
Re: Qemu CVEs in Xen



Hi Hugo,
On Sun, Oct 30, 2016 at 01:14:57PM +0100, Hugo Lefeuvre wrote:
> Hi Guido,
> 
> > While looking at recent Qemu CVEs I noticed that Xen's embedded qemu
> > does not show up on the list of affected packages for QEMU CVEs anymore
> > so I added:
> > 
> >     - xen 4.4.0-1
> >     NOTE: Xen switched to qemu-system in 4.4.0-1
> > 
> > to these entries. This shows wheezy as affected so we can triage them
> > (wheezy being the only release left with an embedded qemu).
> > 
> > IMHO we need to go back through the other entries and do the same and
> > then triage them as usual or did I miss something related to Xen's
> > embedded QEMU?
> 
> I agree. I've just had a look at the embedded version of QEMU (which is,
> by the way, very old now (0.10.2)), and it seems to be vulnerable to
> several security issues already fixed in qemu and qemu-kvm...

Thanks for confirming.

> I wasn't aware that Xen was embedding QEMU (what a weird idea !?).

I triaged the current ones (thankfully we don't have 9pfs in that
version) up to CVE-2016-8669 and will check with the xen guys on how to
proceed with the backlog.
Cheers,
 -- Guido

