[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: qemu: CVE-2016-7116

Hi Thorsten,
On Sun, Sep 04, 2016 at 05:23:40PM +0200, Thorsten Alteholz wrote:
> Hi Hugo,
> are you aware that this CVE is marked as <no-dsa> in Jessie and soon will be
> in Wheezy as well.
> So unless you disagree with this <no-dsa>, it would be better to avoid any
> potential regression and not upload qemu or qemu-kvm.

no-dsa should be used very scarcely in LTS since we don't have a s-p-u
to fix minor issues and reading the RedHat entry[1]:

"A privileged user inside guest could use this flaw to access undue
files on the host."

I think we should well fix this vulnerability.
 -- Guido

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7116

Reply to: