[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: working for wheezy-security until wheezy-lts starts

Guido Günther <agx@sigxcpu.org> writes:>

> Sid has Xen 4.6 and looking at the CVEs that affect sid the patches
> don't seem to be applied so the tracker looks correct, there's plenty of
> work left.
> Are you going to look at the Wheezy packages?

Looking now.

Just looking at CVE-2015-2756 - this appears to be a vulnerability in
qemu - not xen - and squeeze and wheezy are not affected.


Looking at xen in jessie, there is no changelog entry mentioning
CVE-2015-2756; although it is marked as fixed.

The closest I can find is https://bugs.debian.org/781620 and this
doesn't mention how CVE-2015-2756 was fixed.

The only reason xen appears to be mentioned is because it can use a
vulnerable version of qemu; It doesn't appear to have the vulnerable
code itself.

See: http://xenbits.xen.org/xsa/advisory-126.html

So I am wondering if I can just mark xen in squeeze and wheezy as not
being affected by CVE-2015-2756 too?
Brian May <bam@debian.org>

Reply to: