On Fri, 2021-01-22 at 14:55 +0100, Philippe Mathieu-Daudé wrote: > Hi Prasad, Richard. > > On 1/22/21 12:52 PM, P J P wrote: > > +-- On Fri, 22 Jan 2021, Richard Purdie wrote --+ > > > If so can anyone point me at that change? > > > > > > I ask since CVE-2018-18438 is marked as affecting all qemu versions > > > (https://nvd.nist.gov/vuln/detail/CVE-2018-18438). > > > > > > If it was fixed, the version mask could be updated. If the fix wasn't > > > deemed > > > worthwhile for some reason that is also fine and I can mark this one as > > > such > > > in our system. I'm being told we only need one of the patches in this > > > series > > > which I also don't believe as I suspect we either need the set or none of > > > them! > > > > > > Any info would be most welcome. > > > > -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02239.html > > -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02231.html > > > > * Yes, the type change fix had come up during patch reviews above, and this > > series implemented the change. > > > > * Series is required IIUC, didn't realise it's not merged. > > Audit from Marc-André pointed that this is unlikely, we asked the > reporter for a reproducer and got not news, and eventually closed > this as NOTABUG (not even WONTFIX): > https://bugzilla.redhat.com/show_bug.cgi?id=1609015
I guessed there some resolution like this but couldn't find it thanks for the pointer. It's now clear in the archives and I can handle appropriately rejecting carrying those patches, thanks! Cheers, Richard