> Today I started my first front desk duty. I have got quite far in handling
> this but I think the tools could use some improvements.
> What I found was that the xen package was reported in this section with a
> lot of CVEs.
> Section: "Issues not yet triaged for wheezy, but already fixed in jessie:"
> I checked a few but all of them were fixed already in wheezy. They even had
> a DLA.
> Do anyone know why this is the case?
Some weeks ago we discovered that Xen before 4.4.0-1 is embedding a
copy of QEMU 0.10.2. Xen has version 4.1.4 in wheezy, so it is
potentially vulnerable to all security issues affecting QEMU in the
last years (160 CVEs involved).
I have triaged ~100 of them until now. ~20 are actually affecting Xen.
Also, some of these CVEs already have a DLA since they've already
been fixed in qemu/qemu-kvm. However, if you look closely, they are
still affecting Xen.
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E