Re: Triaging question


Thank you. I have added both qemu and xen to dla-needed now. I did not send the regular email about the xen and qemu update, as I remember that Credativ usually does this kind of update (right?).

In addition, I notice now that when I read deeper I actually read the information wrong. Now I understand why it is listed.

// Ola

On 21 November 2016 at 23:23, Hugo Lefeuvre <hle@debian.org> wrote:
Hi Ola,

> Today I started my first front desk duty. I have got quite far in handling
> this but I think the tools could use some improvements.
> What I found was that the xen package was reported in this section with a
> lot of CVEs.
> Section: "Issues not yet triaged for wheezy, but already fixed in jessie:"
> I checked a few but all of them were fixed already in wheezy. They even had
> a DLA.
> Does anyone know why this is the case?

Some weeks ago we discovered that Xen before 4.4.0-1 is embedding a
copy of QEMU 0.10.2. Xen has version 4.1.4 in wheezy, so it is
potentially vulnerable to all security issues affecting QEMU in the
last years (160 CVEs involved).

I have triaged ~100 of them until now. ~20 are actually affecting Xen.

Also, some of these CVEs already have a DLA since they've already
been fixed in qemu/qemu-kvm. However, if you look closely, they are
still affecting Xen.


             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E

 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /