From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:39587)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mdroth@linux.vnet.ibm.com>) id 1ZeX6y-0004Ex-7k
	for qemu-devel@nongnu.org; Tue, 22 Sep 2015 19:36:37 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mdroth@linux.vnet.ibm.com>) id 1ZeX6v-0002zX-13
	for qemu-devel@nongnu.org; Tue, 22 Sep 2015 19:36:36 -0400
Received: from e18.ny.us.ibm.com ([129.33.205.208]:60505)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mdroth@linux.vnet.ibm.com>) id 1ZeX6u-0002yo-S8
	for qemu-devel@nongnu.org; Tue, 22 Sep 2015 19:36:32 -0400
Received: from localhost
	by e18.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only!
	Violators will be prosecuted
	for <qemu-devel@nongnu.org> from <mdroth@linux.vnet.ibm.com>;
	Tue, 22 Sep 2015 19:36:31 -0400
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
From: Michael Roth <mdroth@linux.vnet.ibm.com>
Message-ID: <20150922233623.23011.2440@loki>
Date: Tue, 22 Sep 2015 18:36:23 -0500
Subject: [Qemu-devel] [ANNOUNCE] QEMU 2.4.0.1 CVE update released
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org

Hi everyone,

As part of recent planning around stable releases discussed during
KVM Forum, I'm releasing the first of what will be regular (hopefully
not *too* regular) CVE-only stable updates. These updates are
intended to reduce the gap between vulnerability disclosures and
patched/packaged releases.

You can grab the latest release here:

  http://wiki.qemu.org/download/qemu-2.4.0.1.tar.bz2

Please see the changelog for CVE numbers/details. Users are
encouraged to update as soon as possible.

v2.4.0.1 is now tagged in the official qemu.git repository,
and the stable-2.4 branch has been updated accordingly:

  http://git.qemu.org/?p=3Dqemu.git;a=3Dshortlog;h=3Drefs/heads/stable-2.4

These CVE-only releases are produced as-needed and are on no set
release schedule.

Full stable releases are still tentatively planned to continue as they
(mostly) have in the past: 1 mid-cycle stable update, and 1 stable update
at the end of each release cycle, with freeze dates announced in advance
to pull together important fixes. v2.4.1 is currently planned for
2015-10-20:

  http://wiki.qemu.org/Planning/2.4

Thank you to everyone involved!

CHANGELOG:

83c92b4: Update version for 2.4.0.1 release (Michael Roth)
5a1ccdf: net: avoid infinite loop when receiving packets(CVE-2015-5278) (P =
J P)
7aa2bca: net: add checks to validate ring buffer pointers(CVE-2015-5279) (P=
 J P)
3a56af1: e1000: Avoid infinite loop in processing transmit descriptor (CVE-=
2015-6815) (P J P)
efec4dc: vnc: fix memory corruption (CVE-2015-5225) (Gerd Hoffmann)