[El-errata] ELSA-2018-4285 Important: Oracle Linux 7 qemu security update (aarch64)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Tue Nov 20 17:47:56 PST 2018


Oracle Linux Security Advisory ELSA-2018-4285

http://linux.oracle.com/errata/ELSA-2018-4285.html

The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:

aarch64:
ivshmem-tools-3.0.0-1.el7.aarch64.rpm
qemu-3.0.0-1.el7.aarch64.rpm
qemu-block-gluster-3.0.0-1.el7.aarch64.rpm
qemu-block-iscsi-3.0.0-1.el7.aarch64.rpm
qemu-block-rbd-3.0.0-1.el7.aarch64.rpm
qemu-common-3.0.0-1.el7.aarch64.rpm
qemu-img-3.0.0-1.el7.aarch64.rpm
qemu-kvm-3.0.0-1.el7.aarch64.rpm
qemu-kvm-core-3.0.0-1.el7.aarch64.rpm
qemu-system-aarch64-3.0.0-1.el7.aarch64.rpm
qemu-system-aarch64-core-3.0.0-1.el7.aarch64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/qemu-3.0.0-1.el7.src.rpm



Description of changes:

[15:3.0.0-1.el7]
- net: ignore packet size greater than INT_MAX (Jason Wang)  [Orabug: 
28763782]  {CVE-2018-17963}
- pcnet: fix possible buffer overflow (Jason Wang)  [Orabug: 28763774] 
{CVE-2018-17962}
- rtl8139: fix possible out of bound access (Jason Wang)  [Orabug: 
28763765]  {CVE-2018-17958}
- ne2000: fix possible out of bound access in ne2000_receive (Jason 
Wang)  [Orabug: 28763758]  {CVE-2018-10839}
- seccomp: set the seccomp filter to all threads (Marc-André Lureau) 
[Orabug: 28763748]  {CVE-2018-15746}
- virtio_net: Introduce VIRTIO_NET_F_STANDBY feature bit to virtio_net 
(Sridhar Samudrala)  [Orabug: 28763724]
- kvm: add call to qemu_add_opts() for -overcommit option (Prasad Singamsetty)
- Document various CVEs as fixed (Mark Kanda)  [Orabug: 28763710]
{CVE-2017-10806} {CVE-2017-11334} {CVE-2017-12809}
{CVE-2017-13672} {CVE-2017-13673} {CVE-2017-13711} {CVE-2017-14167}
{CVE-2017-15038} {CVE-2017-15119} {CVE-2017-15124} {CVE-2017-15268}
{CVE-2017-15289} {CVE-2017-16845} {CVE-2017-17381} {CVE-2017-18030}
{CVE-2017-18043} {CVE-2017-2630} {CVE-2017-2633} {CVE-2017-5715}
{CVE-2017-5753} {CVE-2017-5754} {CVE-2017-7471} {CVE-2017-7493}
{CVE-2017-8112} {CVE-2017-8309} {CVE-2017-8379} {CVE-2017-8380}
{CVE-2017-9503} {CVE-2018-11806} {CVE-2018-12617} {CVE-2018-3639}
{CVE-2018-5683} {CVE-2018-7550} {CVE-2018-7858}
- qemu.spec: Initial qemu.spec (Mark Kanda)
- virtio-pci: Set subsystem vendor ID to Oracle (Mark Kanda)
- qemu_regdump.py: Initial qemu_regdump.py (Mark Kanda)
- qmp-regdump: Initial qmp-regdump (Mark Kanda)
- bridge.conf: Initial bridge.conf (Mark Kanda)
- kvm.conf: Initial kvm.conf (Mark Kanda)
- 80-kvm.rules: Initial 80-kvm.rules (Mark Kanda)
- Update version for v3.0.0 release (Peter Maydell)
- Update version for v3.0.0-rc4 release (Peter Maydell)
- virtio-gpu: fix crashes upon warm reboot with vga mode (Marc-André Lureau)
- slirp: Correct size check in m_inc() (Peter Maydell)
- target/xtensa/cpu: Set owner of memory region in xtensa_cpu_initfn (Thomas Huth)
- hw/intc/arm_gicv3_common: Move gicd shift bug handling to gicv3_post_load (Peter Maydell)
- hw/intc/arm_gicv3_common: Move post_load hooks to top-level VMSD (Peter Maydell)
- target/arm: Add dummy needed functions to M profile vmstate subsections (Peter Maydell)
- hw/intc/arm_gicv3_common: Combine duplicate .subsections in vmstate_gicv3_cpu (Peter Maydell)
- hw/intc/arm_gicv3_common: Give no-migration-shift-bug subsection a needed function (Peter Maydell)
- tcg/optimize: Do not skip default processing of dup_vec (Richard Henderson)
- tests/acpi: update tables after memory hotplug changes (Michael S. Tsirkin)
