new file mode 100644
@@ -0,0 +1,248 @@
+<security-notice xmlns="http://qemu.org/xmlns/security-notice/1.0">
+ <id>2018-001</id>
+
+ <summary>Speculative store bypass</summary>
+
+ <description>
+<![CDATA[An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization).
+
+It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire).
+]]>
+ </description>
+
+ <impact>
+<![CDATA[As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.]]>
+ </impact>
+
+ <mitigation>
+<![CDATA[None]]>
+ </mitigation>
+
+ <credits>
+ <reporter>
+ <name>Ken Johnson (Microsoft Security Response Center)</name>
+ </reporter>
+ <reporter>
+ <name>Jann Horn (Google Project Zero)</name>
+ </reporter>
+ <patcher>
+ <name>Daniel P. Berrangé</name>
+ <email>berrange@redhat.com</email>
+ </patcher>
+ <patcher>
+ <name>Konrad Rzeszutek Wilk</name>
+ <email>konrad.wilk@oracle.com</email>
+ </patcher>
+ </credits>
+
+ <lifecycle>
+ <reported>20180312</reported>
+ <published>20180521</published>
+ <fixed>20180626</fixed>
+ </lifecycle>
+
+ <reference>
+ <advisory type="CVE" id="2018-3639"/>
+ </reference>
+
+ <repository>
+ <branch>
+ <name>master</name>
+ <change state="fixed">d19d1f965904a533998739698020ff4ee8a103da</change>
+ <change state="fixed">403503b162ffc33fb64cfefdf7b880acf41772cd</change>
+ <change state="merged">4f50c1673a89b07f376ce5c42d22d79a79cd466d</change>
+ <change state="fixed">a764f3f7197f4d7ad8fe8424269933de912224cb</change>
+ <change state="merged">e409d9a158c77c650651e8118f6c86c8dc76eba6</change>
+ <tag state="fixed"></tag>
+ <tag state="vulnerable">v0.10.1</tag>
+ <tag state="vulnerable">v0.10.2</tag>
+ <tag state="vulnerable">v1.0</tag>
+ <tag state="vulnerable">v1.1.0</tag>
+ <tag state="vulnerable">v1.2.0</tag>
+ <tag state="vulnerable">v1.3.0</tag>
+ <tag state="vulnerable">v1.4.0</tag>
+ <tag state="vulnerable">v1.5.0</tag>
+ <tag state="vulnerable">v1.6.0</tag>
+ <tag state="vulnerable">v1.7.0</tag>
+ <tag state="vulnerable">v2.0.0</tag>
+ <tag state="vulnerable">v2.1.0</tag>
+ <tag state="vulnerable">v2.2.0</tag>
+ <tag state="vulnerable">v2.3.0</tag>
+ <tag state="vulnerable">v2.4.0</tag>
+ <tag state="vulnerable">v2.5.0</tag>
+ <tag state="vulnerable">v2.6.0</tag>
+ <tag state="vulnerable">v2.7.0</tag>
+ <tag state="vulnerable">v2.8.0</tag>
+ <tag state="vulnerable">v2.9.0</tag>
+ <tag state="vulnerable">v2.10.0</tag>
+ <tag state="vulnerable">v2.11.0</tag>
+ <tag state="vulnerable">v2.12.0</tag>
+ <tag state="vulnerable">v3.0.0</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-0.10</name>
+ <tag state="vulnerable">v0.10.0</tag>
+ <tag state="vulnerable">v0.10.3</tag>
+ <tag state="vulnerable">v0.10.4</tag>
+ <tag state="vulnerable">v0.10.5</tag>
+ <tag state="vulnerable">v0.10.6</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-0.11</name>
+ <tag state="vulnerable">v0.11.0</tag>
+ <tag state="vulnerable">v0.11.1</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-0.12</name>
+ <tag state="vulnerable">v0.12.0</tag>
+ <tag state="vulnerable">v0.12.1</tag>
+ <tag state="vulnerable">v0.12.2</tag>
+ <tag state="vulnerable">v0.12.3</tag>
+ <tag state="vulnerable">v0.12.4</tag>
+ <tag state="vulnerable">v0.12.5</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-0.13</name>
+ <tag state="vulnerable">v0.13.0</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-0.14</name>
+ <tag state="vulnerable">v0.14.0</tag>
+ <tag state="vulnerable">v0.14.1</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-0.15</name>
+ <tag state="vulnerable">v0.15.0</tag>
+ <tag state="vulnerable">v0.15.1</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-1.0</name>
+ <tag state="vulnerable">v1.0.1</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-1.1</name>
+ <tag state="vulnerable">v1.1.1</tag>
+ <tag state="vulnerable">v1.1.2</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-1.2</name>
+ <tag state="vulnerable">v1.2.1</tag>
+ <tag state="vulnerable">v1.2.2</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-1.3</name>
+ <tag state="vulnerable">v1.3.1</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-1.4</name>
+ <tag state="vulnerable">v1.4.1</tag>
+ <tag state="vulnerable">v1.4.2</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-1.5</name>
+ <tag state="vulnerable">v1.5.1</tag>
+ <tag state="vulnerable">v1.5.2</tag>
+ <tag state="vulnerable">v1.5.3</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-1.6</name>
+ <tag state="vulnerable">v1.6.1</tag>
+ <tag state="vulnerable">v1.6.2</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-1.7</name>
+ <tag state="vulnerable">v1.7.1</tag>
+ <tag state="vulnerable">v1.7.2</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-2.0</name>
+ <tag state="vulnerable">v2.0.1</tag>
+ <tag state="vulnerable">v2.0.2</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-2.1</name>
+ <tag state="vulnerable">v2.1.1</tag>
+ <tag state="vulnerable">v2.1.2</tag>
+ <tag state="vulnerable">v2.1.3</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-2.2</name>
+ <tag state="vulnerable">v2.2.1</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-2.3</name>
+ <tag state="vulnerable">v2.3.1</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-2.4</name>
+ <tag state="vulnerable">v2.4.0.1</tag>
+ <tag state="vulnerable">v2.4.1</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-2.5</name>
+ <tag state="vulnerable">v2.5.1</tag>
+ <tag state="vulnerable">v2.5.1.1</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-2.6</name>
+ <tag state="vulnerable">v2.6.1</tag>
+ <tag state="vulnerable">v2.6.2</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-2.7</name>
+ <tag state="vulnerable">v2.7.1</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-2.8</name>
+ <tag state="vulnerable">v2.8.1</tag>
+ <tag state="vulnerable">v2.8.1.1</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-2.9</name>
+ <tag state="vulnerable">v2.9.1</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-2.10</name>
+ <tag state="vulnerable">v2.10.1</tag>
+ <tag state="vulnerable">v2.10.2</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-2.11</name>
+ <tag state="vulnerable">v2.11.1</tag>
+ <tag state="vulnerable">v2.11.2</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ <branch>
+ <name>stable-2.12</name>
+ <tag state="vulnerable">v2.12.1</tag>
+ <change state="vulnerable">7ba1e61953f4592606e60b2e7507ff6a6faf861a</change>
+ </branch>
+ </repository>
+
+</security-notice>
new file mode 100644
@@ -0,0 +1,242 @@
+<security-notice xmlns="http://qemu.org/xmlns/security-notice/1.0">
+ <id>2018-002</id>
+
+ <summary>VGA out of bounds in vga_draw_text</summary>
+
+ <description>
+<![CDATA[Quick Emulator(QEMU) built with the VGA emulator support is vulnerable to an out-of-bounds access issue in vga_draw_text. It could occur while updating vga display area.]]>
+ </description>
+
+ <impact>
+<![CDATA[A privileged user inside guest could use this flaw to crash the Qemu process
+resulting in DoS.]]>
+ </impact>
+
+ <mitigation>
+<![CDATA[Disable graphics adapters if the virtual machines can be operated
+via the serial console]]>
+ </mitigation>
+
+ <credits>
+ <reporter>
+ <name>Jiang Xin</name>
+ <email>jiangxin1@huawei.com</email>
+ </reporter>
+ <patcher>
+ <name>Lin ZheCheng</name>
+ <email>linzhecheng@huawei.com</email>
+ </patcher>
+ </credits>
+
+ <lifecycle>
+ <reported>20171228</reported>
+ <published>20171225</published>
+ <fixed>20180125</fixed>
+ </lifecycle>
+
+ <reference>
+ <advisory type="CVE" id="2018-5683"/>
+ </reference>
+
+ <repository>
+ <branch>
+ <name>master</name>
+ <tag state="fixed">v2.12.0</tag>
+ <change state="fixed">191f59dc17396bb5a8da50f8c59b6e0a430711a4</change>
+ <change state="merged">b3bbe959b5dc3bf07041946455cc8e8d562bfd1f</change>
+ <tag state="vulnerable">v0.4.4</tag>
+ <tag state="vulnerable">v0.5.0</tag>
+ <tag state="vulnerable">v0.5.1</tag>
+ <tag state="vulnerable">v0.6.0</tag>
+ <tag state="vulnerable">v0.6.1</tag>
+ <tag state="vulnerable">v0.7.0</tag>
+ <tag state="vulnerable">v0.7.1</tag>
+ <tag state="vulnerable">v0.8.1</tag>
+ <tag state="vulnerable">v0.8.2</tag>
+ <tag state="vulnerable">v0.9.0</tag>
+ <tag state="vulnerable">v0.9.1</tag>
+ <tag state="vulnerable">v1.0</tag>
+ <tag state="vulnerable">v1.1.0</tag>
+ <tag state="vulnerable">v1.2.0</tag>
+ <tag state="vulnerable">v1.3.0</tag>
+ <tag state="vulnerable">v1.4.0</tag>
+ <tag state="vulnerable">v1.5.0</tag>
+ <tag state="vulnerable">v1.6.0</tag>
