
Re: Qemu CVEs in Xen



Hi Moritz,

> That doesn't make sense. Only a very small subset of the qemu copy
> is security-relevant in Xen and if that happens they've usually
> published an XSA advisory for it.

XSA advisories are published for stable versions, which is not the
case of the version in wheezy. So, IMO it makes sense, at least for
CVEs published after 2013.

What do you mean by "only a very small subset of the qemu copy is
security-relevant in Xen"?

> We only track embedded code copies in the data/CVE/list file if
> there's a specific vulnerability, so please revert all those
> spurious "- xen 4.4.0-1" entries unless you can show an explicit
> vulnerability in the qemu integration in Xen. Right now you're
> cluttering the xen entries for the security tracker and that's
> not helpful at all.

Most of the CVEs I marked as affecting Xen in wheezy are very likely
to really affect it, because the embedded version of qemu is affected.

Cheers,
 Hugo

-- 
             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
