qemu-kvm - security update

Multiple vulnerabilities have been discovered in qemu-kvm, a full
virtualization solution on x86 hardware. The Common Vulnerabilities and
Exposures project identifies the following problems:

• CVE-2015-5239
  Lian Yihan discovered that QEMU incorrectly handled certain payload
  messages in the VNC display driver. A malicious guest could use this
  issue to cause the QEMU process to hang, resulting in a denial of
  service.
• CVE-2016-2857
  Ling Liu discovered that QEMU incorrectly handled IP checksum
  routines. An attacker inside the guest could use this issue to cause
  QEMU to crash, resulting in a denial of service, or possibly leak
  host memory bytes.
• CVE-2016-4020
  Donghai Zdh discovered that QEMU incorrectly handled the Task
  Priority Register(TPR). A privileged attacker inside the guest could
  use this issue to possibly leak host memory bytes.
• CVE-2016-4439 /
  CVE-2016-6351
  Li Qiang disovered that the emulation of the 53C9X Fast SCSI
  Controller is affected by out of bound access issues.
• CVE-2016-5403
  Zhenhao Hong discovered that a malicious guest administrator can
  cause unbounded memory allocation in QEMU (which can cause an
  Out-of-Memory condition) by submitting virtio requests without
  bothering to wait for completion.

For Debian 7 Wheezy, these problems have been fixed in version
1.1.2+dfsg-6+deb7u14.

We recommend that you upgrade your qemu-kvm packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: <https://wiki.debian.org/LTS&gt;