+ <tag state="vulnerable">v1.7.0</tag>
+ <tag state="vulnerable">v2.0.0</tag>
+ <tag state="vulnerable">v2.1.0</tag>
+ <tag state="vulnerable">v2.2.0</tag>
+ <tag state="vulnerable">v2.3.0</tag>
+ <tag state="vulnerable">v2.4.0</tag>
+ <tag state="vulnerable">v2.5.0</tag>
+ <tag state="vulnerable">v2.6.0</tag>
+ <tag state="vulnerable">v2.7.0</tag>
+ <tag state="vulnerable">v2.8.0</tag>
+ <tag state="vulnerable">v2.9.0</tag>
+ <tag state="vulnerable">v2.10.0</tag>
+ <tag state="vulnerable">v2.11.0</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-0.10</name>
+ <tag state="vulnerable">v0.10.0</tag>
+ <tag state="vulnerable">v0.10.1</tag>
+ <tag state="vulnerable">v0.10.2</tag>
+ <tag state="vulnerable">v0.10.3</tag>
+ <tag state="vulnerable">v0.10.4</tag>
+ <tag state="vulnerable">v0.10.5</tag>
+ <tag state="vulnerable">v0.10.6</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-0.11</name>
+ <tag state="vulnerable">v0.11.0</tag>
+ <tag state="vulnerable">v0.11.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-0.12</name>
+ <tag state="vulnerable">v0.12.0</tag>
+ <tag state="vulnerable">v0.12.1</tag>
+ <tag state="vulnerable">v0.12.2</tag>
+ <tag state="vulnerable">v0.12.3</tag>
+ <tag state="vulnerable">v0.12.4</tag>
+ <tag state="vulnerable">v0.12.5</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-0.13</name>
+ <tag state="vulnerable">v0.13.0</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-0.14</name>
+ <tag state="vulnerable">v0.14.0</tag>
+ <tag state="vulnerable">v0.14.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-0.15</name>
+ <tag state="vulnerable">v0.15.0</tag>
+ <tag state="vulnerable">v0.15.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-1.0</name>
+ <tag state="vulnerable">v1.0.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-1.1</name>
+ <tag state="vulnerable">v1.1.1</tag>
+ <tag state="vulnerable">v1.1.2</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-1.2</name>
+ <tag state="vulnerable">v1.2.1</tag>
+ <tag state="vulnerable">v1.2.2</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-1.3</name>
+ <tag state="vulnerable">v1.3.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-1.4</name>
+ <tag state="vulnerable">v1.4.1</tag>
+ <tag state="vulnerable">v1.4.2</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-1.5</name>
+ <tag state="vulnerable">v1.5.1</tag>
+ <tag state="vulnerable">v1.5.2</tag>
+ <tag state="vulnerable">v1.5.3</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-1.6</name>
+ <tag state="vulnerable">v1.6.1</tag>
+ <tag state="vulnerable">v1.6.2</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-1.7</name>
+ <tag state="vulnerable">v1.7.1</tag>
+ <tag state="vulnerable">v1.7.2</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.0</name>
+ <tag state="vulnerable">v2.0.1</tag>
+ <tag state="vulnerable">v2.0.2</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.1</name>
+ <tag state="vulnerable">v2.1.1</tag>
+ <tag state="vulnerable">v2.1.2</tag>
+ <tag state="vulnerable">v2.1.3</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.2</name>
+ <tag state="vulnerable">v2.2.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.3</name>
+ <tag state="vulnerable">v2.3.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.4</name>
+ <tag state="vulnerable">v2.4.0.1</tag>
+ <tag state="vulnerable">v2.4.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.5</name>
+ <tag state="vulnerable">v2.5.1</tag>
+ <tag state="vulnerable">v2.5.1.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.6</name>
+ <tag state="vulnerable">v2.6.1</tag>
+ <tag state="vulnerable">v2.6.2</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.7</name>
+ <tag state="vulnerable">v2.7.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.8</name>
+ <tag state="vulnerable">v2.8.1</tag>
+ <tag state="vulnerable">v2.8.1.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.9</name>
+ <tag state="vulnerable">v2.9.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.10</name>
+ <tag state="vulnerable">v2.10.1</tag>
+ <tag state="vulnerable">v2.10.2</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.11</name>
+ <tag state="vulnerable">v2.11.1</tag>
+ <tag state="vulnerable">v2.11.2</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ </repository>
+
+</security-notice>
new file mode 100644
@@ -0,0 +1,191 @@
+<security-notice xmlns="http://qemu.org/xmlns/security-notice/1.0">
+ <id>2018-003</id>
+
+ <summary>Multiboot out of bounds loading kernel</summary>
+
+ <description>
+<![CDATA[Quick Emulator(QEMU) built with the PC System Emulator with multiboot feature
+support is vulnerable to an OOB memory access issue. It could occur while
+loading a kernel image during a guest boot if multiboot head addresses
+mh_load_end_addr was greater than mh_bss_end_addr.]]>
+ </description>
+
+ <impact>
+<![CDATA[A user/process could use this flaw to potentially achieve arbitrary code
+execution on a host.]]>
+ </impact>
+
+ <mitigation>
+<![CDATA[Do not use the -kernel argument to QEMU for providing the boot kernel.
+Allow the guest firmware and bootloader (eg grub) to load the boot kernel from
+inside the confined guest execution environment]]>
+ </mitigation>
+
+ <credits>
+ <reporter>
+ <name></name>
+ <email></email>
+ </reporter>
+ <patcher>
+ <name></name>
+ <email></email>
+ </patcher>
+ </credits>
+
+ <lifecycle>
+ <reported>20180221</reported>
+ <published>20180227</published>
+ <fixed>20180328</fixed>
+ </lifecycle>
+
+ <reference>
+ <advisory type="CVE" id="2018-7550"/>
+ </reference>
+
+ <repository>
+ <branch>
+ <name>master</name>
+ <tag state="fixed">v2.12.0</tag>
+ <change state="fixed">2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8</change>
+ <change state="merged">854a4436dd313eaeb51c275d00526d60437915d2</change>
+ <tag state="vulnerable">v1.0</tag>
+ <tag state="vulnerable">v1.1.0</tag>
+ <tag state="vulnerable">v1.2.0</tag>
+ <tag state="vulnerable">v1.3.0</tag>
+ <tag state="vulnerable">v1.4.0</tag>
+ <tag state="vulnerable">v1.5.0</tag>
+ <tag state="vulnerable">v1.6.0</tag>
+ <tag state="vulnerable">v1.7.0</tag>
+ <tag state="vulnerable">v2.0.0</tag>
+ <tag state="vulnerable">v2.1.0</tag>
+ <tag state="vulnerable">v2.2.0</tag>
+ <tag state="vulnerable">v2.3.0</tag>
+ <tag state="vulnerable">v2.4.0</tag>
+ <tag state="vulnerable">v2.5.0</tag>
+ <tag state="vulnerable">v2.6.0</tag>
+ <tag state="vulnerable">v2.7.0</tag>
+ <tag state="vulnerable">v2.8.0</tag>
+ <tag state="vulnerable">v2.9.0</tag>
+ <tag state="vulnerable">v2.10.0</tag>
+ <tag state="vulnerable">v2.11.0</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-1.0</name>
+ <tag state="vulnerable">v1.0.1</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-1.1</name>
+ <tag state="vulnerable">v1.1.1</tag>
+ <tag state="vulnerable">v1.1.2</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-1.2</name>
+ <tag state="vulnerable">v1.2.1</tag>
+ <tag state="vulnerable">v1.2.2</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-1.3</name>
+ <tag state="vulnerable">v1.3.1</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-1.4</name>
+ <tag state="vulnerable">v1.4.1</tag>
+ <tag state="vulnerable">v1.4.2</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-1.5</name>
+ <tag state="vulnerable">v1.5.1</tag>
+ <tag state="vulnerable">v1.5.2</tag>
+ <tag state="vulnerable">v1.5.3</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-1.6</name>
+ <tag state="vulnerable">v1.6.1</tag>
+ <tag state="vulnerable">v1.6.2</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-1.7</name>
+ <tag state="vulnerable">v1.7.1</tag>
+ <tag state="vulnerable">v1.7.2</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-2.0</name>
+ <tag state="vulnerable">v2.0.1</tag>
+ <tag state="vulnerable">v2.0.2</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-2.1</name>
+ <tag state="vulnerable">v2.1.1</tag>
+ <tag state="vulnerable">v2.1.2</tag>
+ <tag state="vulnerable">v2.1.3</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-2.2</name>
+ <tag state="vulnerable">v2.2.1</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-2.3</name>
+ <tag state="vulnerable">v2.3.1</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-2.4</name>
+ <tag state="vulnerable">v2.4.0.1</tag>
+ <tag state="vulnerable">v2.4.1</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-2.5</name>
+ <tag state="vulnerable">v2.5.1</tag>
