
Re: Qemu CVEs in Xen



On 29/11/16 10:18, Hugo Lefeuvre wrote:
> Hi,
> 
> So far, I have triaged ~120 CVEs. I have used all my assigned hours, so
> I won't be able to finish the work this month.
> 
> I have marked Xen as affected by 45 'new' CVEs until now. Not all of
> them deserve a DLA.
> 
> Here are the remaining ones:
> 
> CVE-2009-3616
> CVE-2010-0297
> CVE-2010-0431
> CVE-2010-2784
> CVE-2011-0011
> CVE-2011-1750
> CVE-2011-1751
> CVE-2011-2212
> CVE-2011-2512
> CVE-2011-2527
> CVE-2011-3346
> CVE-2012-2652
> CVE-2013-4149
> CVE-2013-4150
> CVE-2013-4526
> CVE-2013-4527
> CVE-2013-4529
> CVE-2013-4530
> CVE-2013-4531
> CVE-2013-4534
> CVE-2013-4535
> CVE-2013-4536
> CVE-2013-4539
> CVE-2013-4540
> CVE-2013-4541
> CVE-2014-0142
> CVE-2014-0143
> CVE-2014-0144
> CVE-2014-0145
> CVE-2014-0147
> CVE-2014-0150
> CVE-2014-0182
> CVE-2014-3461
> CVE-2014-3615
> CVE-2014-3689
> CVE-2014-7840
> CVE-2014-9718
> CVE-2015-8556
> CVE-2015-4037
> 
> Feel free to have a look at them.
> Issues before 2009 are not affecting Xen in wheezy:
> 
> CVE-2007-1321
> CVE-2007-1322
> CVE-2007-1366
> CVE-2007-5729
> CVE-2007-5730
> CVE-2007-6227
> CVE-2008-1945
> CVE-2008-4539
> CVE-2008-4553
> CVE-2008-5714
> 
> Should I mark Xen as unaffected by these issues in the tracker or should
> we just ignore them?

They are not marked as affecting wheezy anyway (actually they aren't marked as
affecting xen at all). Because of that and because they are so old, I would just
leave them as they are. If you mark them as affecting xen, you need to dig which
version fixed them in Debian so they are not "opened" for sid/jessie.

Cheers,
Emilio

