
Re: Unsupported packages for Wheezy LTS
On Tue, May 17, 2016 at 12:13:29PM -0400, Antoine Beaupré wrote:
> On 2016-05-13 09:00:59, Antoine Beaupré wrote:
> > So if we're going to do this painful work, might as well maintain some
> > qemu interface in wheezy as well. I am not sure I see what additional
> > cost this would bring: although the attack surface is larger on qemu and
> > Xen uses only some parts of the Qemu codebase, disclosed vulnerabilities
> > concern mostly HVM support in Xen, and not the "unused from Xen" qemu
> > codebase...
> >
> > But yeah, this seems exactly stuff that our sponsored Xen support team
> > should look into. ;)
> 
> Did anyone contact the sponsored xen support team yet? How *do* we
> contact those folks anyways?
> 
> An almost textbook example of the problems we're talking about here:
> 
> http://xenbits.xen.org/xsa/advisory-179.html
> 
> Was marked as EOL in wheezy, but completely ignored the fact that it is
> a Xen advisory, and that Xen *is* vulnerable!

I think this should not be marked EOL. Should we decide to not support
QEMU (standalone) in Wheezy this does not mean we also won't support the
embedded QEMU in XEN (since it's only a subset). These are separate
things.

> https://security-tracker.debian.org/CVE-2016-3712
> https://security-tracker.debian.org/CVE-2016-3710
> 
> I would be tempted to mark this as no-dsa in wheezy because in this
> case, the default video mode is not vulnerable, but what should we do in
> a case like this? If we do not support Qemu standalone, we probably
> can't support Qemu in Xen either, which means parts of the Xen
> functionality is not supported (HVM, for example).

I read no-dsa as "does not warrant a dsa on its own but might be fixed in
an upcoming upload" - so this would likely be the right status. 

> How do we inform our users that Xen is supported but HVM is not? Is that
> a thing we do?

We do support HVM XEN via the support we got on board for XEN - at least
I've not heard/read anything that would support otherwise.

Cheers,
 -- Guido