[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: xen_4.1.6.1-1+deb7u2.dsc

On Fri, Jul 29, 2016 at 01:26:22PM +0200, Bastian Blank wrote:
> Hi Guido
> On Fri, Jul 29, 2016 at 01:13:33PM +0200, Guido Günther wrote:
> > * the complete removal of tools/ioemu-qemu-xen - guess this was unused
> >   anyway since quiet some time, right?
> I have no idea and found not one reference to that folder.
> > * there are some XSA related patches in debian/patches. Will these move
> >   into
> >       https://github.com/credativ/xen-lts/
> >   eventually?
> I think I forgot to delete some.  The rest most likely won't as it is
> either qemu or libxl.
> > If Brian has no objections feel free to upload, Please let me know once
> > done so I can then release the DLA (in case you don't want to handle it
> > youself).
> I have no idea how to do that yet.  So feel free.

Thanks for uploading! I've put out the DSA and marked XSA-166 as fixed
in the tracker (since it has no CVE assigned). The tracker lists these

CVE-2016-5403	virtio: unbounded memory allocation on host via guest leading to DoS
CVE-2016-5242	The p2m_teardown function in arch/arm/p2m.c in Xen 4.4.x through 4.6.x ...
CVE-2016-4963	The libxl device-handling in Xen through 4.6.x allows local guest OS ...
CVE-2016-4962   The libxl device-handling in Xen 4.6.x and earlier allows local OS ...

as affecting Wheezy. I've marked CVE-2016-5242 as not-affected since we
don't have ARM xen in wheezy. What about the other ones?

 -- Guido

Reply to: