[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Wheezy update of qemu?

On Mon, 2016-06-13 at 18:23 +0300, Michael Tokarev wrote:
> 06.06.2016 04:37, Ben Hutchings wrote:
> > Hello dear maintainer(s),
> > 
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of qemu:
> > https://security-tracker.debian.org/tracker/CVE-2016-3710
> > https://security-tracker.debian.org/tracker/CVE-2016-3712
> > https://security-tracker.debian.org/tracker/CVE-2016-5238
> Why these 3?  I can see why you want to fix the 2 VGA vulns
> (3710 & 3712 above), but 5238?  Note that while the bug might
> look more or less serious, the device in question is not a
> very commonly used one.  I don't know if it is used at all.
> More, this prob is nearly impossibe to hit in practice.

I assume most guests don't need a SCSI controller at all and that
virtio_scsi is the preferred model where the guest OS supports it.  But
I have little idea what proportion of guests need some other model or
which models they use.  I erred on the side of caution.

> And even more, this prob isn't fixed in sid yet, as of today
> the fix hasn't landed in upstream git still.

I realise it's not in sid, though I assumed these patches had gone


> VGA bugs are worth to fix for sure.
> /mjt
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: