[Qemu-devel] [ANNOUNCE] QEMU 1.5.2 Stable released

[Qemu-devel] [ANNOUNCE] QEMU 1.5.2 Stable released

[Michael Roth]

The QEMU v1.5.2 stable release is now available at:

  http://wiki.qemu.org/download/qemu-1.5.2.tar.bz2

This is release is solely to address a security issue (CVE-2013-2231) found
in the QEMU Guest Agent on Windows. More details on the nature of the CVE
can be found here:

http://seclists.org/oss-sec/2013/q3/161

There are 2 minor fixes for qemu-ga for Windows as well, though these are
included mainly due to being dependencies of the CVE fix sent upstream.

Thanks to Laszlo and the Red Hat security team for identifying/fixing the
issue.

ff4be47: Update VERSION for 1.5.2 release (Michael Roth)
be161ae: qga: escape cmdline args when registering win32 service (CVE-2013-2231) (Laszlo Ersek)
bb31546: ga_install_service(): nest error paths more idiomatically (Laszlo Ersek)
af0bbf8: qga/service-win32.c: diagnostic output should go to stderr (Laszlo Ersek)
31c6ed2: qga: save state directory in ga_install_service() (Laszlo Ersek)
c432c7d: qga: remove undefined behavior in ga_install_service() (Laszlo Ersek)

Re: [Qemu-devel] [ANNOUNCE] QEMU 1.5.2 Stable released

[Laszlo Ersek]

On 07/25/13 23:44, Michael Roth wrote:
> The QEMU v1.5.2 stable release is now available at:
> 
>   http://wiki.qemu.org/download/qemu-1.5.2.tar.bz2
> 
> This is release is solely to address a security issue (CVE-2013-2231) found
> in the QEMU Guest Agent on Windows. More details on the nature of the CVE
> can be found here:
> 
> http://seclists.org/oss-sec/2013/q3/161
> 
> There are 2 minor fixes for qemu-ga for Windows as well, though these are
> included mainly due to being dependencies of the CVE fix sent upstream.
> 
> Thanks to Laszlo and the Red Hat security team for identifying/fixing the
> issue.

For identification and analysis Lev Veyde @ RH takes the credit.

Thanks,
Laszlo

Re: [Qemu-devel] [ANNOUNCE] QEMU 1.5.2 Stable released

[Daniel P. Berrange]

On Thu, Jul 25, 2013 at 04:44:43PM -0500, Michael Roth wrote:
> The QEMU v1.5.2 stable release is now available at:
> 
>   http://wiki.qemu.org/download/qemu-1.5.2.tar.bz2
> 
> This is release is solely to address a security issue (CVE-2013-2231) found
> in the QEMU Guest Agent on Windows. More details on the nature of the CVE
> can be found here:

It is fairly common to include the CVE number in the commit message subject
line as in this case, but sometimes people only put them in the body, or even
forgot completely. Other times you might not even realize the bug fixed was a
CVE until well after the commit is pushed to master.

So for libvirt we just started a policy of creating named tags for every
CVE fix [1], so you can just do  'git show CVE-2013-2231' and identify
the patch which fixed the issue. I mention this in case QEMU maintainers
think it might be a useful policy/approach for QEMU's GIT too.

Regards,
Daniel

[1] And retroactively tagged all previous fixes.
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

Re: [Qemu-devel] [ANNOUNCE] QEMU 1.5.2 Stable released

[Miroslav Rezanina]

Hi Michael,
how this affect 1.5 schedule?? Is the date mentioned on http://wiki.qemu.org/Planning/1.5 still valid (just increase
the build number)?

