Amazon Linux 1 Security Advisory: ALAS-2021-1467
Advisory Release Date: 2021-01-12 22:51 Pacific
Advisory Updated Date: 2021-01-13 18:20 Pacific
A use-after-free issue was found in the SLiRP networking implementation of the QEMU emulator. The issue occurs in the ip_reass() routine while reassembling incoming packets, if the first fragment is bigger than the m->m_dat[] buffer. A user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service. (CVE-2019-15890)
Affected Packages:
qemu-kvm
Issue Correction:
Run yum update qemu-kvm to update your system.
src:
qemu-kvm-1.5.3-156.25.amzn1.src
x86_64:
qemu-kvm-1.5.3-156.25.amzn1.x86_64
qemu-kvm-tools-1.5.3-156.25.amzn1.x86_64
qemu-kvm-common-1.5.3-156.25.amzn1.x86_64
qemu-img-1.5.3-156.25.amzn1.x86_64
qemu-kvm-debuginfo-1.5.3-156.25.amzn1.x86_64
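To confirm that a host has the corrected build, the following added example (not part of the original advisory) flags any of the listed packages that are older than 1.5.3-156.25.amzn1. It uses a simplified RPM version comparison and assumes the package epoch is the same on both sides; the function names and sample versions are constructed for illustration.

```python
import re
import sys

# Fixed build and binary package names as listed in ALAS-2021-1467.
FIXED = "1.5.3-156.25.amzn1"
PACKAGES = {"qemu-kvm", "qemu-kvm-tools", "qemu-kvm-common",
            "qemu-img", "qemu-kvm-debuginfo"}

def rpmvercmp(a, b):
    """Segment-wise compare of one RPM version or release string.
    Simplified: the '~' and '^' modifiers are not handled."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # 8 < 25, unlike a string compare
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_vr(a, b):
    """Compare 'version-release' strings; epoch is assumed equal (assumption)."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def unpatched(rpm_lines, fixed=FIXED):
    """Return [(name, version-release)] for advisory packages older than fixed."""
    found = []
    for line in rpm_lines:
        parts = line.split()
        if len(parts) == 2 and parts[0] in PACKAGES and compare_vr(parts[1], fixed) < 0:
            found.append((parts[0], parts[1]))
    return found

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = """\
qemu-kvm 1.5.3-156.24.amzn1
qemu-img 1.5.3-156.25.amzn1
qemu-kvm-common 1.5.3-156.8.amzn1
openssl 1.0.2k-16.150.amzn1
""".splitlines()

if __name__ == "__main__":
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for name, vr in unpatched(lines):
        print("{} {} is older than {}: run yum update qemu-kvm".format(name, vr, FIXED))
```

On a real host, pipe the output of the rpm query shown in the comment into the script; with no piped input it runs on the constructed sample.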