+ <tag state="vulnerable">v2.5.1.1</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-2.6</name>
+ <tag state="vulnerable">v2.6.1</tag>
+ <tag state="vulnerable">v2.6.2</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-2.7</name>
+ <tag state="vulnerable">v2.7.1</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-2.8</name>
+ <tag state="vulnerable">v2.8.1</tag>
+ <tag state="vulnerable">v2.8.1.1</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-2.9</name>
+ <tag state="vulnerable">v2.9.1</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-2.10</name>
+ <tag state="vulnerable">v2.10.1</tag>
+ <tag state="vulnerable">v2.10.2</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ <branch>
+ <name>stable-2.11</name>
+ <tag state="vulnerable">v2.11.1</tag>
+ <tag state="vulnerable">v2.11.2</tag>
+ <change state="vulnerable">6b8273a1b97876950d91c228a420a851e10e12bb</change>
+ </branch>
+ </repository>
+
+</security-notice>
new file mode 100644
@@ -0,0 +1,243 @@
+<security-notice xmlns="http://qemu.org/xmlns/security-notice/1.0">
+ <id>2018-004</id>
+
+ <summary>Cirrus out of bounds access updating VGA display</summary>
+
+ <description>
+<![CDATA[Quick emulator(QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is
+vulnerable to an out-of-bounds access issue. It could occur while updating
+VGA display, after guest has adjusted the display dimensions.]]>
+ </description>
+
+ <impact>
+<![CDATA[A privileged user inside guest could use this flaw to crash the Qemu process
+resulting in DoS.]]>
+ </impact>
+
+ <mitigation>
+<![CDATA[Replace use of the cirrus video adapter with an alternative model]]>
+ </mitigation>
+
+ <credits>
+ <reporter>
+ <name>Ross Lagerwall</name>
+ <email>ross.lagerwall@citrix.com</email>
+ </reporter>
+ <patcher>
+ <name>Gerd Hoffmann</name>
+ <email>kraxel@redhat.com</email>
+ </patcher>
+ </credits>
+
+ <lifecycle>
+ <reported>20180228</reported>
+ <published>20180308</published>
+ <fixed>20180312</fixed>
+ </lifecycle>
+
+ <reference>
+ <advisory type="CVE" id="2018-7858"/>
+ </reference>
+
+ <repository>
+ <branch>
+ <name>master</name>
+ <tag state="fixed">v2.12.0</tag>
+ <change state="fixed">7cdc61becd095b64a786b2625f321624e7111f3d</change>
+ <change state="merged">fb5fff15881ba7a002924b967eb211c002897983</change>
+ <tag state="vulnerable">v0.4.4</tag>
+ <tag state="vulnerable">v0.5.0</tag>
+ <tag state="vulnerable">v0.5.1</tag>
+ <tag state="vulnerable">v0.6.0</tag>
+ <tag state="vulnerable">v0.6.1</tag>
+ <tag state="vulnerable">v0.7.0</tag>
+ <tag state="vulnerable">v0.7.1</tag>
+ <tag state="vulnerable">v0.8.1</tag>
+ <tag state="vulnerable">v0.8.2</tag>
+ <tag state="vulnerable">v0.9.0</tag>
+ <tag state="vulnerable">v0.9.1</tag>
+ <tag state="vulnerable">v1.0</tag>
+ <tag state="vulnerable">v1.1.0</tag>
+ <tag state="vulnerable">v1.2.0</tag>
+ <tag state="vulnerable">v1.3.0</tag>
+ <tag state="vulnerable">v1.4.0</tag>
+ <tag state="vulnerable">v1.5.0</tag>
+ <tag state="vulnerable">v1.6.0</tag>
+ <tag state="vulnerable">v1.7.0</tag>
+ <tag state="vulnerable">v2.0.0</tag>
+ <tag state="vulnerable">v2.1.0</tag>
+ <tag state="vulnerable">v2.2.0</tag>
+ <tag state="vulnerable">v2.3.0</tag>
+ <tag state="vulnerable">v2.4.0</tag>
+ <tag state="vulnerable">v2.5.0</tag>
+ <tag state="vulnerable">v2.6.0</tag>
+ <tag state="vulnerable">v2.7.0</tag>
+ <tag state="vulnerable">v2.8.0</tag>
+ <tag state="vulnerable">v2.9.0</tag>
+ <tag state="vulnerable">v2.10.0</tag>
+ <tag state="vulnerable">v2.11.0</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-0.10</name>
+ <tag state="vulnerable">v0.10.0</tag>
+ <tag state="vulnerable">v0.10.1</tag>
+ <tag state="vulnerable">v0.10.2</tag>
+ <tag state="vulnerable">v0.10.3</tag>
+ <tag state="vulnerable">v0.10.4</tag>
+ <tag state="vulnerable">v0.10.5</tag>
+ <tag state="vulnerable">v0.10.6</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-0.11</name>
+ <tag state="vulnerable">v0.11.0</tag>
+ <tag state="vulnerable">v0.11.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-0.12</name>
+ <tag state="vulnerable">v0.12.0</tag>
+ <tag state="vulnerable">v0.12.1</tag>
+ <tag state="vulnerable">v0.12.2</tag>
+ <tag state="vulnerable">v0.12.3</tag>
+ <tag state="vulnerable">v0.12.4</tag>
+ <tag state="vulnerable">v0.12.5</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-0.13</name>
+ <tag state="vulnerable">v0.13.0</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-0.14</name>
+ <tag state="vulnerable">v0.14.0</tag>
+ <tag state="vulnerable">v0.14.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-0.15</name>
+ <tag state="vulnerable">v0.15.0</tag>
+ <tag state="vulnerable">v0.15.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-1.0</name>
+ <tag state="vulnerable">v1.0.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-1.1</name>
+ <tag state="vulnerable">v1.1.1</tag>
+ <tag state="vulnerable">v1.1.2</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-1.2</name>
+ <tag state="vulnerable">v1.2.1</tag>
+ <tag state="vulnerable">v1.2.2</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-1.3</name>
+ <tag state="vulnerable">v1.3.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-1.4</name>
+ <tag state="vulnerable">v1.4.1</tag>
+ <tag state="vulnerable">v1.4.2</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-1.5</name>
+ <tag state="vulnerable">v1.5.1</tag>
+ <tag state="vulnerable">v1.5.2</tag>
+ <tag state="vulnerable">v1.5.3</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-1.6</name>
+ <tag state="vulnerable">v1.6.1</tag>
+ <tag state="vulnerable">v1.6.2</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-1.7</name>
+ <tag state="vulnerable">v1.7.1</tag>
+ <tag state="vulnerable">v1.7.2</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.0</name>
+ <tag state="vulnerable">v2.0.1</tag>
+ <tag state="vulnerable">v2.0.2</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.1</name>
+ <tag state="vulnerable">v2.1.1</tag>
+ <tag state="vulnerable">v2.1.2</tag>
+ <tag state="vulnerable">v2.1.3</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.2</name>
+ <tag state="vulnerable">v2.2.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.3</name>
+ <tag state="vulnerable">v2.3.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.4</name>
+ <tag state="vulnerable">v2.4.0.1</tag>
+ <tag state="vulnerable">v2.4.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.5</name>
+ <tag state="vulnerable">v2.5.1</tag>
+ <tag state="vulnerable">v2.5.1.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.6</name>
+ <tag state="vulnerable">v2.6.1</tag>
+ <tag state="vulnerable">v2.6.2</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.7</name>
+ <tag state="vulnerable">v2.7.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.8</name>
+ <tag state="vulnerable">v2.8.1</tag>
+ <tag state="vulnerable">v2.8.1.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.9</name>
+ <tag state="vulnerable">v2.9.1</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.10</name>
+ <tag state="vulnerable">v2.10.1</tag>
+ <tag state="vulnerable">v2.10.2</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ <branch>
+ <name>stable-2.11</name>
+ <tag state="vulnerable">v2.11.1</tag>
+ <tag state="vulnerable">v2.11.2</tag>
+ <change state="vulnerable">e89f66eca974d2a9d5d89271c6041daefdab2105</change>
+ </branch>
+ </repository>
+
+</security-notice>
new file mode 100644
@@ -0,0 +1,225 @@
+<security-notice xmlns="http://qemu.org/xmlns/security-notice/1.0">
+ <id>2018-005</id>
+
+ <summary>ne2000 integer overflow in buffer access</summary>
+
+ <description>
+<![CDATA[Qemu emulator built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network.]]>
+ </description>
+
+ <impact>
+<![CDATA[A user inside guest could use this flaw to crash the Qemu process resulting in DoS.]]>
+ </impact>
+
+ <mitigation>
+<![CDATA[Replace use of the NE2000 network adapter with an alternative model]]>
+ </mitigation>
+
+ <credits>
+ <reporter>
+ <name>Daniel Shapira</name>
+ <email>daniel@twistlock.com</email>
+ </reporter>
+ <patcher>
+ <name>Jason Wang</name>
+ <email>jasonwang@redhat.com</email>
+ </patcher>
+ </credits>
+
+ <lifecycle>
+ <reported>20180522</reported>
+ <published>20180926</published>
+ <fixed></fixed>
+ </lifecycle>
+
+ <reference>
+ <advisory type="CVE" id="2018-10839"/>
+ </reference>
+
+ <repository>
+ <branch>
+ <name>master</name>
+ <tag state="fixed"></tag>
+ <change state="fixed">0caf499e2f26ae305a16ae2c4e7a2f295ddf64d1</change>
