Lucene search

K
suse
SuseOPENSUSE-SU-2021:1942-1
HistoryJul 11, 2021 - 12:00 a.m.

Security update for qemu (important)

2021-07-1100:00:00
lists.opensuse.org
29

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

An update that solves 14 vulnerabilities and has three
fixes is now available.

Description:

This update for qemu fixes the following issues:

  • Switch method of splitting off hw-s390x-virtio-gpu-ccw.so as a module to
    what was accepted upstream (bsc#1181103)
  • Fix OOB access in sdhci interface (CVE-2020-17380, bsc#1175144,
    CVE-2020-25085, bsc#1176681, CVE-2021-3409, bsc#1182282)
  • Fix potential privilege escalation in virtiofsd tool (CVE-2021-20263,
    bsc#1183373)
  • Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416,
    bsc#1182968)
  • Fix heap overflow in MSIx emulation (CVE-2020-27821, bsc#1179686)
  • Fix package scripts to not use hard coded paths for temporary working
    directories and log files (bsc#1182425)
  • QEMU BIOS fails to read stage2 loader on s390x (bsc#1186290)
  • For the record, these issues are fixed in this package already. Most are
    alternate references to previously mentioned issues: (CVE-2019-15890,
    bsc#1149813, CVE-2020-8608, bsc#1163019, CVE-2020-14364, bsc#1175534,
    CVE-2020-25707, bsc#1178683, CVE-2020-25723, bsc#1178935,
    CVE-2020-29130, bsc#1179477, CVE-2020-29129, bsc#1179484, CVE-2021-3419,
    bsc#1182975)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or β€œzypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.3:

    zypper in -t patch openSUSE-SLE-15.3-2021-1942=1

OSVersionArchitecturePackageVersionFilename
openSUSE Leap15.3aarch64< - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):.aarch64.rpm
openSUSE Leap15.3ppc64le< - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):.ppc64le.rpm
openSUSE Leap15.3s390x< - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):.s390x.rpm
openSUSE Leap15.3x86_64< - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):.x86_64.rpm
openSUSE Leap15.3s390x< - openSUSE Leap 15.3 (s390x x86_64):- openSUSE Leap 15.3 (s390x x86_64):.s390x.rpm
openSUSE Leap15.3x86_64< - openSUSE Leap 15.3 (s390x x86_64):- openSUSE Leap 15.3 (s390x x86_64):.x86_64.rpm
openSUSE Leap15.3noarch< - openSUSE Leap 15.3 (noarch):- openSUSE Leap 15.3 (noarch):.noarch.rpm
Use Vulners API to create your own security tool

API usage cases
  • Network scanning
  • Linux Patch management
  • Threat protection
  • No network audit solution

Ways of integration

Integrate Vulners API

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

Related for OPENSUSE-SU-2021:1942-1