[BSA-039] Security Update for qemu-kvm
Michael Tokarev uploaded new packages for qemu-kvm
which fixed the following security issues:
Setting the VNC password to an empty string silently disabled

The virtio-blk driver performed insufficient validation of
read/write I/O from the guest instance, which could lead to
denial of service or privilege escalation.

Incorrect memory handling during the removal of ISA devices in KVM
could lead to denial of service or the execution of arbitrary code.

Incorrect sanitising of virtio queue commands in KVM could
lead to denial of service or the execution of arbitrary code.

The subpage MMIO initialization functionality in the subpage_register
function in exec.c in KVM does not properly select the index for
access to the callback array, which allows guest OS users to cause
a denial of service (guest OS crash) or possibly gain privileges via
For the lenny-backports distribution the problem has been fixed
in version 0.12.5+dfsg-5+squeeze4~bpo50+1.
If you don't use pinning (see ) you have to update the package
manually via "apt-get -t lenny-backports install <packagelist>" with
the packagelist of your installed packages affected by this update.
We recommend pinning (in /etc/apt/preferences) the backports repository to
200 so that new versions of installed backports will be installed
Package: *
Pin: release a=lenny-backports
Pin-Priority: 200
We recommend that you upgrade your qemu-kvm packages.