
Re: working for wheezy-security until wheezy-lts starts



Guido Günther <agx@sigxcpu.org> writes:

> Sid has Xen 4.6 and looking at the CVEs that affect sid the patches
> don't seem to be applied so the tracker looks correct, there's plenty of
> work left.
>
> Are you going to look at the Wheezy packages?

Looking now.

Just looking at CVE-2015-2756 - this appears to be a vulnerability in
qemu - not xen - and squeeze and wheezy are not affected.

https://security-tracker.debian.org/tracker/CVE-2015-2756

Looking at xen in jessie, there is no changelog entry mentioning
CVE-2015-2756, although it is marked as fixed.

The closest I can find is https://bugs.debian.org/781620 and this
doesn't mention how CVE-2015-2756 was fixed.

The only reason xen appears to be mentioned is because it can use a
vulnerable version of qemu; it doesn't appear to have the vulnerable
code itself.

See: http://xenbits.xen.org/xsa/advisory-126.html

So I am wondering if I can just mark xen in squeeze and wheezy as not
being affected by CVE-2015-2756 too?
-- 
Brian May <bam@debian.org>

