Re: Qemu CVEs in Xen
On Sun, Oct 30, 2016 at 01:14:57PM +0100, Hugo Lefeuvre wrote:
> Hi Guido,
> > While looking at recent Qemu CVEs I noticed that Xen's embedded qemu
> > does not show up on the list of affected packages for QEMU CVEs anymore
> > so I added:
> > - xen 4.4.0-1
> > NOTE: Xen switched to qemu-system in 4.4.0-1
> > to these entries. This shows wheezy as affected so we can triage them
> > (wheezy being the only release left with an embedded qemu).
> > IMHO we need to go back through the other entries and do the same and
> > then triage them as usual, or did I miss something related to Xen's
> > embedded QEMU?
> I agree. I've just had a look at the embedded version of QEMU (which is,
> by the way, very old now (0.10.2)), and it seems to be vulnerable to
> several security issues already fixed in qemu and qemu-kvm...
Thanks for confirming.
> I wasn't aware that Xen was embedding QEMU (what a weird idea!?).
I triaged the current ones (thankfully we don't have 9pfs in that
version) up to CVE-2016-8669 and will check with the xen guys on how to
proceed with the backlog.