[pve-devel] CVE-2015-3456

Alexandre DERUMIER aderumier at odiso.com
Thu May 14 08:12:08 CEST 2015


Yes, any qemu version is vunerable,
even if we don't create floppy inside the guest.

we should patch this as soon as possible


----- Mail original -----
De: "Eric Blevins" <ericlb100 at gmail.com>
À: "pve-devel" <pve-devel at pve.proxmox.com>
Envoyé: Mercredi 13 Mai 2015 18:44:08
Objet: [pve-devel] CVE-2015-3456

Is Proxmox vulnerable to CVE-2015-3456? 

https://securityblog.redhat.com/tag/cve-2015-3456/ 
>From the article: 
It can result in guest controlled execution of arbitrary code in, and 
with privileges of, the corresponding QEMU process on the host. Worst 
case scenario this can be guest to host exit with the root privileges. 


Can we expect Proxmox to stop running KVM processes as root in the near future? 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 



More information about the pve-devel mailing list