On Mon, 2016-06-13 at 18:23 +0300, Michael Tokarev wrote:
> 06.06.2016 04:37, Ben Hutchings wrote:
> > Hello dear maintainer(s),
> >
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of qemu:
> > https://security-tracker.debian.org/tracker/CVE-2016-3710
> > https://security-tracker.debian.org/tracker/CVE-2016-3712
> > https://security-tracker.debian.org/tracker/CVE-2016-5238
>
> Why these 3?  I can see why you want to fix the 2 VGA vulns
> (3710 & 3712 above), but 5238?  Note that while the bug might
> look more or less serious, the device in question is not a
> very commonly used one.  I don't know if it is used at all.
> More, this prob is nearly impossible to hit in practice.

I assume most guests don't need a SCSI controller at all and that
virtio_scsi is the preferred model where the guest OS supports it.  But
I have little idea what proportion of guests need some other model or
which models they use.  I erred on the side of caution.

> And even more, this prob isn't fixed in sid yet, as of today
> the fix hasn't landed in upstream git still.

I realise it's not in sid, though I assumed these patches had gone
upstream:
https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg00150.html

Ben.

> VGA bugs are worth fixing for sure.
>
> /mjt

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams