Re: qemu: CVE-2016-7116
On Sun, Sep 04, 2016 at 05:23:40PM +0200, Thorsten Alteholz wrote:
> Hi Hugo,
> are you aware that this CVE is marked as <no-dsa> in Jessie and soon will be
> in Wheezy as well.
> So unless you disagree with this <no-dsa>, it would be better to avoid any
> potential regression and not upload qemu or qemu-kvm.
no-dsa should be used very scarcely in LTS since we don't have a s-p-u
to fix minor issues and reading the RedHat entry:
"A privileged user inside guest could use this flaw to access undue
files on the host."
I think we should well fix this vulnerability.