- pc: acpi: fix memory hotplug regression by reducing stub SRAT entry size (Igor Mammedov)
- tests/acpi-test: update ACPI tables test blobs (Dou Liyang)
- hw/acpi-build: Add a check for memory-less NUMA nodes (Dou Liyang)
- vhost: check region type before casting (Tiwei Bie)
- sam460ex: Fix PCI interrupts with multiple devices (BALATON Zoltan)
- hw/misc/macio: Fix device introspection problems in macio devices (Thomas Huth)
- Update version for v3.0.0-rc3 release (Peter Maydell)
- monitor: temporary fix for dead-lock on event recursion (Marc-André Lureau)
- linux-user: ppc64: don't use volatile register during safe_syscall (Shivaprasad G Bhat)
- tests: add check_invalid_maps to test-mmap (Alex Bennée)
- linux-user/mmap.c: handle invalid len maps correctly (Alex Bennée)
- s390x/sclp: fix maxram calculation (Christian Borntraeger)
- target/arm: Remove duplicate 'host' entry in '-cpu ?' output (Philippe Mathieu-Daudé)
- hw/misc/tz-mpc: Zero the LUT on initialization, not just reset (Peter Maydell)
- hw/arm/iotkit: Fix IRQ number for timer1 (Peter Maydell)
- armv7m_nvic: Fix m-security subsection name (Peter Maydell)
- hw/arm/sysbus-fdt: Fix assertion in copy_properties_from_host() (Geert Uytterhoeven)
- arm/smmuv3: Fix missing VMSD terminator (Dr. David Alan Gilbert)
- qemu-iotests: Test query-blockstats with -drive and -blockdev (Kevin Wolf)
- block/qapi: Include anonymous BBs in query-blockstats (Kevin Wolf)
- block/qapi: Add 'qdev' field to query-blockstats result (Kevin Wolf)
- file-posix: Fix write_zeroes with unmap on block devices (Kevin Wolf)
- block: Fix documentation for BDRV_REQ_MAY_UNMAP (Kevin Wolf)
- iotests: Add test for 'qemu-img convert -C' compatibility (Fam Zheng)
- qemu-img: Add -C option for convert with copy offloading (Fam Zheng)
- Revert "qemu-img: Document copy offloading implications with -S and -c" (Fam Zheng)
- iotests: Don't lock /dev/null in 226 (Fam Zheng)
- docs: Describe using images in writing iotests (Fam Zheng)
- file-posix: Handle EINTR in preallocation=full write (Fam Zheng)
- qcow2: A grammar fix in conflicting cache sizing error message (Leonid Bloch)
- qcow: fix a reference leak (KONRAD Frederic)
- backends/cryptodev: remove dead code (Jay Zhou)
- timer: remove replay clock probe in deadline calculation (Pavel Dovgalyuk)
- i386: implement MSR_SMI_COUNT for TCG (Paolo Bonzini)
- i386: do not migrate MSR_SMI_COUNT on machine types <2.12 (Paolo Bonzini)
- qstring: Move qstring_from_substr()'s @end one to the right (Markus Armbruster)
- qstring: Assert size calculations don't overflow (Markus Armbruster)
- qstring: Fix qstring_from_substr() not to provoke int overflow (liujunjie)
- Update version for v3.0.0-rc2 release (Peter Maydell)
- tests: fix TLS handshake failure with TLS 1.3 (Daniel P. Berrangé)
- tests: use error_abort in places expecting errors (Daniel P. Berrangé)
- tests: don't silence error reporting for all tests (Daniel P. Berrangé)
- tests: call qcrypto_init instead of gnutls_global_init (Daniel P. Berrangé)
- migration: fix duplicate initialization for expected_downtime and cleanup_bh (Lidong Chen)
- tests: only update last_byte when at the edge (Peter Xu)
- migration: disallow recovery for release-ram (Peter Xu)
- migration: update recv bitmap only on dest vm (Peter Xu)
- audio/hda: Fix migration (Dr. David Alan Gilbert)
- migrate: Fix cancelling state warning (Dr. David Alan Gilbert)
- migration: fix potential overflow in multifd send (Peter Xu)
