The following patches are needed (unapplied upstream):

CVE-2015-8345 - https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html
CVE-2015-8567/CVE-2015-8568 - https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html
CVE-2015-8613 - https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg03737.html
CVE-2015-8619 - https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02930.html
CVE-2015-8701 - https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04629.html

The following patches are applied upstream in the master branch but not yet in a release:

CVE-2015-8558 - http://git.qemu.org/?p=qemu.git;a=commit;h=156a2e4dbffa85997636a7a39ef12da6f1b40254
A commit references this bug:

Author: junovitch
Date: Sun Jan 3 02:25:00 UTC 2016
New revision: 405110
URL: https://svnweb.freebsd.org/changeset/ports/405110

Log:
  Document recent QEMU denial of service vulnerabilities

  PR: 205813
  PR: 205814
  Security: CVE-2015-8701
  Security: CVE-2015-8666
  Security: CVE-2015-8619
  Security: CVE-2015-8613
  Security: CVE-2015-8567
  Security: CVE-2015-8568
  Security: CVE-2015-8558
  Security: CVE-2015-7549
  Security: CVE-2015-8504
  Security: CVE-2015-7504
  Security: CVE-2015-7512
  Security: CVE-2015-8345
  Security: https://vuxml.FreeBSD.org/freebsd/1384f2fd-b1be-11e5-9728-002590263bf5.html
  Security: https://vuxml.FreeBSD.org/freebsd/152acff3-b1bd-11e5-9728-002590263bf5.html
  Security: https://vuxml.FreeBSD.org/freebsd/62ab8707-b1bc-11e5-9728-002590263bf5.html
  Security: https://vuxml.FreeBSD.org/freebsd/b3f9f8ef-b1bb-11e5-9728-002590263bf5.html
  Security: https://vuxml.FreeBSD.org/freebsd/9ad8993e-b1ba-11e5-9728-002590263bf5.html
  Security: https://vuxml.FreeBSD.org/freebsd/60cb2055-b1b8-11e5-9728-002590263bf5.html
  Security: https://vuxml.FreeBSD.org/freebsd/3fb06284-b1b7-11e5-9728-002590263bf5.html
  Security: https://vuxml.FreeBSD.org/freebsd/67feba97-b1b5-11e5-9728-002590263bf5.html
  Security: https://vuxml.FreeBSD.org/freebsd/405446f4-b1b3-11e5-9728-002590263bf5.html
  Security: https://vuxml.FreeBSD.org/freebsd/b56fe6bb-b1b1-11e5-9728-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
PR:
- Add sbruno@ as a courtesy CC... I'm unsure what level these ports are going to be kept in sync in the future.
- Add security tag and add ports-secteam to CC
- Add merge-quarterly? as there will be something to MFH

Comments:
emulators/qemu will have to be updated to 2.5.0 to fix several of the recent issues. After that, most of these have hit upstream at this time. One of them is in master but not in any release. It will probably be in 2.5.1. I'm unsure how you want to proceed but we just have everything documented as reported so all we'll have to do is fix the version numbers documented in VuXML when we roll out a fix.
(In reply to Jason Unovitch from comment #2) 2.5.* is not yet in STABLE release so it will go to current stable 2.4.1 and current devel 2.5.0.
qemu version is at 2.9.0. I think this is overcome by events.
I'm going to close this now as we have updated all of the related qemu ports to versions that have all the associated patches.