- CVE-2015-5154
  http://www.vuxml.org/freebsd/da451130-365d-11e5-a4a5-002590263bf5.html
  - Addressed upstream: https://github.com/qemu/qemu/commit/e40db4c6d391419c0039fe274c74df32a6ca1a28
- CVE-2015-5166
  http://www.vuxml.org/freebsd/da451130-365d-11e5-a4a5-002590263bf5.html
  - Addressed upstream: https://github.com/qemu/qemu/commit/260425ab405ea76c44dd59744d05176d4f579a52
- CVE-2015-5165
  http://www.vuxml.org/freebsd/f06f20dc-4347-11e5-93ad-002590263bf5.html
  - Addressed upstream: https://github.com/qemu/qemu/commit/2a3612ccc1fa9cea77bd193afbfe21c77e7e91ef


This work is related to QEMU issues that the Xen Project released security advisories for in bug 201931:
Issue: http://xenbits.xen.org/xsa/advisory-138.html
Fixed: https://svnweb.freebsd.org/changeset/ports/393514
Issue: http://xenbits.xen.org/xsa/advisory-139.html
Issue: http://xenbits.xen.org/xsa/advisory-140.html
Fixed: https://svnweb.freebsd.org/changeset/ports/394506

emulators/qemu-sbruno was updated to 2.4.0 at svn rev 394418. This pull includes all three referenced commits: https://github.com/seanbruno/qemu-bsd-user/tree/bsd-user
Created attachment 160003: security/vuxml update for qemu. Extend the QEMU related xen-tools CVEs to include the qemu-* ports
(In reply to Sean Bruno from comment #2) vuxml will document 2.4.50.g20150814 as being fixed and qemu and qemu-devel as being vulnerable.

Created attachment 160004: security/vuxml update for qemu
* revise to use URL reference to QEMU git and mention QEMU in topic
* Extend the QEMU related xen-tools CVEs to include the qemu-* ports


A commit references this bug:

Author: junovitch
Date: Wed Aug 19 22:06:18 UTC 2015
New revision: 394816
URL: https://svnweb.freebsd.org/changeset/ports/394816

Log:
  Extend recent QEMU related xen-tools CVEs to include the qemu-* ports

  PR: 202402
  Security: CVE-2015-5154
  Security: CVE-2015-5165
  Security: CVE-2015-5166
  Security: da451130-365d-11e5-a4a5-002590263bf5
  Security: f06f20dc-4347-11e5-93ad-002590263bf5
  Security: ee99899d-4347-11e5-93ad-002590263bf5
  Approved by: feld (mentor)

Changes:
  head/security/vuxml/vuln.xml

I've fired off an update to emulators/qemu to bring the port up to 2.4.0. Is this sufficient?

Set merge-quarterly? Approved by ports-secteam for MFH of the following security updates (plus a build fix)?

emulators/qemu-devel
https://svnweb.FreeBSD.org/changeset/ports/395861

emulators/qemu-sbruno
https://svnweb.FreeBSD.org/changeset/ports/394418
https://svnweb.FreeBSD.org/changeset/ports/395787

Note I've validated earlier commits on qemu-sbruno are superseded by r394418 and not needed for MFH.

(In reply to Sean Bruno from comment #7) Sean, with emulators/qemu-devel at 2.4.0 we are covered there but what should we do for the legacy emulators/qemu port? This is required because of the reason mentioned at https://wiki.FreeBSD.org/qemu, correct? "Note: If you want to use the KQEMU accelerator you need to use the old /usr/ports/emulators/qemu port instead and enable its KQEMU knob (otherwise qemu is much slower), this installs /usr/ports/emulators/kqemu-kmod-devel as a dependency and(!) builds kqemu support into the port. The qemu-devel port no longer supports kqemu (support was removed upstream.)"

Tag depends on bug 202864. r395861 for emulators/qemu-devel is not enough as it does not compile (patch failure) as is and still fails build after resolving it.

(In reply to Jason Unovitch from comment #8)
> emulators/qemu-devel
> https://svnweb.FreeBSD.org/changeset/ports/395861

I retract the request for quarterly MFH until the build issues in bug 202864 can be resolved.


A commit references this bug:

Author: sbruno
Date: Thu Sep 3 17:39:42 UTC 2015
New revision: 396024
URL: https://svnweb.freebsd.org/changeset/ports/396024

Log:
  Build fixes for 2.4.0
  - regenerate patch-pcap
  - Escape --extra-ldflags as it looks like the qemu builder is eating spaces
    or lines making it frustrating to use.