- block/file-posix: add bdrv_attach_aio_context callback for host dev and cdrom (Nishanth Aravamudan)
- tests/tcg: remove runcom test (Alex Bennée)
- docker: perform basic binfmt_misc validation in docker.py (Alex Bennée)
- docker: ignore distro versioning of debootstrap (Alex Bennée)
- docker: add commentary to debian-bootstrap.docker (Alex Bennée)
- docker: Update debootstrap script after Debian migration from Alioth to Salsa (Philippe Mathieu-Daudé)
- docker: report hint when docker.py check fails (Alex Bennée)
- docker: drop QEMU_TARGET check, fallback in EXECUTABLE not set (Alex Bennée)
- docker: add expansion for docker-test-FOO to Makefile.include (Alex Bennée)
- docker: add test-unit runner (Alex Bennée)
- docker: Makefile.include don't include partial images (Alex Bennée)
- docker: gracefully skip check_qemu (Alex Bennée)
- docker: move make check into check_qemu helper (Alex Bennée)
- docker: split configure_qemu from build_qemu (Alex Bennée)
- docker: fail more gracefully on docker.py check (Alex Bennée)
- docker: par down QEMU_CONFIGURE_OPTS in debian-tricore-cross (Alex Bennée)
- docker: base debian-tricore on qemu:debian9 (Alex Bennée)
- tests/.gitignore: don't ignore docker tests (Alex Bennée)
- target/arm: Escalate to correct HardFault when AIRCR.BFHFNMINS is set (Peter Maydell)
- hw/intc/arm_gicv3: Check correct HCR_EL2 bit when routing IRQ (Peter Maydell)
- ui/cocoa.m: prevent stuck command key when going into full screen mode (John Arbuckle)
- qga: process_event() simplification and leak fix (Marc-André Lureau)
- qga-win: Handle fstrim for OSes lower than Win8 (Sameeh Jubran)
- tcg/i386: Mark xmm registers call-clobbered (Richard Henderson)
- i386: Rename enum CacheType members (Eduardo Habkost)
- block/vvfat: Disable debug message by default (Thomas Huth)
- iotests: Disallow compat=0.10 in 223 (Max Reitz)
- iotest: Fix filtering order in 226 (Max Reitz)
- iotests: remove LUKS support from test 226 (John Snow)
- qemu-img: avoid overflow of min_sparse parameter (Peter Lieven)
- block: Fix typos in comments (found by codespell) (Stefan Weil)
- qemu-iotests: Use host_device instead of file in 149 (Kevin Wolf)
- hw/intc/exynos4210_gic: Turn instance_init into realize function (Thomas Huth)
- hw/arm/spitz: Move problematic nand_init() code to realize function (Thomas Huth)
- target/arm: Correctly handle overlapping small MPU regions (Peter Maydell)
- hw/sd/bcm2835_sdhost: Fix PIO mode writes (Guenter Roeck)
- hw/microblaze/xlnx-zynqmp-pmu: Fix introspection problem in 'xlnx, zynqmp-pmu-soc' (Thomas Huth)
- monitor: Fix unsafe sharing of @cur_mon among threads (Peter Xu)
- qapi: Make 'allow-oob' optional in SchemaInfoCommand (Markus Armbruster)
- po: Don't include comments with location (Stefan Weil)
- linux-user/ppc: Implement swapcontext syscall (Richard Henderson)
- linux-user: fix ELF load alignment error (Laurent Vivier)
- tap: fix memory leak on success to create a tap device (Yunjian Wang)
- e1000e: Prevent MSI/MSI-X storms (Jan Kiszka)
- tcg/aarch64: limit mul_vec size (Alex Bennée)
- spike: Fix crash when introspecting the device (Alistair Francis)
- riscv_hart: Fix crash when introspecting the device (Alistair Francis)
- virt: Fix crash when introspecting the device (Alistair Francis)
- sifive_u: Fix crash when introspecting the device (Alistair Francis)
- sifive_e: Fix crash when introspecting the device (Alistair Francis)
- tracing: Use double-dash spelling for trace option (Yaowei Bai)
- throttle-groups: fix hang when group member leaves (Stefan Hajnoczi)
- s390x/cpumodel: fix segmentation fault when baselining models (David Hildenbrand)
- Update version for v3.0.0-rc1 release (Peter Maydell)
- Document command line options with single dash (BALATON Zoltan)
- opts: remove redundant check for NULL parameter (Daniel P. Berrangé)
- i386: only parse the initrd_filename once for multiboot modules (Daniel P. Berrangé)
- i386: fix regression parsing multiboot initrd modules (Daniel P. Berrangé)
- hw/arm/xlnx-zynqmp: Fix crash when introspecting the "xlnx, zynqmp" device (Thomas Huth)
- hw/display/xlnx_dp: Move problematic code from instance_init to realize (Paolo Bonzini)
- hw/arm/stm32f205_soc: Fix introspection problem with 'stm32f205-soc' device (Thomas Huth)
- hw/arm/allwinner-a10: Fix introspection problem with 'allwinner-a10' (Thomas Huth)
- hw/*/realview: Fix introspection problem with 'realview_mpcore' & 'realview_gic' (Thomas Huth)
- hw/cpu/arm11mpcore: Fix introspection problem with 'arm11mpcore_priv' (Thomas Huth)
- hw/arm/fsl-imx31: Fix introspection problem with the "fsl, imx31" device (Thomas Huth)
- hw/arm/fsl-imx25: Fix introspection problem with the "fsl, imx25" device (Thomas Huth)
- hw/arm/fsl-imx7: Fix introspection problems with the "fsl, imx7" device (Thomas Huth)
- hw/arm/fsl-imx6: Fix introspection problems with the "fsl, imx6" device (Thomas Huth)
- hw/cpu/a9mpcore: Fix introspection problems with the "a9mpcore_priv" device (Thomas Huth)
- hw/arm/msf2-soc: Fix introspection problem with the "msf2-soc" device (Thomas Huth)
- hw/cpu/a15mpcore: Fix introspection problem with the a15mpcore_priv device (Thomas Huth)
- hw/arm/armv7: Fix crash when introspecting the "iotkit" device (Thomas Huth)
- hw/arm/bcm2836: Fix crash with device_add bcm2837 on unsupported machines (Thomas Huth)
- hw/core/sysbus: Add a function for creating and attaching an object (Thomas Huth)
- qom/object: Add a new function object_initialize_child() (Thomas Huth)
- qga: fix file descriptor leak (Paolo Bonzini)
- qga: fix 'driver' leak in guest-get-fsinfo (Marc-André Lureau)
- accel/tcg: Assert that tlb fill gave us a valid TLB entry (Peter Maydell)
- accel/tcg: Use correct test when looking in victim TLB for code (Peter Maydell)
- bcm2835_aux: Swap RX and TX interrupt assignments (Guenter Roeck)
- hw/arm/bcm2836: Mark the bcm2836 / bcm2837 devices with user_creatable = false (Thomas Huth)
- hw/intc/arm_gic: Fix handling of GICD_ITARGETSR (Peter Maydell)
- hw/intc/arm_gic: Check interrupt number in gic_deactivate_irq() (Peter Maydell)
- aspeed: Implement write-1-{set, clear} for AST2500 strapping (Andrew Jeffery)
- target/arm: Fix LD1W and LDFF1W (scalar plus vector) (Richard Henderson)
- virtio-scsi: fix hotplug ->reset() vs event race (Stefan Hajnoczi)
- qdev: add HotplugHandler->post_plug() callback (Stefan Hajnoczi)
- hw/char/serial: retry write if EAGAIN (Marc-André Lureau)
- PC Chipset: Improve serial divisor calculation (Calvin Lee)
- vhost-user-test: added proper TestServer *dest initialization in test_migrate() (Emanuele Giuseppe Esposito)
- hyperv: ensure VP index equal to QEMU cpu_index (Roman Kagan)
- hyperv: rename vcpu_id to vp_index (Roman Kagan)
- accel: Fix typo and grammar in comment (Stefan Weil)
- dump: add kernel_gs_base to QEMU CPU state (Viktor Prutyanov)
- monitor: Fix tracepoint crash on JSON syntax error (Markus Armbruster)
- MAINTAINERS: New section "Incompatible changes", copy libvir-list (Markus Armbruster)
