18.04.2014 16:27, Adam D. Barratt wrote:
> On 2014-04-18 12:54, Michael Tokarev wrote:
>> 18.04.2014 15:40, Adam D. Barratt wrote:
>>> Not wishing to chase, just a gentle reminder that the window for getting 
>>> updates in to 7.5 closes over the weekend. (Although getting in to 7.6 
>>> instead is presumably not a huge problem.)
>>
>> I've another security bugfix for qemu+qemu-kvm, CVE-2014-2894,
>> assigned today, see
>> https://lists.nongnu.org/archive/html/qemu-devel/2014-04/msg02016.html
>> The fix is also a one-liner.
>>
>> Maybe we can combine the two - this #742386 and CVE-2014-2894 - into a single 
>> pu?
> 
> Looking at the source for the 2.0.0 packages uploaded to unstable yesterday, 
> it looks like they contain the CVE fix? If so then the security-tracker needs 
> updating, as https://security-tracker.debian.org/tracker/CVE-2014-2894 lists 
> unstable as vulnerable. If the security team don't plan to issue a DSA for 
> the issue (which I don't know if they've decided yet) then the patch looks 
> sane enough to include in the p-u.

Yes, 2.0.0 contains the (last-minute) fix.

And no, this fix is definitely worth a DSA.

So I'm uploading +deb7u2 to wheezy-pu as has already been agreed before,
to catch the train to 7.5, with the intention to fix CVE-2014-2894 later.

Thanks,

/mjt