Re: Qemu CVEs in Xen



On Tue, Nov 29, 2016 at 10:18:51AM +0100, Hugo Lefeuvre wrote:
> Hi,
> 
> So far, I have triaged ~120 CVEs. I have used all my assigned hours, so
> I won't be able to finish the work this month.
> 
> I have marked Xen as affected by 45 'new' CVEs until now. Not all of
> them deserve a DLA.

That doesn't make sense. Only a very small subset of the qemu copy
is security-relevant in Xen and if that happens they've usually
published an XSA advisory for it.

We only track embedded code copies in the data/CVE/list file if
there's a specific vulnerability, so please revert all those
spurious "- xen 4.4.0-1" entries unless you can show an explicit
vulnerability in the qemu integration in Xen. Right now you're
cluttering the xen entries for the security tracker and that's
not helpful at all.

Cheers,
        Moritz