Re: qemu: CVE-2016-7116

To: Thorsten Alteholz <debian@alteholz.de>
Cc: Hugo Lefeuvre <hle@debian.org>, debian-lts@lists.debian.org
Subject: Re: qemu: CVE-2016-7116
From: Guido Günther <agx@sigxcpu.org>
Date: Sun, 4 Sep 2016 19:46:29 +0200
Message-id: <[🔎] 20160904174629.ol7wwfbhlhumyixn@bogon.m.sigxcpu.org>
Mail-followup-to: Guido Günther <agx@sigxcpu.org>, Thorsten Alteholz <debian@alteholz.de>, Hugo Lefeuvre <hle@debian.org>, debian-lts@lists.debian.org
In-reply-to: <[🔎] alpine.DEB.2.02.1609041718450.30295@jupiter.server.alteholz.net>
References: <[🔎] 20160902101216.ehmavdmk747yyvih@hle.local> <[🔎] 20160903155500.pdf6v7xwrgvpzaf2@bogon.m.sigxcpu.org> <[🔎] 20160904112556.oocrabkpcwhbjnr3@hle.local> <[🔎] alpine.DEB.2.02.1609041718450.30295@jupiter.server.alteholz.net>

Hi Thorsten,
On Sun, Sep 04, 2016 at 05:23:40PM +0200, Thorsten Alteholz wrote:
> Hi Hugo,
> 
> are you aware that this CVE is marked as <no-dsa> in Jessie and soon will be
> in Wheezy as well.
> 
> So unless you disagree with this <no-dsa>, it would be better to avoid any
> potential regression and not upload qemu or qemu-kvm.

no-dsa should be used very scarcely in LTS since we don't have a s-p-u
to fix minor issues and reading the RedHat entry[1]:

"A privileged user inside guest could use this flaw to access undue
files on the host."

I think we should well fix this vulnerability.
Cheers,
 -- Guido

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7116

Reply to:

Follow-Ups:
- Re: qemu: CVE-2016-7116
  - From: Thorsten Alteholz <debian@alteholz.de>

References:
- qemu: CVE-2016-7116
  - From: Hugo Lefeuvre <hle@debian.org>
- Re: qemu: CVE-2016-7116
  - From: Guido Günther <agx@sigxcpu.org>
- Re: qemu: CVE-2016-7116
  - From: Hugo Lefeuvre <hle@debian.org>
- Re: qemu: CVE-2016-7116
  - From: Thorsten Alteholz <debian@alteholz.de>

Prev by Date: LTS report for August 2016
Next by Date: Re: qemu: CVE-2016-7116
Previous by thread: Re: qemu: CVE-2016-7116
Next by thread: Re: qemu: CVE-2016-7116
Index(es):
- Date
- Thread