+ <change state="merged"></change>
+ <tag state="vulnerable">v1.0</tag>
+ <tag state="vulnerable">v1.1.0</tag>
+ <tag state="vulnerable">v1.2.0</tag>
+ <tag state="vulnerable">v1.3.0</tag>
+ <tag state="vulnerable">v1.4.0</tag>
+ <tag state="vulnerable">v1.5.0</tag>
+ <tag state="vulnerable">v1.6.0</tag>
+ <tag state="vulnerable">v1.7.0</tag>
+ <tag state="vulnerable">v2.0.0</tag>
+ <tag state="vulnerable">v2.1.0</tag>
+ <tag state="vulnerable">v2.2.0</tag>
+ <tag state="vulnerable">v2.3.0</tag>
+ <tag state="vulnerable">v2.4.0</tag>
+ <tag state="vulnerable">v2.5.0</tag>
+ <tag state="vulnerable">v2.6.0</tag>
+ <tag state="vulnerable">v2.7.0</tag>
+ <tag state="vulnerable">v2.8.0</tag>
+ <tag state="vulnerable">v2.9.0</tag>
+ <tag state="vulnerable">v2.10.0</tag>
+ <tag state="vulnerable">v2.11.0</tag>
+ <tag state="vulnerable">v2.12.0</tag>
+ <tag state="vulnerable">v3.0.0</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-0.11</name>
+ <tag state="vulnerable">v0.11.0</tag>
+ <tag state="vulnerable">v0.11.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-0.12</name>
+ <tag state="vulnerable">v0.12.0</tag>
+ <tag state="vulnerable">v0.12.1</tag>
+ <tag state="vulnerable">v0.12.2</tag>
+ <tag state="vulnerable">v0.12.3</tag>
+ <tag state="vulnerable">v0.12.4</tag>
+ <tag state="vulnerable">v0.12.5</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-0.13</name>
+ <tag state="vulnerable">v0.13.0</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-0.14</name>
+ <tag state="vulnerable">v0.14.0</tag>
+ <tag state="vulnerable">v0.14.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-0.15</name>
+ <tag state="vulnerable">v0.15.0</tag>
+ <tag state="vulnerable">v0.15.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.0</name>
+ <tag state="vulnerable">v1.0.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.1</name>
+ <tag state="vulnerable">v1.1.1</tag>
+ <tag state="vulnerable">v1.1.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.2</name>
+ <tag state="vulnerable">v1.2.1</tag>
+ <tag state="vulnerable">v1.2.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.3</name>
+ <tag state="vulnerable">v1.3.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.4</name>
+ <tag state="vulnerable">v1.4.1</tag>
+ <tag state="vulnerable">v1.4.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.5</name>
+ <tag state="vulnerable">v1.5.1</tag>
+ <tag state="vulnerable">v1.5.2</tag>
+ <tag state="vulnerable">v1.5.3</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.6</name>
+ <tag state="vulnerable">v1.6.1</tag>
+ <tag state="vulnerable">v1.6.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.7</name>
+ <tag state="vulnerable">v1.7.1</tag>
+ <tag state="vulnerable">v1.7.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.0</name>
+ <tag state="vulnerable">v2.0.1</tag>
+ <tag state="vulnerable">v2.0.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.1</name>
+ <tag state="vulnerable">v2.1.1</tag>
+ <tag state="vulnerable">v2.1.2</tag>
+ <tag state="vulnerable">v2.1.3</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.2</name>
+ <tag state="vulnerable">v2.2.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.3</name>
+ <tag state="vulnerable">v2.3.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.4</name>
+ <tag state="vulnerable">v2.4.0.1</tag>
+ <tag state="vulnerable">v2.4.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.5</name>
+ <tag state="vulnerable">v2.5.1</tag>
+ <tag state="vulnerable">v2.5.1.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.6</name>
+ <tag state="vulnerable">v2.6.1</tag>
+ <tag state="vulnerable">v2.6.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.7</name>
+ <tag state="vulnerable">v2.7.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.8</name>
+ <tag state="vulnerable">v2.8.1</tag>
+ <tag state="vulnerable">v2.8.1.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.9</name>
+ <tag state="vulnerable">v2.9.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.10</name>
+ <tag state="vulnerable">v2.10.1</tag>
+ <tag state="vulnerable">v2.10.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.11</name>
+ <tag state="vulnerable">v2.11.1</tag>
+ <tag state="vulnerable">v2.11.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.12</name>
+ <tag state="vulnerable">v2.12.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ </repository>
+
+</security-notice>
new file mode 100644
@@ -0,0 +1,247 @@
+<security-notice xmlns="http://qemu.org/xmlns/security-notice/1.0">
+ <id>2018-006</id>
+
+ <summary>slirp buffer overflow assembling fragmented datastream</summary>
+
+ <description>
+<![CDATA[A heap buffer overflow issue was found in the way Slirp networking back-end
+in QEMU processes fragmented packets. It could occur while reassembling the
+fragmented datagrams of an incoming packet.]]>
+ </description>
+
+ <impact>
+<![CDATA[A privileged user/process inside guest could use this flaw to crash the QEMU
+process resulting in DoS OR potentially leverage it to execute arbitrary code
+on the host with privileges of the QEMU process.]]>
+ </impact>
+
+ <mitigation>
+<![CDATA[Replace use of the "user" network backend with an alternative choice]]>
+ </mitigation>
+
+ <credits>
+ <reporter>
+ <name>ZDI Disclosures</name>
+ <email>zdi-disclosures@trendmicro.com</email>
+ </reporter>
+ <patcher>
+ <name>Prasad J Pandit</name>
+ <email>pjp@fedoraproject.org</email>
+ </patcher>
+ </credits>
+
+ <lifecycle>
+ <reported>20180427</reported>
+ <published>20180605</published>
+ <fixed>20180608</fixed>
+ </lifecycle>
+
+ <reference>
+ <advisory type="CVE" id="2018-11806"/>
+ </reference>
+
+ <repository>
+ <branch>
+ <name>master</name>
+ <tag state="fixed">v3.0.0</tag>
+ <change state="fixed">864036e251f54c99d31df124aad7f34f01f5344c</change>
+ <change state="merged">bac5ba3dc5da706f52c149fa6c0bd1dc96899bec</change>
+ <tag state="vulnerable">v0.6.0</tag>
+ <tag state="vulnerable">v0.6.1</tag>
+ <tag state="vulnerable">v0.7.0</tag>
+ <tag state="vulnerable">v0.7.1</tag>
+ <tag state="vulnerable">v0.8.1</tag>
+ <tag state="vulnerable">v0.8.2</tag>
+ <tag state="vulnerable">v0.9.0</tag>
+ <tag state="vulnerable">v0.9.1</tag>
+ <tag state="vulnerable">v1.0</tag>
+ <tag state="vulnerable">v1.1.0</tag>
+ <tag state="vulnerable">v1.2.0</tag>
+ <tag state="vulnerable">v1.3.0</tag>
+ <tag state="vulnerable">v1.4.0</tag>
+ <tag state="vulnerable">v1.5.0</tag>
+ <tag state="vulnerable">v1.6.0</tag>
+ <tag state="vulnerable">v1.7.0</tag>
+ <tag state="vulnerable">v2.0.0</tag>
+ <tag state="vulnerable">v2.1.0</tag>
+ <tag state="vulnerable">v2.2.0</tag>
+ <tag state="vulnerable">v2.3.0</tag>
+ <tag state="vulnerable">v2.4.0</tag>
+ <tag state="vulnerable">v2.5.0</tag>
+ <tag state="vulnerable">v2.6.0</tag>
+ <tag state="vulnerable">v2.7.0</tag>
+ <tag state="vulnerable">v2.8.0</tag>
+ <tag state="vulnerable">v2.9.0</tag>
+ <tag state="vulnerable">v2.10.0</tag>
+ <tag state="vulnerable">v2.11.0</tag>
+ <tag state="vulnerable">v2.12.0</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-0.10</name>
+ <tag state="vulnerable">v0.10.0</tag>
+ <tag state="vulnerable">v0.10.1</tag>
+ <tag state="vulnerable">v0.10.2</tag>
+ <tag state="vulnerable">v0.10.3</tag>
+ <tag state="vulnerable">v0.10.4</tag>
+ <tag state="vulnerable">v0.10.5</tag>
+ <tag state="vulnerable">v0.10.6</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-0.11</name>
+ <tag state="vulnerable">v0.11.0</tag>
+ <tag state="vulnerable">v0.11.1</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-0.12</name>
+ <tag state="vulnerable">v0.12.0</tag>
+ <tag state="vulnerable">v0.12.1</tag>
+ <tag state="vulnerable">v0.12.2</tag>
+ <tag state="vulnerable">v0.12.3</tag>
+ <tag state="vulnerable">v0.12.4</tag>
+ <tag state="vulnerable">v0.12.5</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-0.13</name>
+ <tag state="vulnerable">v0.13.0</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-0.14</name>
+ <tag state="vulnerable">v0.14.0</tag>
+ <tag state="vulnerable">v0.14.1</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-0.15</name>
+ <tag state="vulnerable">v0.15.0</tag>
+ <tag state="vulnerable">v0.15.1</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-1.0</name>
+ <tag state="vulnerable">v1.0.1</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-1.1</name>
+ <tag state="vulnerable">v1.1.1</tag>
