Re: Qemu CVEs in Xen
On Mon, Dec 26, 2016 at 08:04:29PM +0100, Hugo Lefeuvre wrote:
> Hi Moritz,
>
> > That doesn't make sense. Only a very small subset of the qemu copy
> > is security-relevant in Xen and if that happens they've usually
> > published an XSA advisory for it.
>
> XSA advisories are published for stable versions, which is not the
> case of the version in wheezy. So, IMO it makes sense, at least for
> CVEs published after 2013.
Well, the same wasn't true when 4.0 was covered by Xen upstream support
either.
> What do you mean by "only a very small subset of the qemu copy is
> security-relevant in Xen"?
Unless you can show that a security issue in the qemu code copy affects
Xen, don't add it to src:xen in the security tracker. Right now you're
really messing up the entries for src:xen with highly questionable data.
Cheers,
Moritz