Re: working for wheezy-security until wheezy-lts starts
Guido Günther <email@example.com> writes:>
> Sid has Xen 4.6 and looking at the CVEs that affect sid the patches
> don't seem to be applied so the tracker looks correct, there's plenty of
> work left.
> Are you going to look at the Wheezy packages?
Just looking at CVE-2015-2756 - this appears to be a vulnerability in
qemu - not xen - and squeeze and wheezy are not affected.
Looking at xen in jessie, there is no changelog entry mentioning
CVE-2015-2756; although it is marked as fixed.
The closest I can find is https://bugs.debian.org/781620 and this
doesn't mention how CVE-2015-2756 was fixed.
The only reason xen appears to be mentioned is because it can use a
vulnerable version of qemu; It doesn't appear to have the vulnerable
So I am wondering if I can just mark xen in squeeze and wheezy as not
being affected by CVE-2015-2756 too?
Brian May <firstname.lastname@example.org>