Re: qemu: CVE-2016-7116
Hi Thorsten,
On Sun, Sep 04, 2016 at 05:23:40PM +0200, Thorsten Alteholz wrote:
> Hi Hugo,
>
> are you aware that this CVE is marked as <no-dsa> in Jessie and soon will be
> in Wheezy as well?
>
> So unless you disagree with this <no-dsa>, it would be better to avoid any
> potential regression and not upload qemu or qemu-kvm.
no-dsa should be used very scarcely in LTS since we don't have an s-p-u
to fix minor issues and reading the Red Hat entry[1]:
"A privileged user inside guest could use this flaw to access undue
files on the host."
I think we should well fix this vulnerability.
Cheers,
-- Guido
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7116