SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:2416-1)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

This update for qemu fixes the following issues: Security issues
fixed :

- CVE-2017-10664: Fix DOS vulnerability in qemu-nbd
(bsc#1046636)

- CVE-2017-10806: Fix DOS from stack overflow in debug
messages of usb redirection support (bsc#1047674)

- CVE-2017-11334: Fix OOB access during DMA operation
(bsc#1048902)

- CVE-2017-11434: Fix OOB access parsing dhcp slirp
options (bsc#1049381) Following non-security issues were
fixed :

- Postrequire acl for setfacl

- Prerequire shadow for groupadd

- The recent security fix for CVE-2017-11334 adversely
affects Xen. Include two additional patches to make sure
Xen is going to be OK.

- Pre-add group kvm for qemu-tools (bsc#1011144)

- Fixed a few more inaccuracies in the support docs.

- Fix support docs to indicate ARM64 is now fully L3
supported in SLES 12 SP3. Apply a few additional
clarifications in the support docs. (bsc#1050268)

- Adjust to libvdeplug-devel package naming changes.

- Fix migration with xhci (bsc#1048296)

- Increase VNC delay to fix missing keyboard input events
(bsc#1031692)

- Remove build dependency package iasl used for seabios

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/1011144
https://bugzilla.suse.com/1031692
https://bugzilla.suse.com/1046636
https://bugzilla.suse.com/1047674
https://bugzilla.suse.com/1048296
https://bugzilla.suse.com/1048902
https://bugzilla.suse.com/1049381
https://bugzilla.suse.com/1050268
https://www.suse.com/security/cve/CVE-2017-10664.html
https://www.suse.com/security/cve/CVE-2017-10806.html
https://www.suse.com/security/cve/CVE-2017-11334.html
https://www.suse.com/security/cve/CVE-2017-11434.html
http://www.nessus.org/u?31122e77

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 12-SP3:zypper in -t patch
SUSE-SLE-SERVER-12-SP3-2017-1490=1

SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch
SUSE-SLE-DESKTOP-12-SP3-2017-1490=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 4.1
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: SuSE Local Security Checks

Nessus Plugin ID: 103120 ()

Bugtraq ID:

CVE ID: CVE-2017-10664
CVE-2017-10806
CVE-2017-11334
CVE-2017-11434

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now