Re: xen_4.1.6.1-1+deb7u2.dsc
On Fri, Jul 29, 2016 at 01:26:22PM +0200, Bastian Blank wrote:
> Hi Guido
>
> On Fri, Jul 29, 2016 at 01:13:33PM +0200, Guido Günther wrote:
> > * the complete removal of tools/ioemu-qemu-xen - guess this was unused
> > anyway since quite some time, right?
>
> I have no idea and found not one reference to that folder.
>
> > * there are some XSA related patches in debian/patches. Will these move
> > into
> > https://github.com/credativ/xen-lts/
> > eventually?
>
> I think I forgot to delete some. The rest most likely won't as it is
> either qemu or libxl.
>
> > If Brian has no objections feel free to upload, please let me know once
> > done so I can then release the DLA (in case you don't want to handle it
> > yourself).
>
> I have no idea how to do that yet. So feel free.
Thanks for uploading! I've put out the DSA and marked XSA-166 as fixed
in the tracker (since it has no CVE assigned). The tracker lists these
CVE-2016-5403 virtio: unbounded memory allocation on host via guest leading to DoS
CVE-2016-5242 The p2m_teardown function in arch/arm/p2m.c in Xen 4.4.x through 4.6.x ...
CVE-2016-4963 The libxl device-handling in Xen through 4.6.x allows local guest OS ...
CVE-2016-4962 The libxl device-handling in Xen 4.6.x and earlier allows local OS ...
as affecting Wheezy. I've marked CVE-2016-5242 as not-affected since we
don't have ARM xen in wheezy. What about the other ones?
Cheers,
-- Guido