Is 2.5+dfsg-5ubuntu10.46 compatible with Ubuntu 14.04 OS? If so, do we need any specific kernel version with Ubuntu 14.04?

Asked by bk160f

We came across some security vulnerabilities in the qemu version 10.39 which we are using. To remediate them, we need to upgrade the Qemu version to 2.5+dfsg-5ubuntu10.46.
My question is: is qemu version 2.5+dfsg-5ubuntu10.46 compatible with Ubuntu 14.04 or not?
If it is compatible, do we need any specific kernel version with Ubuntu 14.04?

Regards,
Bharani.

Question information

Language: English
Status: Answered
For: Ubuntu qemu
Assignee: No assignee

actionparsnip (andrew-woodhead666) said :
#1

Ubuntu 14.04 is no longer supported in any way by anyone. It is EOL (End of life) for standard support.
https://wiki.ubuntu.com/Releases

I suggest you wipe the install off and do a clean install of Focal (Ubuntu 20.04). This is the latest LTS release and is supported until April 2025

Manfred Hampl (m-hampl) said :
#2

@actionparsnip: Ubuntu 14.04 is still in status (paid option for security updates on servers), so there is still (limited) support.

@bk160f: Do you have an ESM subscription for the system in question?

An attempt to install a package for a later Ubuntu release will probably fail with unmet dependencies (the kernel version usually does not matter, but other packages with libraries might need a higher version than the one available in Ubuntu 14.04).

I am not aware of a qemu version 10.39 in Ubuntu. The only thing similar to these numbers is version 1:2.5+dfsg-5ubuntu10.39, which is a version for xenial (Ubuntu 16.04). This does not fit the release "Ubuntu 14.04" mentioned in your question title.

For diagnostic purposes, what is the output of the commands

uname -a
lsb_release -crid
apt-cache policy qemu

bk160f (bk160f) said :
#3

We have Ubuntu 14.04 in production, and there are no plans to change the OS.
Could you please let me know if Qemu version 2.5+dfsg-5ubuntu10.46 is backward compatible/works with Ubuntu 14.04 OS?

Regards,
Bharani..

Manfred Hampl (m-hampl) said :
#4

For diagnostic purposes, what is the output of the commands

uname -a
lsb_release -crid
apt-cache policy qemu

bk160f (bk160f) said :
#5

root@mtn92r03c008:~# uname -a
Linux mtn92r03c008.mtn92.cci.att.com 3.13.0-166-generic #216-Ubuntu SMP Thu Feb 7 14:07:53 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@mtn92r03c008:~# lsb_release -crid
Distributor ID: Ubuntu
Description: Ubuntu 14.04.6 LTS
Release: 14.04
Codename: trusty
root@mtn92r03c008:~# apt-cache policy qemu
qemu:
  Installed: (none)
  Candidate: 1:2.5+dfsg-5ubuntu10.39~u14.04+mos1
  Version table:
     1:2.5+dfsg-5ubuntu10.39~u14.04+mos1 0
       1170 http://172.29.214.139:8889/aic-mos/stable/3.0.3/RC22/infra-mirror-9.0-master/ trusty/main amd64 Packages
     1:2.3+dfsg-5~u14.04+mos2 0
       1170 http://172.29.214.139:8889/aic-mos/stable/3.0.3/RC22/infra-mirror-9.0-master/ trusty/main amd64 Packages
     2.0.0+dfsg-2ubuntu1.44 0
       1001 http://172.29.214.139:8887/ubuntu/ trusty/main amd64 Packages
root@mtn92r03c008:~#

Manfred Hampl (m-hampl) said :
#6

The installation candidate of qemu (1:2.5+dfsg-5ubuntu10.39~u14.04+mos1) on your system is coming from a foreign repository. This is outside the area of responsibility of Ubuntu/Canonical.

If you have questions about such a version, then you have to ask the provider of that foreign source.

And:
"We have Ubuntu14.04 in production. And there is no plans to change the OS."
You will have to change the OS by April 2022 at the latest, because that is the end date of ESM support for Ubuntu 14.04.

If you do not already have a current ESM subscription for the system in question, then you are already running without support (no patches and bug fixes, not even for critical vulnerabilities).

actionparsnip (andrew-woodhead666) said :
#7

I'd suggest you start to make a plan to migrate. It can be painful, it can be easy. It'll need doing at some point soon, and planning your strategy is wise.

bk160f (bk160f) said :
#8

Thanks for your response.

I am checking with Mirantis to understand if it is just a naming change or if the qemu code is customized in this version.
We are trying to pull some fixes for CVEs related to Qemu code:
CVE-2020-14364
CVE-2020-13659
CVE-2020-13754
CVE-2020-13362
CVE-2020-13361
CVE-2020-13253
Below is what I find for the CVEs above:
https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-13754.html
Package
Source: qemu (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): needs-triage
Ubuntu 16.04 LTS (Xenial Xerus): released (1:2.5+dfsg-5ubuntu10.45)
Ubuntu 18.04 LTS (Bionic Beaver): released (1:2.11+dfsg-1ubuntu7.31)
Ubuntu 20.04 LTS (Focal Fossa): released (1:4.2-3ubuntu6.4)
Ubuntu 20.10 (Groovy Gorilla): not-affected (1:5.0-5ubuntu4)

It is the same case for the other CVEs.
In case of Ubuntu 14.04 ESM (Trusty Tahr): needs-triage

I hope this means the CVE fixes are not propagated or compatible with Ubuntu 14.04.

Please share your thoughts on my above observation.

Regards,
Bharani..
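
Added example (not part of the thread, and not Ubuntu or Mirantis code): a Python implementation of the Debian version ordering rules that dpkg and apt apply, run over the version strings quoted in this thread to show how the `1:` epoch and a `~` suffix decide whether a package sorts at or above a tracker's "released" version. The function and constant names are this example's own; the ordering alone does not show which patches a third-party rebuild carries.

```python
import re
from itertools import zip_longest

def _split(version):
    """Split into (epoch, upstream_version, debian_revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:                      # no epoch given means epoch 0
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:                      # no revision given means revision "0"
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision

def _order(ch):
    """'~' sorts before everything, even end of string; letters before symbols."""
    if ch == "~":
        return -1
    if ch == "":
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare alternating non-digit and digit runs, left to right."""
    runs_a = re.findall(r"(\D*)(\d*)", a)
    runs_b = re.findall(r"(\D*)(\d*)", b)
    for (ta, na), (tb, nb) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(ta, tb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def compare(v1, v2):
    """Return -1, 0 or 1 as v1 sorts before, equal to or after v2."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

# Version strings as quoted in this thread.
CANDIDATE = "1:2.5+dfsg-5ubuntu10.39~u14.04+mos1"   # apt-cache policy candidate
XENIAL_FIX = "1:2.5+dfsg-5ubuntu10.45"              # tracker: released for 16.04
TRUSTY_ARCHIVE = "2.0.0+dfsg-2ubuntu1.44"           # trusty/main entry

if __name__ == "__main__":
    for v in (TRUSTY_ARCHIVE, CANDIDATE, "1:2.5+dfsg-5ubuntu10.46",
              "2.5+dfsg-5ubuntu10.46"):              # last one: epoch dropped
        print(f"{v:40} vs {XENIAL_FIX}: {compare(v, XENIAL_FIX):+d}")
```

Writing the version without its `1:` epoch, as in the question title, makes it sort below every epoch-1 build, so the full string from `apt-cache policy` is the one to compare.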
