Hi Debian Security folks-- On 03/10/2010 01:18 PM, dann frazier wrote: > ------------------------------------------------------------------------ > Debian Security Advisory DSA-2010 security@debian.org > http://www.debian.org/security/ Dann Frazier > March 10, 2010 http://www.debian.org/security/faq > ------------------------------------------------------------------------ > > Package : kvm > Vulnerability : privilege escalation/denial of service > Problem type : local > Debian-specific: no > CVE Id(s) : CVE-2010-0298 CVE-2010-0306 CVE-2010-0309 CVE-2010-0419 > > Several local vulnerabilities have been discovered in kvm, a full > virtualization system. The Common Vulnerabilities and Exposures project > identifies the following problems: > > CVE-2010-0298 & CVE-2010-0306 > > Gleb Natapov discovered issues in the KVM subsystem where missing > permission checks (CPL/IOPL) permit a user in a guest system to > denial of service a guest (system crash) or gain escalated > privileges with the guest. > > CVE-2010-0309 > > Marcelo Tosatti fixed an issue in the PIT emulation code in the > KVM subsystem that allows privileged users in a guest domain to > cause a denial of service (crash) of the host system. > > CVE-2010-0419 > > Paolo Bonzini found a bug in KVM that can be used to bypass proper > permission checking while loading segment selectors. This > potentially allows privileged guest users to execute privileged > instructions on the host system. > > For the stable distribution (lenny), this problem has been fixed in > version 72+dfsg-5~lenny5. > > For the testing distribution (squeeze), and the unstable distribution (sid), > these problems will be addressed within the linux-2.6 package. > > We recommend that you upgrade your kvm package. > > Upgrade instructions > -------------------- > > wget url > will fetch the file for you > dpkg -i file.deb > will install the referenced file. > > If you are using the apt-get package manager, use the line for > sources.list as given below: > > apt-get update > will update the internal database > apt-get upgrade > will install corrected packages > > You may use an automated update by adding the resources from the > footer to the proper configuration. It's not clear to me from the instructions above whether users should re-build their kvm modules package as well as installing the revised versions. Is the vulnerability fully-resolved by simply upgrading the kvm package? (i really don't know, and figure y'all are the right folks to ask). I note that there are kvm modules shipped with the default stable kernel. If more steps are needed, maybe we need additional DSA boilerplate for these kind of announcements in the future. Thanks for all the work you do to keep debian in good shape. it's very much appreciated! --dkg
Attachment:
signature.asc
Description: OpenPGP digital signature