Re: working for wheezy-security until wheezy-lts starts
Guido Günther <agx@sigxcpu.org> writes:
> Sid has Xen 4.6 and looking at the CVEs that affect sid the patches
> don't seem to be applied so the tracker looks correct, there's plenty of
> work left.
>
> Are you going to look at the Wheezy packages?
Looking now.

Just looking at CVE-2015-2756 - this appears to be a vulnerability in
qemu - not xen - and squeeze and wheezy are not affected.

https://security-tracker.debian.org/tracker/CVE-2015-2756

Looking at xen in jessie, there is no changelog entry mentioning
CVE-2015-2756; although it is marked as fixed.

The closest I can find is https://bugs.debian.org/781620 and this
doesn't mention how CVE-2015-2756 was fixed.

The only reason xen appears to be mentioned is because it can use a
vulnerable version of qemu; it doesn't appear to have the vulnerable
code itself.

See: http://xenbits.xen.org/xsa/advisory-126.html

So I am wondering if I can just mark xen in squeeze and wheezy as not
being affected by CVE-2015-2756 too?
--
Brian May <bam@debian.org>