ALAS-2021-1467


Amazon Linux AMI Security Advisory: ALAS-2021-1467
Advisory Release Date: 2021-01-12 22:51 Pacific
Advisory Updated Date: 2021-01-13 18:20 Pacific
Severity: Medium
References: CVE-2019-15890

Issue Overview:

A use-after-free issue was found in the SLiRP networking implementation of the QEMU emulator. The issue occurs in the ip_reass() routine while reassembling incoming packets, if the first fragment is bigger than the m->m_dat[] buffer. A user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service. (CVE-2019-15890)


Affected Packages:

qemu-kvm


Issue Correction:
Run yum update qemu-kvm to update your system.

New Packages:
src:
    qemu-kvm-1.5.3-156.25.amzn1.src

x86_64:
    qemu-kvm-1.5.3-156.25.amzn1.x86_64
    qemu-kvm-tools-1.5.3-156.25.amzn1.x86_64
    qemu-kvm-common-1.5.3-156.25.amzn1.x86_64
    qemu-img-1.5.3-156.25.amzn1.x86_64
    qemu-kvm-debuginfo-1.5.3-156.25.amzn1.x86_64
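
Verification example (added here, not part of the original advisory): a script that compares installed qemu packages against the fixed build 1.5.3-156.25.amzn1 listed above. The function names are hypothetical, and GNU sort -V is assumed as an approximation of RPM version ordering (epochs are not handled).

```bash
#!/usr/bin/env bash
# Check installed packages against the fixed build from ALAS-2021-1467.

FIXED_VR="1.5.3-156.25.amzn1"   # version-release from the New Packages list
PKGS="qemu-kvm qemu-kvm-tools qemu-kvm-common qemu-img qemu-kvm-debuginfo"

# vr_at_least INSTALLED FIXED: succeeds when INSTALLED sorts at or above FIXED.
# Assumption: GNU sort -V stands in for rpm's own comparison here.
vr_at_least() {
    local lowest
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# classify NAME VR: prints "NAME VR fixed" or "NAME VR needs-update".
classify() {
    if vr_at_least "$2" "$FIXED_VR"; then
        echo "$1 $2 fixed"
    else
        echo "$1 $2 needs-update"
    fi
}

# audit: reads "name version-release" lines on stdin and prints one verdict
# per package; returns 1 if any package is older than the fixed build.
audit() {
    local rc=0 name vr out
    while read -r name vr; do
        [ -z "$name" ] && continue
        out=$(classify "$name" "$vr")
        echo "$out"
        case "$out" in *needs-update) rc=1 ;; esac
    done
    return $rc
}

if command -v rpm >/dev/null 2>&1; then
    # Real host: query only the packages named in the advisory.
    rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' $PKGS 2>/dev/null \
        | grep -v 'not installed' | audit \
        || echo "update required: run yum update qemu-kvm"
else
    # Constructed sample input (not from a real host) so the script runs offline.
    printf '%s\n' "qemu-kvm 1.5.3-156.25.amzn1" "qemu-img 1.5.3-156.24.amzn1" \
        | audit || echo "update required: run yum update qemu-kvm"
fi
```

Running guests keep the old QEMU binary in memory until they are restarted, so a "fixed" verdict describes the packages on disk only.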