[arch-security] QEMU venom vulnerability
To All,
After the disclosure of the venom vulnerability in QEMU today, I'm wondering if the Arch version of qemu is vulnerable. The disclosure indicated that distros have been notified since 4/30/2015.
Regards, Mark
Hello,
pacman -Qii qemu shows me that the package has been built Mo 13 Apr 2015 23:27:05 CEST. As such, it is vulnerable.
Kind Regards, Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 14.05.2015 at 00:13, Mark Lee wrote:
> To All,
> After the disclosure of the venom vulnerability in QEMU today, I'm wondering if the Arch version of qemu is vulnerable. The disclosure indicated that distros have been notified since 4/30/2015.
> Regards, Mark
On Thursday, May 14, 2015 12:17:23 AM Noel Kuntze wrote:
> Hello,
> pacman -Qii qemu shows me that the package has been built Mo 13 Apr 2015 23:27:05 CEST. As such, it is vulnerable.
I was wondering if the package in testing is also vulnerable. In other words... do we have a package that's not vulnerable to venom for qemu?
Regards, Mark
No.
https://www.archlinux.org/packages/?sort=&q=qemu&maintainer=&flagged=
All packages are from before 2015-04-30.
Kind Regards, Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 14.05.2015 at 03:21, Mark Lee wrote:
> On Thursday, May 14, 2015 12:17:23 AM Noel Kuntze wrote:
>> Hello,
>> pacman -Qii qemu shows me that the package has been built Mo 13 Apr 2015 23:27:05 CEST. As such, it is vulnerable.
> I was wondering if the package in testing is also vulnerable. In other words... do we have a package that's not vulnerable to venom for qemu?
> Regards, Mark
On 14.05.2015 03:21, Mark Lee wrote:
> I was wondering if the package in testing is also vulnerable. In other words... do we have a package that's not vulnerable to venom for qemu?
We have them now.
2.3.0-2 in [testing]
2.2.1-5 in [extra]
participants (3)
- Florian Pritz
- Mark Lee
- Noel Kuntze
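Added example, not part of the original thread: a version check against the two fixed builds named in the last message, as a more direct test than comparing build dates. The function names, the `sort -V` comparison, the sample version 2.2.1-4 and the rule that any older build on a branch is unpatched are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: classify a qemu package version against the fixed builds
# named in the thread (2.2.1-5 in [extra], 2.3.0-2 in [testing]).
FIXED_EXTRA="2.2.1-5"
FIXED_TESTING="2.3.0-2"

# ver_ge A B: succeed when A >= B. GNU `sort -V` is a portable stand-in
# (assumption); on Arch, pacman's `vercmp A B` is the authoritative comparison.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# qemu_status VERSION: print "fixed" or "vulnerable". Assumes every build
# older than the fixed one on its branch is unpatched.
qemu_status() {
    if ver_ge "$1" "$FIXED_TESTING"; then
        echo fixed
    elif ver_ge "$1" "$FIXED_EXTRA" && ! ver_ge "$1" "2.3.0"; then
        echo fixed    # patched 2.2.x build
    else
        echo vulnerable
    fi
}

# pkg_field FIELD: print FIELD's value from `pacman -Qi` output on stdin.
pkg_field() {
    awk -F' : ' -v key="$1" \
        '{ k = $1; sub(/[ \t]+$/, "", k) } k == key { print $2; exit }'
}

# check_qemu: read `pacman -Qi qemu` output on stdin and print a verdict.
check_qemu() {
    ver=$(pkg_field Version)
    if [ -z "$ver" ]; then echo "qemu: no Version field found"; return 1; fi
    echo "qemu $ver: $(qemu_status "$ver")"
}

# Constructed sample: the version is a made-up pre-fix value, the build date
# is the one quoted in the thread.
SAMPLE='Name            : qemu
Version         : 2.2.1-4
Build Date      : Mo 13 Apr 2015 23:27:05 CEST'

printf '%s\n' "$SAMPLE" | check_qemu
# On an Arch host: LC_ALL=C pacman -Qi qemu | check_qemu
```

After upgrading, running qemu processes keep the old code mapped until the guests are restarted, so the package version alone does not confirm a running VM is patched.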