+ <tag state="vulnerable">v1.1.2</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-1.2</name>
+ <tag state="vulnerable">v1.2.1</tag>
+ <tag state="vulnerable">v1.2.2</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-1.3</name>
+ <tag state="vulnerable">v1.3.1</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-1.4</name>
+ <tag state="vulnerable">v1.4.1</tag>
+ <tag state="vulnerable">v1.4.2</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-1.5</name>
+ <tag state="vulnerable">v1.5.1</tag>
+ <tag state="vulnerable">v1.5.2</tag>
+ <tag state="vulnerable">v1.5.3</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-1.6</name>
+ <tag state="vulnerable">v1.6.1</tag>
+ <tag state="vulnerable">v1.6.2</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-1.7</name>
+ <tag state="vulnerable">v1.7.1</tag>
+ <tag state="vulnerable">v1.7.2</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-2.0</name>
+ <tag state="vulnerable">v2.0.1</tag>
+ <tag state="vulnerable">v2.0.2</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-2.1</name>
+ <tag state="vulnerable">v2.1.1</tag>
+ <tag state="vulnerable">v2.1.2</tag>
+ <tag state="vulnerable">v2.1.3</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-2.2</name>
+ <tag state="vulnerable">v2.2.1</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-2.3</name>
+ <tag state="vulnerable">v2.3.1</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-2.4</name>
+ <tag state="vulnerable">v2.4.0.1</tag>
+ <tag state="vulnerable">v2.4.1</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-2.5</name>
+ <tag state="vulnerable">v2.5.1</tag>
+ <tag state="vulnerable">v2.5.1.1</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-2.6</name>
+ <tag state="vulnerable">v2.6.1</tag>
+ <tag state="vulnerable">v2.6.2</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-2.7</name>
+ <tag state="vulnerable">v2.7.1</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-2.8</name>
+ <tag state="vulnerable">v2.8.1</tag>
+ <tag state="vulnerable">v2.8.1.1</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-2.9</name>
+ <tag state="vulnerable">v2.9.1</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-2.10</name>
+ <tag state="vulnerable">v2.10.1</tag>
+ <tag state="vulnerable">v2.10.2</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-2.11</name>
+ <tag state="vulnerable">v2.11.1</tag>
+ <tag state="vulnerable">v2.11.2</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ <branch>
+ <name>stable-2.12</name>
+ <tag state="vulnerable">v2.12.1</tag>
+ <change state="vulnerable">f0cbd3ec9f4a3de1a9ef94deda09704543889f44</change>
+ </branch>
+ </repository>
+
+</security-notice>
new file mode 100644
@@ -0,0 +1,201 @@
+<security-notice xmlns="http://qemu.org/xmlns/security-notice/1.0">
+ <id>2018-007</id>
+
+ <summary>qemu-guest-agent integer overflow reading guest file</summary>
+
+ <description>
+<![CDATA[The QEMU Guest Agent in QEMU is vulnerable to an integer overflow in the
+qmp_guest_file_read(). An attacker could exploit this by sending a crafted QMP
+command (including guest-file-read with a large count value) to the agent via
+the listening socket to trigger a g_malloc() call with a large memory chunk
+resulting in a segmentation fault.]]>
+ </description>
+
+ <impact>
+<![CDATA[A user could use this flaw to crash the QEMU guest agent process resulting in DoS.]]>
+ </impact>
+
+ <mitigation>
+<![CDATA[Disable the QEMU guest agent or blacklist the guest-file-read command]]>
+ </mitigation>
+
+ <credits>
+ <reporter>
+ <name>Fakhri Zulkifli</name>
+ <email>mohdfakhrizulkifli@gmail.com</email>
+ </reporter>
+ <patcher>
+ <name>Prasad J Pandit</name>
+ <email>pjp@fedoraproject.org</email>
+ </patcher>
+ </credits>
+
+ <lifecycle>
+ <reported>20180622</reported>
+ <published>20180622</published>
+ <fixed>20180705</fixed>
+ </lifecycle>
+
+ <reference>
+ <advisory type="CVE" id="2018-12617"/>
+ </reference>
+
+ <repository>
+ <branch>
+ <name>master</name>
+ <tag state="fixed">v3.0.0</tag>
+ <change state="fixed">141b197408ab398c4f474ac1a728ab316e921f2b</change>
+ <change state="merged">8beb8cc64da2868acec270e4becb9fea8f9093dc</change>
+ <tag state="vulnerable">v1.0</tag>
+ <tag state="vulnerable">v1.1.0</tag>
+ <tag state="vulnerable">v1.2.0</tag>
+ <tag state="vulnerable">v1.3.0</tag>
+ <tag state="vulnerable">v1.4.0</tag>
+ <tag state="vulnerable">v1.5.0</tag>
+ <tag state="vulnerable">v1.6.0</tag>
+ <tag state="vulnerable">v1.7.0</tag>
+ <tag state="vulnerable">v2.0.0</tag>
+ <tag state="vulnerable">v2.1.0</tag>
+ <tag state="vulnerable">v2.2.0</tag>
+ <tag state="vulnerable">v2.3.0</tag>
+ <tag state="vulnerable">v2.4.0</tag>
+ <tag state="vulnerable">v2.5.0</tag>
+ <tag state="vulnerable">v2.6.0</tag>
+ <tag state="vulnerable">v2.7.0</tag>
+ <tag state="vulnerable">v2.8.0</tag>
+ <tag state="vulnerable">v2.9.0</tag>
+ <tag state="vulnerable">v2.10.0</tag>
+ <tag state="vulnerable">v2.11.0</tag>
+ <tag state="vulnerable">v2.12.0</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-0.15</name>
+ <tag state="vulnerable">v0.15.0</tag>
+ <tag state="vulnerable">v0.15.1</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-1.0</name>
+ <tag state="vulnerable">v1.0.1</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-1.1</name>
+ <tag state="vulnerable">v1.1.1</tag>
+ <tag state="vulnerable">v1.1.2</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-1.2</name>
+ <tag state="vulnerable">v1.2.1</tag>
+ <tag state="vulnerable">v1.2.2</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-1.3</name>
+ <tag state="vulnerable">v1.3.1</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-1.4</name>
+ <tag state="vulnerable">v1.4.1</tag>
+ <tag state="vulnerable">v1.4.2</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-1.5</name>
+ <tag state="vulnerable">v1.5.1</tag>
+ <tag state="vulnerable">v1.5.2</tag>
+ <tag state="vulnerable">v1.5.3</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-1.6</name>
+ <tag state="vulnerable">v1.6.1</tag>
+ <tag state="vulnerable">v1.6.2</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-1.7</name>
+ <tag state="vulnerable">v1.7.1</tag>
+ <tag state="vulnerable">v1.7.2</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-2.0</name>
+ <tag state="vulnerable">v2.0.1</tag>
+ <tag state="vulnerable">v2.0.2</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-2.1</name>
+ <tag state="vulnerable">v2.1.1</tag>
+ <tag state="vulnerable">v2.1.2</tag>
+ <tag state="vulnerable">v2.1.3</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-2.2</name>
+ <tag state="vulnerable">v2.2.1</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-2.3</name>
+ <tag state="vulnerable">v2.3.1</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-2.4</name>
+ <tag state="vulnerable">v2.4.0.1</tag>
+ <tag state="vulnerable">v2.4.1</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-2.5</name>
+ <tag state="vulnerable">v2.5.1</tag>
+ <tag state="vulnerable">v2.5.1.1</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-2.6</name>
+ <tag state="vulnerable">v2.6.1</tag>
+ <tag state="vulnerable">v2.6.2</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-2.7</name>
+ <tag state="vulnerable">v2.7.1</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-2.8</name>
+ <tag state="vulnerable">v2.8.1</tag>
+ <tag state="vulnerable">v2.8.1.1</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-2.9</name>
+ <tag state="vulnerable">v2.9.1</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-2.10</name>
+ <tag state="vulnerable">v2.10.1</tag>
+ <tag state="vulnerable">v2.10.2</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-2.11</name>
+ <tag state="vulnerable">v2.11.1</tag>
+ <tag state="vulnerable">v2.11.2</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ <branch>
+ <name>stable-2.12</name>
+ <tag state="vulnerable">v2.12.1</tag>
+ <change state="vulnerable">e3d4d25206a13ca48936e4357a53591997ce6d57</change>
+ </branch>
+ </repository>
+
+</security-notice>
new file mode 100644
@@ -0,0 +1,225 @@
+<security-notice xmlns="http://qemu.org/xmlns/security-notice/1.0">
+ <id>2018-008</id>
+
+ <summary>rtl8139 integer overflow accessing buffer</summary>
+
+ <description>
+<![CDATA[Qemu emulator built with the RTL8139 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network.]]>
+ </description>
+
+ <impact>
+<![CDATA[A user inside guest could use this flaw to crash the Qemu process resulting in DoS.]]>
+ </impact>
+
+ <mitigation>
+<![CDATA[Replace use of the RTL8139 network adapter with an alternative model]]>
+ </mitigation>
+
+ <credits>
+ <reporter>
+ <name>Daniel Shapira</name>
+ <email>daniel@twistlock.com</email>
+ </reporter>
+ <patcher>
+ <name>Jason Wang</name>
+ <email>jasonwang@redhat.com</email>
+ </patcher>
+ </credits>
+
+ <lifecycle>
+ <reported>20180521</reported>
+ <published>20180926</published>
+ <fixed></fixed>
+ </lifecycle>
+
+ <reference>
+ <advisory type="CVE" id="2018-17958"/>
+ </reference>
+
+ <repository>
+ <branch>
+ <name>master</name>
+ <tag state="fixed"></tag>
+ <change state="fixed">784b912f722bc86126b290c00de72c1bc8d34950</change>
+ <change state="merged"></change>
+ <tag state="vulnerable">v1.0</tag>
+ <tag state="vulnerable">v1.1.0</tag>
+ <tag state="vulnerable">v1.2.0</tag>
+ <tag state="vulnerable">v1.3.0</tag>
+ <tag state="vulnerable">v1.4.0</tag>
+ <tag state="vulnerable">v1.5.0</tag>
+ <tag state="vulnerable">v1.6.0</tag>
+ <tag state="vulnerable">v1.7.0</tag>
+ <tag state="vulnerable">v2.0.0</tag>
+ <tag state="vulnerable">v2.1.0</tag>
+ <tag state="vulnerable">v2.2.0</tag>
+ <tag state="vulnerable">v2.3.0</tag>
+ <tag state="vulnerable">v2.4.0</tag>
+ <tag state="vulnerable">v2.5.0</tag>
+ <tag state="vulnerable">v2.6.0</tag>
+ <tag state="vulnerable">v2.7.0</tag>
+ <tag state="vulnerable">v2.8.0</tag>
+ <tag state="vulnerable">v2.9.0</tag>
+ <tag state="vulnerable">v2.10.0</tag>
+ <tag state="vulnerable">v2.11.0</tag>
+ <tag state="vulnerable">v2.12.0</tag>
+ <tag state="vulnerable">v3.0.0</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-0.11</name>
+ <tag state="vulnerable">v0.11.0</tag>
+ <tag state="vulnerable">v0.11.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-0.12</name>
+ <tag state="vulnerable">v0.12.0</tag>
+ <tag state="vulnerable">v0.12.1</tag>
+ <tag state="vulnerable">v0.12.2</tag>
+ <tag state="vulnerable">v0.12.3</tag>
+ <tag state="vulnerable">v0.12.4</tag>
+ <tag state="vulnerable">v0.12.5</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-0.13</name>
+ <tag state="vulnerable">v0.13.0</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-0.14</name>
+ <tag state="vulnerable">v0.14.0</tag>
+ <tag state="vulnerable">v0.14.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-0.15</name>
+ <tag state="vulnerable">v0.15.0</tag>
+ <tag state="vulnerable">v0.15.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.0</name>
+ <tag state="vulnerable">v1.0.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.1</name>
+ <tag state="vulnerable">v1.1.1</tag>
+ <tag state="vulnerable">v1.1.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.2</name>
+ <tag state="vulnerable">v1.2.1</tag>
+ <tag state="vulnerable">v1.2.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.3</name>
+ <tag state="vulnerable">v1.3.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.4</name>
+ <tag state="vulnerable">v1.4.1</tag>
+ <tag state="vulnerable">v1.4.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.5</name>
+ <tag state="vulnerable">v1.5.1</tag>
+ <tag state="vulnerable">v1.5.2</tag>
+ <tag state="vulnerable">v1.5.3</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.6</name>
+ <tag state="vulnerable">v1.6.1</tag>
+ <tag state="vulnerable">v1.6.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.7</name>
+ <tag state="vulnerable">v1.7.1</tag>
+ <tag state="vulnerable">v1.7.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.0</name>
+ <tag state="vulnerable">v2.0.1</tag>
+ <tag state="vulnerable">v2.0.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.1</name>
+ <tag state="vulnerable">v2.1.1</tag>
+ <tag state="vulnerable">v2.1.2</tag>
+ <tag state="vulnerable">v2.1.3</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.2</name>
+ <tag state="vulnerable">v2.2.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.3</name>
+ <tag state="vulnerable">v2.3.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.4</name>
+ <tag state="vulnerable">v2.4.0.1</tag>
+ <tag state="vulnerable">v2.4.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.5</name>
+ <tag state="vulnerable">v2.5.1</tag>
+ <tag state="vulnerable">v2.5.1.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.6</name>
+ <tag state="vulnerable">v2.6.1</tag>
+ <tag state="vulnerable">v2.6.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.7</name>
+ <tag state="vulnerable">v2.7.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.8</name>
+ <tag state="vulnerable">v2.8.1</tag>
+ <tag state="vulnerable">v2.8.1.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.9</name>
+ <tag state="vulnerable">v2.9.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.10</name>
+ <tag state="vulnerable">v2.10.1</tag>
+ <tag state="vulnerable">v2.10.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.11</name>
+ <tag state="vulnerable">v2.11.1</tag>
+ <tag state="vulnerable">v2.11.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.12</name>
+ <tag state="vulnerable">v2.12.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ </repository>
+
+</security-notice>
new file mode 100644
@@ -0,0 +1,225 @@
+<security-notice xmlns="http://qemu.org/xmlns/security-notice/1.0">
+ <id>2018-009</id>
+
+ <summary>pcnet integer overflow accessing buffer</summary>
+
+ <description>
+<![CDATA[Qemu emulator built with the AMD PC-Net II (Am79C970A) emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network.]]>
+ </description>
+
+ <impact>
+<![CDATA[A user inside guest could use this flaw to crash the Qemu process resulting in DoS.]]>
+ </impact>
+
+ <mitigation>
+<![CDATA[Replace use of the AMD PC-Net II network adapter with an alternative model]]>
+ </mitigation>
+
+ <credits>
+ <reporter>
+ <name>Daniel Shapira</name>
+ <email>daniel@twistlock.com</email>
+ </reporter>
+ <patcher>
+ <name>Jason Wang</name>
+ <email>jasonwang@redhat.com</email>
+ </patcher>
+ </credits>
+
+ <lifecycle>
+ <reported>20180521</reported>
+ <published>20180926</published>
+ <fixed></fixed>
+ </lifecycle>
+
+ <reference>
+ <advisory type="CVE" id="2018-17962"/>
+ </reference>
+
+ <repository>
+ <branch>
+ <name>master</name>
+ <tag state="fixed"></tag>
+ <change state="fixed">2fc84f6b39577ccd6fd57bdd270902f5098c3a88</change>
+ <change state="merged"></change>
+ <tag state="vulnerable">v1.0</tag>
+ <tag state="vulnerable">v1.1.0</tag>
+ <tag state="vulnerable">v1.2.0</tag>
+ <tag state="vulnerable">v1.3.0</tag>
+ <tag state="vulnerable">v1.4.0</tag>
+ <tag state="vulnerable">v1.5.0</tag>
+ <tag state="vulnerable">v1.6.0</tag>
+ <tag state="vulnerable">v1.7.0</tag>
+ <tag state="vulnerable">v2.0.0</tag>
+ <tag state="vulnerable">v2.1.0</tag>
+ <tag state="vulnerable">v2.2.0</tag>
+ <tag state="vulnerable">v2.3.0</tag>
+ <tag state="vulnerable">v2.4.0</tag>
+ <tag state="vulnerable">v2.5.0</tag>
+ <tag state="vulnerable">v2.6.0</tag>
+ <tag state="vulnerable">v2.7.0</tag>
+ <tag state="vulnerable">v2.8.0</tag>
+ <tag state="vulnerable">v2.9.0</tag>
+ <tag state="vulnerable">v2.10.0</tag>
+ <tag state="vulnerable">v2.11.0</tag>
+ <tag state="vulnerable">v2.12.0</tag>
+ <tag state="vulnerable">v3.0.0</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-0.11</name>
+ <tag state="vulnerable">v0.11.0</tag>
+ <tag state="vulnerable">v0.11.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-0.12</name>
+ <tag state="vulnerable">v0.12.0</tag>
+ <tag state="vulnerable">v0.12.1</tag>
+ <tag state="vulnerable">v0.12.2</tag>
+ <tag state="vulnerable">v0.12.3</tag>
+ <tag state="vulnerable">v0.12.4</tag>
+ <tag state="vulnerable">v0.12.5</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-0.13</name>
+ <tag state="vulnerable">v0.13.0</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-0.14</name>
+ <tag state="vulnerable">v0.14.0</tag>
+ <tag state="vulnerable">v0.14.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-0.15</name>
+ <tag state="vulnerable">v0.15.0</tag>
+ <tag state="vulnerable">v0.15.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.0</name>
+ <tag state="vulnerable">v1.0.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.1</name>
+ <tag state="vulnerable">v1.1.1</tag>
+ <tag state="vulnerable">v1.1.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.2</name>
+ <tag state="vulnerable">v1.2.1</tag>
+ <tag state="vulnerable">v1.2.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.3</name>
+ <tag state="vulnerable">v1.3.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.4</name>
