Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

An error occurred while submitting your form. Please try again or file a bug report. Close

  1. Blog
  2. Article

Robbie
on 13 May 2015

Ubuntu Security Update on VENOM (CVE-2015-3456) [UPDATED]

A buffer overflow in the virtual floppy disk controller of QEMU has been discovered. An attacker could use this issue to cause QEMU to crash or execute arbitrary code in the host’s QEMU process.

This issue is mitigated in a couple ways on Ubuntu when using libvirt to manage QEMU virtual machines, which includes OpenStack’s use of QEMU. The QEMU process in the host environment is owned by a special libvirt-qemu user which helps to limit access to resources in the host environment. Additionally, the QEMU process is confined by an AppArmor profile that significantly lessens the impact of a vulnerability such as VENOM by reducing the host environment’s attack surface.

A fix for this issue has been committed in the upstream QEMU source code tracker. Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, Ubuntu 14.10, and Ubuntu 15.04 are affected. To address the issue, ensure that qemu-kvm 1.0+noroms-0ubuntu14.22 (Ubuntu 12.04 LTS), qemu 2.0.0+dfsg-2ubuntu1.11 (Ubuntu 14.04 LTS), qemu 2.1+dfsg-4ubuntu6.6 (Ubuntu 14.10), qemu 1:2.2+dfsg-5expubuntu9.1 (Ubuntu 15.04) are installed.

For reference, the Ubuntu Security Notices website is the best place to find information on security updates and the affected supported releases of Ubuntu.  Users can get notifications via email and RSS feeds from the USN site, as well as access the Ubuntu CVE Tracker.

Related posts

David Beamonte
19 December 2025

A better way to provision NVIDIA BlueField DPUs at scale with MAAS

Cloud and server MAAS

The recent release of MAAS 3.7 introduces a significant new capability: the ability to provision NVIDIA BlueField Data Processing Units (DPUs) directly through their Baseboard Management Controller (BMC), ...

Philip Williams
19 December 2025

MicroCeph: why it’s the superior MinIO alternative (and how to use it)

Ceph Article

Recently, the team at MinIO moved the open source project into maintenance mode and will no longer accept any changes. That means that no new features or enhancements will be added to MinIO, and existing issues — according to the update — will not be actively considered. Whilst MinIO brought a solid developer-friendly approach to ...

Graham Morrison
18 December 2025

Design and Documentation clinics at FOSDEM Fringe 2026

Ubuntu Article

FOSDEM is one of the biggest and most exciting open source events of the year, held at the Solbosch campus of the Université Libre de Bruxelles (Brussels), Belgium. Thousands of open source contributors and enthusiasts attend, often with several folks from Canonical among them. The next one is coming quickly, with FOSDEM 2026 being held ...