On Fri, Jul 29, 2016 at 01:26:22PM +0200, Bastian Blank wrote:
> Hi Guido
>
> On Fri, Jul 29, 2016 at 01:13:33PM +0200, Guido Günther wrote:
> > * the complete removal of tools/ioemu-qemu-xen - guess this was unused
> >   anyway since quite some time, right?
>
> I have no idea and found not one reference to that folder.
>
> > * there are some XSA related patches in debian/patches. Will these move
> >   into
> >   https://github.com/credativ/xen-lts/
> >   eventually?
>
> I think I forgot to delete some. The rest most likely won't as it is
> either qemu or libxl.
>
> > If Brian has no objections feel free to upload. Please let me know once
> > done so I can then release the DLA (in case you don't want to handle it
> > yourself).
>
> I have no idea how to do that yet. So feel free.
Thanks for uploading! I've put out the DSA and marked XSA-166 as fixed in
the tracker (since it has no CVE assigned). The tracker lists these

CVE-2016-5403 virtio: unbounded memory allocation on host via guest leading to DoS
CVE-2016-5242 The p2m_teardown function in arch/arm/p2m.c in Xen 4.4.x through 4.6.x ...
CVE-2016-4963 The libxl device-handling in Xen through 4.6.x allows local guest OS ...
CVE-2016-4962 The libxl device-handling in Xen 4.6.x and earlier allows local OS ...

as affecting Wheezy. I've marked CVE-2016-5242 as not-affected since we
don't have ARM xen in wheezy. What about the other ones?

Cheers,
 -- Guido