+ <tag state="vulnerable">v1.4.1</tag>
+ <tag state="vulnerable">v1.4.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.5</name>
+ <tag state="vulnerable">v1.5.1</tag>
+ <tag state="vulnerable">v1.5.2</tag>
+ <tag state="vulnerable">v1.5.3</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.6</name>
+ <tag state="vulnerable">v1.6.1</tag>
+ <tag state="vulnerable">v1.6.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-1.7</name>
+ <tag state="vulnerable">v1.7.1</tag>
+ <tag state="vulnerable">v1.7.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.0</name>
+ <tag state="vulnerable">v2.0.1</tag>
+ <tag state="vulnerable">v2.0.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.1</name>
+ <tag state="vulnerable">v2.1.1</tag>
+ <tag state="vulnerable">v2.1.2</tag>
+ <tag state="vulnerable">v2.1.3</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.2</name>
+ <tag state="vulnerable">v2.2.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.3</name>
+ <tag state="vulnerable">v2.3.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.4</name>
+ <tag state="vulnerable">v2.4.0.1</tag>
+ <tag state="vulnerable">v2.4.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.5</name>
+ <tag state="vulnerable">v2.5.1</tag>
+ <tag state="vulnerable">v2.5.1.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.6</name>
+ <tag state="vulnerable">v2.6.1</tag>
+ <tag state="vulnerable">v2.6.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.7</name>
+ <tag state="vulnerable">v2.7.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.8</name>
+ <tag state="vulnerable">v2.8.1</tag>
+ <tag state="vulnerable">v2.8.1.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.9</name>
+ <tag state="vulnerable">v2.9.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.10</name>
+ <tag state="vulnerable">v2.10.1</tag>
+ <tag state="vulnerable">v2.10.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.11</name>
+ <tag state="vulnerable">v2.11.1</tag>
+ <tag state="vulnerable">v2.11.2</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ <branch>
+ <name>stable-2.12</name>
+ <tag state="vulnerable">v2.12.1</tag>
+ <change state="vulnerable">4f1c942b7fb29864ad86cb3af9076da38f38f74e</change>
+ </branch>
+ </repository>
+
+</security-notice>
new file mode 100644
@@ -0,0 +1,223 @@
+<security-notice xmlns="http://qemu.org/xmlns/security-notice/1.0">
+ <id>2018-010</id>
+
+ <summary>Ignore network packet sizes larger than INT_MAX</summary>
+
+ <description>
+<![CDATA[A potential integer overflow issue was found in the QEMU emulator. It could occur when a packet with large packet size is accepted and processed.]]>
+ </description>
+
+ <impact>
+<![CDATA[A user inside guest could use this flaw to crash the Qemu process resulting in DoS.]]>
+ </impact>
+
+ <mitigation>
+<![CDATA[None]]>
+ </mitigation>
+
+ <credits>
+ <reporter>
+ <name>Daniel Shapira</name>
+ <email>daniel@twistlock.com</email>
+ </reporter>
+ <patcher>
+ <name>Jason Wang</name>
+ <email>jasonwang@redhat.com</email>
+ </patcher>
+ </credits>
+
+ <lifecycle>
+ <reported>20180521</reported>
+ <published>20180926</published>
+ <fixed></fixed>
+ </lifecycle>
+
+ <reference>
+ <advisory type="CVE" id="2018-17963"/>
+ </reference>
+
+ <repository>
+ <branch>
+ <name>master</name>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>master</name>
+ <tag state="fixed"></tag>
+ <change state="fixed">36772a6341af7c0f100b8e55a1e779db5fe818da</change>
+ <change state="merged"></change>
+ <tag state="vulnerable">v1.0</tag>
+ <tag state="vulnerable">v1.1.0</tag>
+ <tag state="vulnerable">v1.2.0</tag>
+ <tag state="vulnerable">v1.3.0</tag>
+ <tag state="vulnerable">v1.4.0</tag>
+ <tag state="vulnerable">v1.5.0</tag>
+ <tag state="vulnerable">v1.6.0</tag>
+ <tag state="vulnerable">v1.7.0</tag>
+ <tag state="vulnerable">v2.0.0</tag>
+ <tag state="vulnerable">v2.1.0</tag>
+ <tag state="vulnerable">v2.2.0</tag>
+ <tag state="vulnerable">v2.3.0</tag>
+ <tag state="vulnerable">v2.4.0</tag>
+ <tag state="vulnerable">v2.5.0</tag>
+ <tag state="vulnerable">v2.6.0</tag>
+ <tag state="vulnerable">v2.7.0</tag>
+ <tag state="vulnerable">v2.8.0</tag>
+ <tag state="vulnerable">v2.9.0</tag>
+ <tag state="vulnerable">v2.10.0</tag>
+ <tag state="vulnerable">v2.11.0</tag>
+ <tag state="vulnerable">v2.12.0</tag>
+ <tag state="vulnerable">v3.0.0</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-0.12</name>
+ <tag state="vulnerable">v0.12.0</tag>
+ <tag state="vulnerable">v0.12.1</tag>
+ <tag state="vulnerable">v0.12.2</tag>
+ <tag state="vulnerable">v0.12.3</tag>
+ <tag state="vulnerable">v0.12.4</tag>
+ <tag state="vulnerable">v0.12.5</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-0.13</name>
+ <tag state="vulnerable">v0.13.0</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-0.14</name>
+ <tag state="vulnerable">v0.14.0</tag>
+ <tag state="vulnerable">v0.14.1</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-0.15</name>
+ <tag state="vulnerable">v0.15.0</tag>
+ <tag state="vulnerable">v0.15.1</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-1.0</name>
+ <tag state="vulnerable">v1.0.1</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-1.1</name>
+ <tag state="vulnerable">v1.1.1</tag>
+ <tag state="vulnerable">v1.1.2</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-1.2</name>
+ <tag state="vulnerable">v1.2.1</tag>
+ <tag state="vulnerable">v1.2.2</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-1.3</name>
+ <tag state="vulnerable">v1.3.1</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-1.4</name>
+ <tag state="vulnerable">v1.4.1</tag>
+ <tag state="vulnerable">v1.4.2</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-1.5</name>
+ <tag state="vulnerable">v1.5.1</tag>
+ <tag state="vulnerable">v1.5.2</tag>
+ <tag state="vulnerable">v1.5.3</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-1.6</name>
+ <tag state="vulnerable">v1.6.1</tag>
+ <tag state="vulnerable">v1.6.2</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-1.7</name>
+ <tag state="vulnerable">v1.7.1</tag>
+ <tag state="vulnerable">v1.7.2</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-2.0</name>
+ <tag state="vulnerable">v2.0.1</tag>
+ <tag state="vulnerable">v2.0.2</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-2.1</name>
+ <tag state="vulnerable">v2.1.1</tag>
+ <tag state="vulnerable">v2.1.2</tag>
+ <tag state="vulnerable">v2.1.3</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-2.2</name>
+ <tag state="vulnerable">v2.2.1</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-2.3</name>
+ <tag state="vulnerable">v2.3.1</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-2.4</name>
+ <tag state="vulnerable">v2.4.0.1</tag>
+ <tag state="vulnerable">v2.4.1</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-2.5</name>
+ <tag state="vulnerable">v2.5.1</tag>
+ <tag state="vulnerable">v2.5.1.1</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-2.6</name>
+ <tag state="vulnerable">v2.6.1</tag>
+ <tag state="vulnerable">v2.6.2</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-2.7</name>
+ <tag state="vulnerable">v2.7.1</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-2.8</name>
+ <tag state="vulnerable">v2.8.1</tag>
+ <tag state="vulnerable">v2.8.1.1</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-2.9</name>
+ <tag state="vulnerable">v2.9.1</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-2.10</name>
+ <tag state="vulnerable">v2.10.1</tag>
+ <tag state="vulnerable">v2.10.2</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-2.11</name>
+ <tag state="vulnerable">v2.11.1</tag>
+ <tag state="vulnerable">v2.11.2</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ <branch>
+ <name>stable-2.12</name>
+ <tag state="vulnerable">v2.12.1</tag>
+ <change state="vulnerable">9a6ecb308b1c668fff84d56a356dbd595c51d556</change>
+ </branch>
+ </repository>
+
+</security-notice>
new file mode 100644
@@ -0,0 +1,199 @@
+<security-notice xmlns="http://qemu.org/xmlns/security-notice/1.0">
+ <id>2018-011</id>
+
+ <summary>CCID integer overflow reading data</summary>
+
+ <description>
+<![CDATA[An integer overflow issue was found in the CCID Passthru card device emulation, while reading card data in ccid_card_vscard_read() function. The ccid_card_vscard_read() function accepts a signed integer 'size' argument, which is subsequently used as unsigned size_t value in memcpy(), copying large amounts of memory.
