
Re: CVE triage for Xen



Hi Hugo,
On Wed, Dec 28, 2016 at 12:03:48AM +0100, Hugo Lefeuvre wrote:
> Hi,
> 
> Last month I've gone through most of the CVEs affecting qemu in the
> past years and investigated whether they were likely to affect the
> wheezy version of Xen. For that I have considered that any
> vulnerability affecting the embedded version of Qemu was also
> affecting Xen, which is, according to Moritz, not true.

See https://wiki.xenproject.org/wiki/QEMU_Upstream . It's only used for
device emulation, so bugs in e.g. TCG or KVM do not affect Xen. Also,
all devices not available on i386 / amd64 can be ignored. That should
already cut down the list considerably.

> Thus, I'd like to go through the CVEs I marked as affecting Xen in
> wheezy and test whether they are really affecting Xen. However, I do
> not know Xen very well and I will surely not be very efficient.
> 
> Moreover, I fear that this is not a very good way of spending my
> assigned time.
> 
> So here is my question: How should we handle this mass of potential
> vulnerabilities in Xen? Should we take time to test these (mostly
> minor) potential issues?
> 
> Guido: As far as I remember, you wanted to speak about it with
> credativ. Did you do it? Any reply or advice from them?

IIRC we agreed that we triage first before we involve credativ.

Cheers,
 -- Guido
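
The two filters Guido describes (QEMU is only used by Xen for device emulation, so TCG/KVM bugs are out of scope, and devices not built on i386/amd64 can be ignored) as a small triage helper. This is an added example, not code from the thread or from the Debian LTS tooling; the record layout, the CVE ids, the device names and the summaries are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Subsystems Xen never exercises: it embeds QEMU for device emulation only.
NON_DEVICE_SUBSYSTEMS = {"tcg", "kvm"}
# Architectures the Xen device model is built for (per the mail: i386 / amd64).
XEN_ARCHES = frozenset({"i386", "amd64"})


@dataclass(frozen=True)
class QemuCve:
    cve_id: str                 # placeholder id, not a real CVE number
    subsystem: str              # "tcg", "kvm" or "device"
    device: Optional[str]       # emulated device name, None for non-device bugs
    arches: FrozenSet[str]      # architectures that build the affected code
    summary: str                # constructed one-line description


def triage(cve: QemuCve) -> Tuple[str, str]:
    """Apply the two filters from the mail; return (verdict, reason)."""
    subsystem = cve.subsystem.lower()
    if subsystem in NON_DEVICE_SUBSYSTEMS:
        return "not-affected", f"{subsystem} code is not used by Xen"
    if subsystem == "device" and not (cve.arches & XEN_ARCHES):
        return "not-affected", f"{cve.device} is not built on i386/amd64"
    # Anything left is a device-emulation bug in an x86 build: look at it.
    return "check", "device emulation reachable on x86; needs manual review"


def triage_all(cves: List[QemuCve]) -> Dict[str, Tuple[str, str]]:
    return {c.cve_id: triage(c) for c in cves}


# Constructed sample records (ids, devices and summaries are placeholders).
SAMPLE = [
    QemuCve("CVE-XXXX-0001", "tcg", None, frozenset({"i386", "amd64", "arm"}),
            "constructed: bug in TCG translation"),
    QemuCve("CVE-XXXX-0002", "kvm", None, frozenset({"i386", "amd64"}),
            "constructed: bug in KVM ioctl handling"),
    QemuCve("CVE-XXXX-0003", "device", "example-arm-only-dev", frozenset({"arm"}),
            "constructed: overflow in a device only built for arm"),
    QemuCve("CVE-XXXX-0004", "device", "example-x86-nic", frozenset({"i386", "amd64"}),
            "constructed: overflow in an x86 network device model"),
]

if __name__ == "__main__":
    for cve_id, (verdict, reason) in triage_all(SAMPLE).items():
        print(f"{cve_id}: {verdict} ({reason})")
```

Only the "check" bucket needs the manual investigation Hugo is worried about; the rest is filtered out before anyone has to read Xen code.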
