-ksm-8.2.6-1.1
    * qemu-ui-spice-core-debuginfo-8.2.6-1.1
    * qemu-block-iscsi-8.2.6-1.1
    * qemu-tools-8.2.6-1.1
    * qemu-img-8.2.6-1.1
    * qemu-block-curl-8.2.6-1.1
    * qemu-hw-usb-host-debuginfo-8.2.6-1.1
    * qemu-hw-display-qxl-debuginfo-8.2.6-1.1
    * qemu-lang-8.2.6-1.1
    * qemu-hw-display-virtio-vga-debuginfo-8.2.6-1.1
    * qemu-ui-spice-core-8.2.6-1.1
    * qemu-block-ssh-8.2.6-1.1
    * qemu-hw-usb-redirect-debuginfo-8.2.6-1.1
    * qemu-guest-agent-8.2.6-1.1
    * qemu-hw-display-qxl-8.2.6-1.1
    * qemu-hw-display-virtio-gpu-pci-8.2.6-1.1
    * qemu-hw-display-virtio-gpu-8.2.6-1.1
    * qemu-debugsource-8.2.6-1.1
    * qemu-guest-agent-debuginfo-8.2.6-1.1
    * qemu-chardev-spice-8.2.6-1.1
    * qemu-hw-usb-host-8.2.6-1.1
    * qemu-chardev-spice-debuginfo-8.2.6-1.1
    * qemu-audio-spice-debuginfo-8.2.6-1.1
    * qemu-hw-usb-redirect-8.2.6-1.1
    * qemu-hw-display-virtio-gpu-debuginfo-8.2.6-1.1
    * qemu-debuginfo-8.2.6-1.1
  * SUSE Linux Micro 6.0 (x86_64)
    * qemu-accel-tcg-x86-8.2.6-1.1
    * qemu-x86-debuginfo-8.2.6-1.1
    * qemu-accel-tcg-x86-debuginfo-8.2.6-1.1
    * qemu-x86-8.2.6-1.1
  * SUSE Linux Micro 6.0 (noarch)
    * qemu-vgabios-8.2.61.16.3_3_ga95067eb-1.1
    * qemu-seabios-8.2.61.16.3_3_ga95067eb-1.1
    * qemu-ipxe-8.2.6-1.1
  * SUSE Linux Micro 6.0 (s390x)
    * qemu-s390x-8.2.6-1.1
    * qemu-s390x-debuginfo-8.2.6-1.1
  * SUSE Linux Micro 6.0 (aarch64)
    * qemu-arm-debuginfo-8.2.6-1.1
    * qemu-arm-8.2.6-1.1

## References:

  * https://www.suse.com/security/cve/CVE-2024-4467.html
  * https://www.suse.com/security/cve/CVE-2024-7409.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1221812
  * https://bugzilla.suse.com/show_bug.cgi?id=1227322
  * https://bugzilla.suse.com/show_bug.cgi?id=1229007

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20250604/5fad5d95/attachment.htm>

More information about the sle-security-updates mailing list