Contributor

@rshanm8x rshanm8x commented Jan 8, 2026

Merge Checklist

All boxes should be checked before merging the PR

  • The changes in the PR have been built and tested
  • cgmanifest file has been updated if required
  • Ready to merge

Description

[Black Duck] Security vulnerabilities (CVE-2025-54566, CVE-2025-54567) were detected in qemu-9.1.0-5.emt3.
QEMU has been upgraded to resolve the reported issues.

Any Newly Introduced Dependencies

How Has This Been Tested?

Created an RPM, uploaded it to a BDBA scan, and found no CVEs.

- Upgrade qemu version 9.1.0 to 10.0.4
- Fix CVE-2025-54566 and CVE-2025-54567

Signed-off-by: RajeshX Shanmugam <[email protected]>
Contributor Author

rshanm8x commented Jan 12, 2026

Specs & Delta build look fine, no issues. Job links added in JIRA ITEP-83587.

@rshanm8x rshanm8x marked this pull request as ready for review January 12, 2026 13:07
@rshanm8x rshanm8x requested a review from a team as a code owner January 12, 2026 13:07
@rshanm8x rshanm8x self-assigned this Jan 12, 2026
Contributor

andy-vm commented Jan 13, 2026

  • Please provide justification for the version bump. Is it only for the CVE fix?
  • Are these changes tested in Ubuntu BKC?

Contributor

@andy-vm andy-vm left a comment


As a best practice, we refrain from making bulk updates in a single PR.

@rshanm8x
Contributor Author

  • Please provide justification for the version bump. Is it only for the CVE fix?
  • Are these changes tested in Ubuntu BKC?

  • Yes, the version bump was done specifically to address the CVE fix.
  • Initially, we attempted to resolve the issue using a patch-level update. However, this approach did not work due to code compatibility issues between versions 10.0.4 and 9.1.0.
  • The available patch was created against version 10.0.4 and backporting it to 9.1.0 was not feasible. As a result, a version bump was required to incorporate the fix correctly.

Regarding Ubuntu BKC testing:

  • The changes have not been validated against Ubuntu BKC.
  • I was not previously aware of the Ubuntu BKC requirement for this change.
  • Could you please share any relevant references or documentation so we can review and align with the expected validation process?
