On Mon, 2016-06-13 at 20:28 +0300, Michael Tokarev wrote:
> 13.06.2016 19:55, Ben Hutchings wrote:
> > On Mon, 2016-06-13 at 18:23 +0300, Michael Tokarev wrote:
> > > 06.06.2016 04:37, Ben Hutchings wrote:
> > > > Hello dear maintainer(s),
> > > >
> > > > the Debian LTS team would like to fix the security issues which are
> > > > currently open in the Wheezy version of qemu:
> > > > https://security-tracker.debian.org/tracker/CVE-2016-3710
> > > > https://security-tracker.debian.org/tracker/CVE-2016-3712
> > > > https://security-tracker.debian.org/tracker/CVE-2016-5238
> > >
> > > Why these 3? I can see why you want to fix the 2 VGA vulns
> > > (3710 & 3712 above), but 5238? Note that while the bug might
> > > look more or less serious, the device in question is not a
> > > very commonly used one. I don't know if it is used at all.
> > > More, this prob is nearly impossible to hit in practice.
> >
> > I assume most guests don't need a SCSI controller at all and that
> > virtio_scsi is the preferred model where the guest OS supports it. But
> > I have little idea what proportion of guests need some other model or
> > which models they use. I erred on the side of caution.
>
> It is not "a SCSI controller", it is a less-used one. Usually
> it is lsi logic controller (which is also emulated by virtualbox
> and some other virt solutions, so might be used after migration
> from these), or, at least, megasas.
>
> JFYI :)

I've now marked -5238 and -5338 (also in esp) as minor issues not
requiring a DSA/DLA.

Ben.

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams