Security update for qemu SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20036-1 Final 1 1 2025-02-03T08:53:00Z current 2025-02-03T08:53:00Z 2025-02-03T08:53:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for qemu This update for qemu fixes the following issues: - Fix bsc#1221812: * block: Reschedule query-block during qcow2 invalidation (bsc#1221812) - Fix bsc#1229007, CVE-2024-7409: * nbd/server: CVE-2024-7409: Close stray clients at server-stop (bsc#1229007) * nbd/server: CVE-2024-7409: Drop non-negotiating clients (bsc#1229007) * nbd/server: CVE-2024-7409: Cap default max-connections to 100 (bsc#1229007) * nbd/server: Plumb in new args to nbd_client_add() (bsc#1229007, CVE-2024-7409) * nbd: Minor style and typo fixes (bsc#1229007, CVE-2024-7409) - Update to version 8.2.6: Full backport lists (from the various releases) here: https://lore.kernel.org/qemu-devel/1721203806.547734.831464.nullmailer@tls.msk.ru/ Some of the upstream backports are: hw/nvme: fix number of PIDs for FDP RUH update sphinx/qapidoc: Fix to generate doc for explicit, unboxed arguments char-stdio: Restore blocking mode of stdout on exit virtio: remove virtio_tswap16s() call in vring_packed_event_read() virtio-pci: Fix the failure process in kvm_virtio_pci_vector_use_one() block: Parse filenames only when explicitly requested iotests/270: Don't store data-file with json: prefix in image iotests/244: Don't store data-file with protocol in image qcow2: Don't open data_file with BDRV_O_NO_IO (bsc#1227322, CVE-2024-4467) target/arm: Fix FJCVTZS vs flush-to-zero target/arm: Fix VCMLA Dd, Dn, Dm[idx] i386/cpu: fixup number of addressable IDs for processor cores in the physical package tests: Update our CI to use CentOS Stream 9 instead of 8 migration: Fix file migration with fdset tcg/loongarch64: Fix tcg_out_movi vs some pcrel pointers target/sparc: use signed denominator in sdiv helper linux-user: Make TARGET_NR_setgroups affect only the current thread accel/tcg: Fix typo causing tb->page_addr[1] to not be recorded stdvga: fix screen blanking hw/audio/virtio-snd: Always use little endian audio format ui/gtk: Draw guest frame at refresh cycle virtio-net: drop too short packets early target/i386: fix size of EBP writeback in gen_enter() The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-60 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520036-1/ Link for SUSE-SU-2025:20036-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021338.html E-Mail link for SUSE-SU-2025:20036-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1221812 SUSE Bug 1221812 https://bugzilla.suse.com/1227322 SUSE Bug 1227322 https://bugzilla.suse.com/1229007 SUSE Bug 1229007 https://www.suse.com/security/cve/CVE-2024-4467/ SUSE CVE CVE-2024-4467 page https://www.suse.com/security/cve/CVE-2024-7409/ SUSE CVE CVE-2024-7409 page SUSE Linux Micro 6.0 qemu-8.2.6-1.1 qemu-accel-tcg-x86-8.2.6-1.1 qemu-arm-8.2.6-1.1 qemu-audio-spice-8.2.6-1.1 qemu-block-curl-8.2.6-1.1 qemu-block-iscsi-8.2.6-1.1 qemu-block-rbd-8.2.6-1.1 qemu-block-ssh-8.2.6-1.1 qemu-chardev-spice-8.2.6-1.1 qemu-guest-agent-8.2.6-1.1 qemu-hw-display-qxl-8.2.6-1.1 qemu-hw-display-virtio-gpu-8.2.6-1.1 qemu-hw-display-virtio-gpu-pci-8.2.6-1.1 qemu-hw-display-virtio-vga-8.2.6-1.1 qemu-hw-usb-host-8.2.6-1.1 qemu-hw-usb-redirect-8.2.6-1.1 qemu-img-8.2.6-1.1 qemu-ipxe-8.2.6-1.1 qemu-ksm-8.2.6-1.1 qemu-lang-8.2.6-1.1 qemu-pr-helper-8.2.6-1.1 qemu-s390x-8.2.6-1.1 qemu-seabios-8.2.61.16.3_3_ga95067eb-1.1 qemu-tools-8.2.6-1.1 qemu-ui-opengl-8.2.6-1.1 qemu-ui-spice-core-8.2.6-1.1 qemu-vgabios-8.2.61.16.3_3_ga95067eb-1.1 qemu-x86-8.2.6-1.1 qemu-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-accel-tcg-x86-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-arm-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-audio-spice-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-block-curl-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-block-iscsi-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-block-rbd-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-block-ssh-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-chardev-spice-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-guest-agent-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-hw-display-qxl-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-hw-display-virtio-gpu-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-hw-display-virtio-gpu-pci-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-hw-display-virtio-vga-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-hw-usb-host-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-hw-usb-redirect-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-img-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-ipxe-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-ksm-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-lang-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-pr-helper-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-s390x-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-seabios-8.2.61.16.3_3_ga95067eb-1.1 as a component of SUSE Linux Micro 6.0 qemu-tools-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-ui-opengl-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-ui-spice-core-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 qemu-vgabios-8.2.61.16.3_3_ga95067eb-1.1 as a component of SUSE Linux Micro 6.0 qemu-x86-8.2.6-1.1 as a component of SUSE Linux Micro 6.0 A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file. CVE-2024-4467 SUSE Linux Micro 6.0:qemu-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-accel-tcg-x86-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-arm-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-audio-spice-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-block-curl-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-block-iscsi-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-block-rbd-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-block-ssh-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-chardev-spice-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-guest-agent-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-hw-display-qxl-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-hw-display-virtio-gpu-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-hw-display-virtio-gpu-pci-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-hw-display-virtio-vga-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-hw-usb-host-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-hw-usb-redirect-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-img-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-ipxe-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-ksm-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-lang-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-pr-helper-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-s390x-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-seabios-8.2.61.16.3_3_ga95067eb-1.1 SUSE Linux Micro 6.0:qemu-tools-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-ui-opengl-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-ui-spice-core-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-vgabios-8.2.61.16.3_3_ga95067eb-1.1 SUSE Linux Micro 6.0:qemu-x86-8.2.6-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520036-1/ https://www.suse.com/security/cve/CVE-2024-4467.html CVE-2024-4467 https://bugzilla.suse.com/1227322 SUSE Bug 1227322 A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline. CVE-2024-7409 SUSE Linux Micro 6.0:qemu-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-accel-tcg-x86-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-arm-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-audio-spice-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-block-curl-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-block-iscsi-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-block-rbd-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-block-ssh-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-chardev-spice-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-guest-agent-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-hw-display-qxl-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-hw-display-virtio-gpu-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-hw-display-virtio-gpu-pci-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-hw-display-virtio-vga-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-hw-usb-host-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-hw-usb-redirect-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-img-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-ipxe-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-ksm-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-lang-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-pr-helper-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-s390x-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-seabios-8.2.61.16.3_3_ga95067eb-1.1 SUSE Linux Micro 6.0:qemu-tools-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-ui-opengl-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-ui-spice-core-8.2.6-1.1 SUSE Linux Micro 6.0:qemu-vgabios-8.2.61.16.3_3_ga95067eb-1.1 SUSE Linux Micro 6.0:qemu-x86-8.2.6-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520036-1/ https://www.suse.com/security/cve/CVE-2024-7409.html CVE-2024-7409 https://bugzilla.suse.com/1229007 SUSE Bug 1229007