[Secure-testing-team] Bug#880836: qemu: CVE-2017-15268: I/O: potential memory exhaustion via websock connection to VNC

Salvatore Bonaccorso carnil at debian.org
Sat Nov 4 23:17:12 UTC 2017


Source: qemu
Version: 1:2.10.0+dfsg-2
Severity: important
Tags: patch security upstream
Control: found -1 1:2.8+dfsg-6

Hi,

the following vulnerability was published for qemu.

CVE-2017-15268[0]:
| Qemu through 2.10.0 allows remote attackers to cause a memory leak by
| triggering slow data-channel read operations, related to
| io/channel-websock.c.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15268
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15268
[1] https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=a7b20a8efa28e5f22c26c06cd06c2f12bc863493

Regards,
Salvatore


