The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.
Synthesis of the vulnerability 
An attacker can trigger a read at an invalid address via snprintf() in QEMU's user-mode networking stack (libslirp), in order to cause a denial of service or to obtain sensitive information.
Impacted software: Debian, Junos Space, openSUSE Leap, QEMU, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this computer vulnerability: 2/4.
Creation date: 06/02/2020.
References for this advisory: CVE-2020-8608, DLA-2142-1, DLA-2144-1, DLA-2288-1, DLA-2551-1, DSA-4733-1, JSA11110, openSUSE-SU-2020:0468-1, RHSA-2020:0889-01, RHSA-2020:1208-01, RHSA-2020:1209-01, RHSA-2020:1351-01, RHSA-2020:1352-01, RHSA-2020:1379-01, RHSA-2020:1403-01, RHSA-2020:2773-01, RHSA-2020:2774-01, RHSA-2020:2844-01, RHSA-2020:3040-01, SUSE-SU-2020:14444-1, SUSE-SU-2020:14448-1, SUSE-SU-2020:2141-1, SUSE-SU-2020:2171-1, SUSE-SU-2020:2234-1, SUSE-SU-2020:3880-1, USN-4283-1, USN-4632-1, VIGILANCE-VUL-31540.
Description of the vulnerability 
An attacker can trigger a read at an invalid address via snprintf() in QEMU's user-mode networking stack (libslirp), in order to cause a denial of service or to obtain sensitive information. The affected code is the slirp TCP protocol emulation that QEMU uses for guest networking; a guest (or any peer able to feed data into that emulation) is the attacker here, so the impact is on the host-side QEMU process.
This security bulletin impacts software or systems such as Debian, Junos Space, openSUSE Leap, QEMU, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Our Vigil@nce team rated the severity of this advisory as medium (2/4).
Trust level: confirmed by the editor. Attack origin: user shell.
An attacker with expert ability is required to exploit this vulnerability.
Solutions for this threat 
QEMU: patch for snprintf.
A patch is available:
https://gitlab.freedesktop.org/slirp/libslirp/commit/68ccb8021a838066f0951d4b2817eb6b6f10a843
https://gitlab.freedesktop.org/slirp/libslirp/commit/30648c03b27fb8d9611b723184216cd3174b6775
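The libslirp commits above fix unsafe uses of snprintf() in the slirp TCP emulation code. The block below is an added illustration written for this page; it is not code from libslirp, QEMU or Vigil@nce. It shows the general C hazard behind this bug class: snprintf() returns the length the formatted string would have had, even when it was truncated to fit the buffer, so code that does `len += snprintf(...)` can end up holding a length larger than the buffer, and whatever consumes that length next reads past the end of the allocation. The buffer size (BUF_ROOM), the format string, the hostnames and all function names are constructed for the example.

```c
/*
 * Added example (not libslirp/QEMU code): the snprintf() return-value hazard.
 *
 * snprintf() returns the length the output WOULD have had, even when it was
 * truncated to fit `room`. Treating that value as "bytes now in the buffer"
 * lets a peer-controlled string push a length counter past the real buffer,
 * and whatever consumes that length next reads out of bounds.
 * BUF_ROOM, the format string and the hostnames are constructed for the
 * example.
 */
#include <stdio.h>
#include <stddef.h>

#define BUF_ROOM 32 /* hypothetical room left in a packet buffer */

/* Vulnerable pattern: returns the raw snprintf() value as the byte count. */
size_t append_unsafe(char *buf, size_t room, const char *host, int port)
{
    int n = snprintf(buf, room, "ADDR %s PORT %d\r\n", host, port);
    if (n < 0)
        return 0;
    /* BUG: when n >= room the output was truncated, yet n is reported as if
     * the whole string were stored. A caller doing `len += n` now owns a
     * length that exceeds the buffer. */
    return (size_t)n;
}

/* Hardened pattern: never report more than was actually stored, and tell the
 * caller when truncation happened so it can drop or reject the message. */
size_t append_safe(char *buf, size_t room, const char *host, int port,
                   int *truncated)
{
    int n = snprintf(buf, room, "ADDR %s PORT %d\r\n", host, port);
    if (n < 0) {             /* encoding error: nothing usable was written */
        *truncated = 1;
        return 0;
    }
    if ((size_t)n >= room) { /* did not fit: room-1 bytes plus the NUL */
        *truncated = 1;
        return room - 1;
    }
    *truncated = 0;
    return (size_t)n;
}

/* Helpers that run each pattern against a fresh BUF_ROOM-byte buffer. */
size_t unsafe_len_for(const char *host, int port)
{
    char buf[BUF_ROOM];
    return append_unsafe(buf, sizeof buf, host, port);
}

size_t safe_len_for(const char *host, int port)
{
    char buf[BUF_ROOM];
    int truncated;
    return append_safe(buf, sizeof buf, host, port, &truncated);
}

int safe_truncated_for(const char *host, int port)
{
    char buf[BUF_ROOM];
    int truncated;
    (void)append_safe(buf, sizeof buf, host, port, &truncated);
    return truncated;
}

/* Does a reported length overrun the buffer it supposedly describes? */
int length_overruns(size_t len, size_t room)
{
    return len > room;
}

int main(void)
{
    const char *ok = "10.0.2.2";                          /* fits */
    const char *big = "a.very.long.hostname.example.net"; /* 32 chars: too long */

    printf("short host: unsafe=%zu safe=%zu\n",
           unsafe_len_for(ok, 6667), safe_len_for(ok, 6667));
    printf("long host : unsafe=%zu (room %d!) safe=%zu truncated=%d\n",
           unsafe_len_for(big, 6667), BUF_ROOM,
           safe_len_for(big, 6667), safe_truncated_for(big, 6667));
    return 0;
}
```

With the 32-character hostname the unsafe helper reports 49 bytes for a 32-byte buffer; the safe helper reports 31 and flags truncation. When auditing code of this kind, grep for snprintf() results that are added to a length, used as a memcpy() size, or used to advance a pointer, and check that each use is clamped against the real buffer size.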
Debian 10: new qemu packages.
New packages are available:
Debian 10: qemu 1:3.1+dfsg-8+deb10u7
Debian 8: new qemu packages.
New packages are available:
Debian 8: qemu 1:2.1+dfsg-12+deb8u14
Debian 8: new slirp packages.
New packages are available:
Debian 8: slirp 1:1.0.17-7+deb8u2
Debian 9: new qemu packages.
New packages are available:
Debian 9: qemu 1:2.8+dfsg-6+deb9u10
Debian 9: new slirp packages.
New packages are available:
Debian 9: slirp 1:1.0.17-8+deb9u1
Juniper Junos Space: version 20.3R1.
The version 20.3R1 is fixed:
https://www.juniper.net/support/downloads/
openSUSE Leap 15.1: new qemu packages.
New packages are available:
openSUSE Leap 15.1: qemu 3.1.1.1-lp151.7.12.1
RHEL 6.10: new qemu-kvm packages.
New packages are available:
RHEL 6.10: qemu-kvm 0.12.1.2-2.506.el6_10.7
RHEL 7.6: new qemu-kvm packages.
New packages are available:
RHEL 7.6: qemu-kvm 1.5.3-160.el7_6.7
RHEL 7.7: new qemu-kvm-ma packages.
New packages are available:
RHEL 7.7: qemu-kvm-ma 2.12.0-33.el7_7.3
RHEL 7.7: new qemu-kvm packages.
New packages are available:
RHEL 7.7: qemu-kvm 1.5.3-167.el7_7.6
RHEL 7.8: new qemu-kvm-ma packages.
New packages are available:
RHEL 7.8: qemu-kvm-ma 2.12.0-44.el7_8.1
RHEL 7.8: new qemu-kvm packages.
New packages are available:
RHEL 7.8: qemu-kvm 1.5.3-173.el7_8.1
RHEL 7.7: new slirp4netns packages.
New packages are available:
RHEL 7.7: slirp4netns 0.3.0-8.el7_7
RHEL 8.0: new virt-rhel module (21/07/2020).
The following module is updated:
RHEL 8.0 Module: virt:rhel
RHEL 8.0: new virt-rhel module (30/06/2020).
The following module is updated:
RHEL 8.0 Module: virt:rhel
RHEL 8.1: new container-tools-rhel8 module.
The following module is updated:
RHEL 8.1 Module: container-tools:rhel8
RHEL 8.1: new virt-rhel module.
The following module is updated:
RHEL 8.1 Module: virt:rhel
SUSE LE 11 SP3: new xen packages.
New packages are available:
SUSE LE 11 SP3: xen 4.2.5_22-45.36.1
SUSE LE 12 SP2: new xen packages.
New packages are available:
SUSE LE 12 SP2: xen 4.7.6_08-43.64.1
SUSE LE 12 SP3: new xen packages.
New packages are available:
SUSE LE 12 SP3: xen 4.9.4_10-3.71.1
SUSE LE 11 SP4: new xen packages.
New packages are available:
SUSE LE 11 SP4: xen 4.4.4_42-61.52.1
SUSE LE 12 SP4: new xen packages (06/08/2020).
New packages are available:
SUSE LE 12 SP4: xen 4.11.4_06-2.33.1
SUSE LE 12 SP5: new xen packages.
New packages are available:
SUSE LE 12 SP5: xen 4.12.4_06-3.36.1
Ubuntu: new qemu packages.
New packages are available:
Ubuntu 19.10: qemu 1:4.0+dfsg-0ubuntu9.4
Ubuntu 18.04 LTS: qemu 1:2.11+dfsg-1ubuntu7.23
Ubuntu 16.04 LTS: qemu 1:2.5+dfsg-5ubuntu10.43
Ubuntu: new slirp packages.
New packages are available:
Ubuntu 18.04 LTS: slirp 1:1.0.17-8ubuntu18.04.1
Ubuntu 16.04 LTS: slirp 1:1.0.17-8ubuntu16.04.1