Mirek Rezanina

----- Original Message -----
> From: "Michael Roth" <mdroth@linux.vnet.ibm.com>
> To: qemu-devel@nongnu.org
> Cc: pmatouse@redhat.com, aliguori@us.ibm.com, lersek@redhat.com, qemu-stable@nongnu.org, lveyde@redhat.com
> Sent: Thursday, July 25, 2013 11:44:43 PM
> Subject: [Qemu-devel] [ANNOUNCE] QEMU 1.5.2 Stable released
> 
> The QEMU v1.5.2 stable release is now available at:
> 
>   http://wiki.qemu.org/download/qemu-1.5.2.tar.bz2
> 
> This is release is solely to address a security issue (CVE-2013-2231) found
> in the QEMU Guest Agent on Windows. More details on the nature of the CVE
> can be found here:
> 
> http://seclists.org/oss-sec/2013/q3/161
> 
> There are 2 minor fixes for qemu-ga for Windows as well, though these are
> included mainly due to being dependencies of the CVE fix sent upstream.
> 
> Thanks to Laszlo and the Red Hat security team for identifying/fixing the
> issue.
> 
> ff4be47: Update VERSION for 1.5.2 release (Michael Roth)
> be161ae: qga: escape cmdline args when registering win32 service
> (CVE-2013-2231) (Laszlo Ersek)
> bb31546: ga_install_service(): nest error paths more idiomatically (Laszlo
> Ersek)
> af0bbf8: qga/service-win32.c: diagnostic output should go to stderr (Laszlo
> Ersek)
> 31c6ed2: qga: save state directory in ga_install_service() (Laszlo Ersek)
> c432c7d: qga: remove undefined behavior in ga_install_service() (Laszlo
> Ersek)
> 
> 

-- 
Miroslav Rezanina
Software Engineer - Virtualization Team

Re: [Qemu-devel] [ANNOUNCE] QEMU 1.5.2 Stable released

[Michael Roth]

On Wed, Jul 31, 2013 at 9:19 AM, Miroslav Rezanina <mrezanin@redhat.com> wrote:
> Hi Michael,
> how this affect 1.5 schedule?? Is the date mentioned on http://wiki.qemu.org/Planning/1.5 still valid (just increase
> the build number)?

Yup, 1.5.3 will be released according to original 1.5.2 schedule. I've
gone ahead and updated the release schedule on the wiki:

http://wiki.qemu.org/Planning/1.5

>
> Mirek Rezanina
>
> ----- Original Message -----
>> From: "Michael Roth" <mdroth@linux.vnet.ibm.com>
>> To: qemu-devel@nongnu.org
>> Cc: pmatouse@redhat.com, aliguori@us.ibm.com, lersek@redhat.com, qemu-stable@nongnu.org, lveyde@redhat.com
>> Sent: Thursday, July 25, 2013 11:44:43 PM
>> Subject: [Qemu-devel] [ANNOUNCE] QEMU 1.5.2 Stable released
>>
>> The QEMU v1.5.2 stable release is now available at:
>>
>>   http://wiki.qemu.org/download/qemu-1.5.2.tar.bz2
>>
>> This is release is solely to address a security issue (CVE-2013-2231) found
>> in the QEMU Guest Agent on Windows. More details on the nature of the CVE
>> can be found here:
>>
>> http://seclists.org/oss-sec/2013/q3/161
>>
>> There are 2 minor fixes for qemu-ga for Windows as well, though these are
>> included mainly due to being dependencies of the CVE fix sent upstream.
>>
>> Thanks to Laszlo and the Red Hat security team for identifying/fixing the
>> issue.
>>
>> ff4be47: Update VERSION for 1.5.2 release (Michael Roth)
>> be161ae: qga: escape cmdline args when registering win32 service
>> (CVE-2013-2231) (Laszlo Ersek)
>> bb31546: ga_install_service(): nest error paths more idiomatically (Laszlo
>> Ersek)
>> af0bbf8: qga/service-win32.c: diagnostic output should go to stderr (Laszlo
>> Ersek)
>> 31c6ed2: qga: save state directory in ga_install_service() (Laszlo Ersek)
>> c432c7d: qga: remove undefined behavior in ga_install_service() (Laszlo
>> Ersek)
>>
>>
>
> --
> Miroslav Rezanina
> Software Engineer - Virtualization Team
>