+]]>
+ </description>
+
+ <impact>
+<![CDATA[A user inside guest could use this flaw to crash the Qemu process resulting in DoS.]]>
+ </impact>
+
+ <mitigation>
+<![CDATA[Remove the CCID device emulation from virtual machines]]>
+ </mitigation>
+
+ <credits>
+ <reporter>
+ <name>Arash Tohidi</name>
+ <email>tohidi.arash@gmail.com</email>
+ </reporter>
+ <patcher>
+ <name>Philippe Mathieu-Daudé</name>
+ <email>philmd@redhat.com</email>
+ </patcher>
+ </credits>
+
+ <lifecycle>
+ <reported>20180726</reported>
+ <published>20181011</published>
+ <fixed></fixed>
+ </lifecycle>
+
+ <reference>
+ <advisory type="CVE" id="2018-18438"/>
+ </reference>
+
+ <repository>
+ <branch>
+ <name>master</name>
+ <change state="fixed"></change>
+ <change state="merged"></change>
+ <tag state="fixed"></tag>
+ <tag state="vulnerable">v1.0</tag>
+ <tag state="vulnerable">v1.1.0</tag>
+ <tag state="vulnerable">v1.2.0</tag>
+ <tag state="vulnerable">v1.3.0</tag>
+ <tag state="vulnerable">v1.4.0</tag>
+ <tag state="vulnerable">v1.5.0</tag>
+ <tag state="vulnerable">v1.6.0</tag>
+ <tag state="vulnerable">v1.7.0</tag>
+ <tag state="vulnerable">v2.0.0</tag>
+ <tag state="vulnerable">v2.1.0</tag>
+ <tag state="vulnerable">v2.2.0</tag>
+ <tag state="vulnerable">v2.3.0</tag>
+ <tag state="vulnerable">v2.4.0</tag>
+ <tag state="vulnerable">v2.5.0</tag>
+ <tag state="vulnerable">v2.6.0</tag>
+ <tag state="vulnerable">v2.7.0</tag>
+ <tag state="vulnerable">v2.8.0</tag>
+ <tag state="vulnerable">v2.9.0</tag>
+ <tag state="vulnerable">v2.10.0</tag>
+ <tag state="vulnerable">v2.11.0</tag>
+ <tag state="vulnerable">v2.12.0</tag>
+ <tag state="vulnerable">v3.0.0</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-0.15</name>
+ <tag state="vulnerable">v0.15.0</tag>
+ <tag state="vulnerable">v0.15.1</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-1.0</name>
+ <tag state="vulnerable">v1.0.1</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-1.1</name>
+ <tag state="vulnerable">v1.1.1</tag>
+ <tag state="vulnerable">v1.1.2</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-1.2</name>
+ <tag state="vulnerable">v1.2.1</tag>
+ <tag state="vulnerable">v1.2.2</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-1.3</name>
+ <tag state="vulnerable">v1.3.1</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-1.4</name>
+ <tag state="vulnerable">v1.4.1</tag>
+ <tag state="vulnerable">v1.4.2</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-1.5</name>
+ <tag state="vulnerable">v1.5.1</tag>
+ <tag state="vulnerable">v1.5.2</tag>
+ <tag state="vulnerable">v1.5.3</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-1.6</name>
+ <tag state="vulnerable">v1.6.1</tag>
+ <tag state="vulnerable">v1.6.2</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-1.7</name>
+ <tag state="vulnerable">v1.7.1</tag>
+ <tag state="vulnerable">v1.7.2</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-2.0</name>
+ <tag state="vulnerable">v2.0.1</tag>
+ <tag state="vulnerable">v2.0.2</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-2.1</name>
+ <tag state="vulnerable">v2.1.1</tag>
+ <tag state="vulnerable">v2.1.2</tag>
+ <tag state="vulnerable">v2.1.3</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-2.2</name>
+ <tag state="vulnerable">v2.2.1</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-2.3</name>
+ <tag state="vulnerable">v2.3.1</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-2.4</name>
+ <tag state="vulnerable">v2.4.0.1</tag>
+ <tag state="vulnerable">v2.4.1</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-2.5</name>
+ <tag state="vulnerable">v2.5.1</tag>
+ <tag state="vulnerable">v2.5.1.1</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-2.6</name>
+ <tag state="vulnerable">v2.6.1</tag>
+ <tag state="vulnerable">v2.6.2</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-2.7</name>
+ <tag state="vulnerable">v2.7.1</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-2.8</name>
+ <tag state="vulnerable">v2.8.1</tag>
+ <tag state="vulnerable">v2.8.1.1</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-2.9</name>
+ <tag state="vulnerable">v2.9.1</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-2.10</name>
+ <tag state="vulnerable">v2.10.1</tag>
+ <tag state="vulnerable">v2.10.2</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-2.11</name>
+ <tag state="vulnerable">v2.11.1</tag>
+ <tag state="vulnerable">v2.11.2</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ <branch>
+ <name>stable-2.12</name>
+ <tag state="vulnerable">v2.12.1</tag>
+ <change state="vulnerable">edbb21363fbfe40e050f583df921484cbc31c79d</change>
+ </branch>
+ </repository>
+
+</security-notice>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- secnotice/2018/001.xml | 248 +++++++++++++++++++++++++++++++++++++++++ secnotice/2018/002.xml | 242 ++++++++++++++++++++++++++++++++++++++++ secnotice/2018/003.xml | 191 +++++++++++++++++++++++++++++++ secnotice/2018/004.xml | 243 ++++++++++++++++++++++++++++++++++++++++ secnotice/2018/005.xml | 225 +++++++++++++++++++++++++++++++++++++ secnotice/2018/006.xml | 247 ++++++++++++++++++++++++++++++++++++++++ secnotice/2018/007.xml | 201 +++++++++++++++++++++++++++++++++ secnotice/2018/008.xml | 225 +++++++++++++++++++++++++++++++++++++ secnotice/2018/009.xml | 225 +++++++++++++++++++++++++++++++++++++ secnotice/2018/010.xml | 223 ++++++++++++++++++++++++++++++++++++ secnotice/2018/011.xml | 199 +++++++++++++++++++++++++++++++++ 11 files changed, 2469 insertions(+) create mode 100644 secnotice/2018/001.xml create mode 100644 secnotice/2018/002.xml create mode 100644 secnotice/2018/003.xml create mode 100644 secnotice/2018/004.xml create mode 100644 secnotice/2018/005.xml create mode 100644 secnotice/2018/006.xml create mode 100644 secnotice/2018/007.xml create mode 100644 secnotice/2018/008.xml create mode 100644 secnotice/2018/009.xml create mode 100644 secnotice/2018/010.xml create mode 100644 secnotice/2018/011.xml