File _patchinfo of Package patchinfo.42023

<patchinfo incident="42023">
  <issue tracker="bnc" id="1254286">cockpit - Virtual machines - Import VM - import qcow2 image failed and it fails to start because of missing 'qemu-hw-display-virtio-gpu' and 'qemu-hw-display-virtio-gpu-pci'</issue>
  <issue tracker="bnc" id="1252768">qemu-system-x86 exists with SIGSEV while installing SLES16 via remote ISO image</issue>
  <issue tracker="bnc" id="1250984">VUL-0: CVE-2025-11234: qemu: qemu-kvm: use-after-free in websocket handshake code can lead to denial of service</issue>
  <issue tracker="bnc" id="1253002">VUL-0: CVE-2025-12464: qemu: net: pad packets to minimum length in qemu_receive_packet()</issue>
  <issue tracker="cve" id="2025-11234"/>
  <issue tracker="cve" id="2025-12464"/>
  <packager>dfaggioli</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for qemu</summary>
  <description>This update for qemu fixes the following issues:

Security issues fixed:

- CVE-2025-12464: stack-based buffer overflow in the e1000 network device operations can be exploited by a malicious
  guest user to crash the QEMU process on the host (bsc#1253002).
- CVE-2025-11234: use-after-free in WebSocket handshake operations can be exploited by a malicious client with network
  access to the VNC WebSocket port to cause a denial-of-service (bsc#1250984).

Other updates and bugfixes:
 
- [openSUSE][RPM]: really fix *-virtio-gpu-pci dependency on ARM (bsc#1254286).
- block/curl: fix curl internal handles handling (bsc#1252768).
</description>
</patchinfo>