  PR: 202402 202536 202864

Changes:
  head/emulators/qemu-devel/Makefile
  head/emulators/qemu-devel/files/pcap-patch


Created attachment 160724: emulators/qemu-sbruno 2015Q3 build with r394418 r395787 r396026

Build tested on:
9.3-RELEASE-p24 amd64
9.3-RELEASE-p24 i386
10.1-RELEASE-p19 amd64
10.1-RELEASE-p19 i386
10.2-RELEASE-p2 amd64
10.2-RELEASE-p2 i386
11.0-CURRENTr286886 amd64
11.0-CURRENTr286888 i386


Created attachment 160725: emulators/qemu-devel 2015Q3 build with r395861 and r396024

Build tested on:
9.3-RELEASE-p24 amd64
9.3-RELEASE-p24 i386
10.1-RELEASE-p19 amd64
10.1-RELEASE-p19 i386
10.2-RELEASE-p2 amd64
10.2-RELEASE-p2 i386
11.0-CURRENTr286886 amd64
11.0-CURRENTr286888 i386


A commit references this bug:

Author: junovitch
Date: Fri Sep 4 17:24:38 UTC 2015
New revision: 396122
URL: https://svnweb.freebsd.org/changeset/ports/396122

Log:
  MFH: r395861 r396024 r394418 r395787 r396026

  r395861
  QEMU update to 2.4.0
  - remove patch files accepted and merge upstream
  - Add new vgabios-virtio

  r396024
  Build fixes for 2.4.0
  - regenerate patch-pcap
  - Escape --extra-ldflags as it looks like the qemu builder is eating spaces
    or lines making it frustrating to use.

  PR: 202402 202536 202864

  r394418
  Update qemu-sbruno to track bsd-user branch on github.

  I *am* the upstream of this port and maintainer notified developers on
  07/17/15 to update his ports while he is AFK.

  Sync's to pre-release 2.4.0

  Differential Revision: https://reviews.freebsd.org/D3385

  r395787
  Build fix:
  - Remove etc/qemu/target-x86_64.conf.sample dropped by upstream
  - Add vgabios-virtio.bin

  r396026
  Fix Makefile so that those who want to use this port directly can still build.

  PR: 202536

  PR: 202402
  Security: CVE-2015-5154
  Security: CVE-2015-5165
  Security: CVE-2015-5166
  Security: da451130-365d-11e5-a4a5-002590263bf5
  Security: f06f20dc-4347-11e5-93ad-002590263bf5
  Security: ee99899d-4347-11e5-93ad-002590263bf5
  Approved by: ports-secteam (feld), feld (mentor)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/emulators/qemu-devel/Makefile
  branches/2015Q3/emulators/qemu-devel/distinfo
  branches/2015Q3/emulators/qemu-devel/files/patch-90_security
  branches/2015Q3/emulators/qemu-devel/files/patch-CVE-2015-3209
  branches/2015Q3/emulators/qemu-devel/files/patch-CVE-2015-3456
  branches/2015Q3/emulators/qemu-devel/files/patch-include-qemu-aes.h
  branches/2015Q3/emulators/qemu-devel/files/patch-tapclose
  branches/2015Q3/emulators/qemu-devel/files/pcap-patch
  branches/2015Q3/emulators/qemu-devel/pkg-plist
  branches/2015Q3/emulators/qemu-sbruno/Makefile
  branches/2015Q3/emulators/qemu-sbruno/distinfo
  branches/2015Q3/emulators/qemu-sbruno/files/patch-CVE-2015-3209
  branches/2015Q3/emulators/qemu-sbruno/files/patch-include-qemu-aes.h
  branches/2015Q3/emulators/qemu-sbruno/pkg-plist

(In reply to Sean Bruno from comment #7) Sean, that last item left would be what to do with emulators/qemu now that emulators/qemu-devel|qemu-sbruno have been fixed and MFH'd. Any suggestions?
(In reply to Jason Unovitch from comment #16) If we were voting, I'd delete emulators/qemu and move emulators/qemu-devel into its place. But, there are features in the old and crusty qemu that people still use that are incompatible with upstream qemu. I'd like to defer to Juergen in this matter before taking any action.
This may be irrelevant now. New maintainer has updated emulators/qemu to the stable release. I'm about to update qemu-sbruno to the 2.5.0 branch.
(In reply to Sean Bruno from comment #18) Thanks. After the qemu-sbruno port update I'll dig through QEMU changelogs and ensure we are all caught up on VuXML entries and close the related PRs afterwards.
Take PR to finish any VuXML documentation. Unfortunately I am not finding a "security advisory" page like most projects have so I am digging through changelogs to reflect the correct fixed version. Muhammad and Sean, I appreciate you catching the ports up. If I see any outstanding issues after getting all the issues documented I'll pass on a heads up.

We are effectively caught up on any VuXML related documentation with the following three commits:
https://svnweb.FreeBSD.org/changeset/ports/405035
https://svnweb.FreeBSD.org/changeset/ports/405069
https://svnweb.FreeBSD.org/changeset/ports/405110

Closing this PR now. All the issues reported since this PR are documented in bug 205813 and bug 205813.