- qemu-doc: Move appendix "Deprecated features" to its own file (Markus Armbruster)
- cli qmp: Mark --preconfig, exit-preconfig experimental (Markus Armbruster)
- qapi: Do not expose "allow-preconfig" in query-qmp-schema (Markus Armbruster)
- sm501: Fix warning about unreachable code (BALATON Zoltan)
- sam460ex: Correct use after free error (BALATON Zoltan)
- etsec: fix IRQ (un)masking (Michael Davidsaver)
- ppc/xics: fix ICP reset path (Greg Kurz)
- spapr: Correct inverted test in spapr_pc_dimm_node() (David Gibson)
- sm501: Update screen on frame buffer address change (BALATON Zoltan)
- Zero out the host's `msg_control` buffer (Jonas Schievink)
- linux-user: fix mmap_find_vma_reserved() (Laurent Vivier)
- linux-user: convert remaining fcntl() to safe_fcntl() (Laurent Vivier)
- linux-user: ppc64: use the correct values for F_*LK64s (Shivaprasad G Bhat)
- docs: Grammar and spelling fixes (Ville Skyttä)
- qemu-img: align result of is_allocated_sectors (Peter Lieven)
- scsi-disk: Block Device Characteristics emulation fix (Daniel Henrique Barboza)
- iotests: add test 226 for file driver types (John Snow)
- file-posix: specify expected filetypes (John Snow)
- iotests: nbd: Stop qemu-nbd before remaking image (Fam Zheng)
- iotests: 153: Fix dead code (Fam Zheng)
- ui/cocoa.m: replace scrollingDeltaY with deltaY (John Arbuckle)
- seccomp: allow sched_setscheduler() with SCHED_IDLE policy (Marc-André Lureau)
- vfio/pci: do not set the PCIDevice 'has_rom' attribute (Cédric Le Goater)
- monitor: fix double-free of request error (Marc-André Lureau)
- error: Remove NULL checks on error_propagate() calls (Philippe Mathieu-Daudé)
- s390x/storage attributes: fix CMMA_BLOCK_SIZE usage (Claudio Imbrenda)

[12:2.11.1-2.el7]
- hw/acpi-build: build SRAT memory affinity structures for DIMM devices 
(Haozhong Zhang)  [Orabug: 27509753]
- qmp: distinguish PC-DIMM and NVDIMM in MemoryDeviceInfoList (Haozhong 
Zhang)  [Orabug: 27509753]
- pc-dimm: make qmp_pc_dimm_device_list() sort devices by address 
(Haozhong Zhang)  [Orabug: 27509753]
- nvdimm: add a macro for property "label-size" (Haozhong Zhang) 
[Orabug: 27509753]
- nvdimm: add 'unarmed' option (Haozhong Zhang)  [Orabug: 27509753]
- block: Fix NULL dereference on empty drive error (Kevin Wolf) 
[Orabug: 27832106]
- Revert "IDE: Do not flush empty CDROM drives" (Stefan Hajnoczi) 
[Orabug: 27832106]
- block: test blk_aio_flush() with blk->root == NULL (Kevin Wolf) 
[Orabug: 27832106]
- block: add BlockBackend->in_flight counter (Stefan Hajnoczi)  [Orabug: 
27832106]
- block: extract AIO_WAIT_WHILE() from BlockDriverState (Stefan 
Hajnoczi)  [Orabug: 27832106]
- aio: rename aio_context_in_iothread() to in_aio_context_home_thread() 
(Stefan Hajnoczi)  [Orabug: 27832106]
- qemu.spec: Add dependency for libiscsi 1.9.0-8 (Mark Kanda)  [Orabug: 
27832300]
- multiboot.c: Document as fixed against CVE-2018-7550 (Jack Schwartz) 
[Orabug: 27832332]  {CVE-2018-7550}
- CVE-2017-18030: cirrus_invalidate_region() lets priv guest user cause 
DoS (Mark Kanda)  [Orabug: 27832319]  {CVE-2017-18030}
- vga: fix region calculation (Gerd Hoffmann)  [Orabug: 27832309] 
{CVE-2018-7858}
- keymap: use glib hash for kbd_layout_t (Gerd Hoffmann)  [Orabug: 27663795]
- qemu.spec: Enable coroutine pool and vhost-vsock (Karl Heubaum) 
[Orabug: 27832337]

[12:2.11.1-1.el7]
- BUILDINFO: commit=9fc0f70c83d6de5667c45cd1e420a080e75c7d04
- Update qemu.spec version for 2.11.1




