[pve-devel] Fwd: [Qemu-devel] [ANNOUNCE] QEMU 2.4.0.1 CVE update released

[Alexandre DERUMIER]

Seem that qemu will release CVE fixed releases :)

----- Mail transféré -----
De: "mdroth" <mdroth at linux.vnet.ibm.com>
À: "qemu-devel" <qemu-devel at nongnu.org>
Cc: "qemu-stable" <qemu-stable at nongnu.org>
Envoyé: Mercredi 23 Septembre 2015 01:36:23
Objet: [Qemu-devel] [ANNOUNCE] QEMU 2.4.0.1 CVE update released

Hi everyone, 

As part of recent planning around stable releases discussed during 
KVM Forum, I'm releasing the first of what will be regular (hopefully 
not *too* regular) CVE-only stable updates. These updates are 
intended to reduce the gap between vulnerability disclosures and 
patched/packaged releases. 

You can grab the latest release here: 

http://wiki.qemu.org/download/qemu-2.4.0.1.tar.bz2 

Please see the changelog for CVE numbers/details. Users are 
encouraged to update as soon as possible. 

v2.4.0.1 is now tagged in the official qemu.git repository, 
and the stable-2.4 branch has been updated accordingly: 

http://git.qemu.org/?p=qemu.git;a=shortlog;h=refs/heads/stable-2.4 

These CVE-only releases are produced as-needed and are on no set 
release schedule. 

Full stable releases are still tentatively planned to continue as they 
(mostly) have in the past: 1 mid-cycle stable update, and 1 stable update 
at the end of each release cycle, with freeze dates announced in advance 
to pull together important fixes. v2.4.1 is currently planned for 
2015-10-20: 

http://wiki.qemu.org/Planning/2.4 

Thank you to everyone involved! 

CHANGELOG: 

83c92b4: Update version for 2.4.0.1 release (Michael Roth) 
5a1ccdf: net: avoid infinite loop when receiving packets(CVE-2015-5278) (P J P) 
7aa2bca: net: add checks to validate ring buffer pointers(CVE-2015-5279) (P J P) 
3a56af1: e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815) (P J P) 
efec4dc: vnc: fix memory corruption (CVE-2015-5225) (Gerd Hoffmann)