
Re: Qemu CVEs in Xen



On Mon, Dec 26, 2016 at 08:04:29PM +0100, Hugo Lefeuvre wrote:
> Hi Moritz,
> 
> > That doesn't make sense. Only a very small subset of the qemu copy
> > is security-relevant in Xen and if that happens they've usually
> > published an XSA advisory for it.
> 
> XSA advisories are published for stable versions, which is not the
> case of the version in wheezy. So, IMO it makes sense, at least for
> CVEs published after 2013.

Well, the same wasn't true when 4.0 was covered by Xen upstream support
either.

> What do you mean by "only a very small subset of the qemu copy is
> security-relevant in Xen"?

Unless you can show that a security issue in the qemu code copy affects
Xen, don't add it to src:xen in the security tracker. Right now you're
really messing up the entries for src:xen with highly questionable data.

Cheers,
        Moritz

