Synopsis: Important: kvm security update Issue Date: 2012-09-05 CVE Numbers: CVE-2012-3515 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host. (CVE-2012-3515) This flaw did not affect the default use of KVM. Affected configurations were: * When guests were started from the command line ("/usr/libexec/qemu-kvm"), and without specifying a serial or parallel device that specifically does not use a virtual console (vc) back-end. (Note that Red Hat does not support invoking "qemu-kvm" from the command line on Red Hat Enterprise Linux 5.) * Guests that were managed via libvirt, such as when using Virtual Machine Manager (virt-manager), but that have a serial or parallel device that uses a virtual console back-end. By default, guests managed via libvirt will not use a virtual console back-end for such devices. All KVM users should upgrade to these updated packages, which correct this issue. SL5 x86_64 kmod-kvm-83-249.el5_8.5.x86_64.rpm kmod-kvm-debug-83-249.el5_8.5.x86_64.rpm kvm-83-249.el5_8.5.x86_64.rpm kvm-qemu-img-83-249.el5_8.5.x86_64.rpm kvm-tools-83-249.el5_8.5.x86_64.rpm - Scientific Linux Development Team