Hi Hugo,

On Sun, Oct 30, 2016 at 01:14:57PM +0100, Hugo Lefeuvre wrote:
> Hi Guido,
>
> > While looking at recent Qemu CVEs I noticed that Xen's embedded qemu
> > does not show up on the list of affected packages for QEMU CVEs anymore
> > so I added:
> >
> > - xen 4.4.0-1
> > NOTE: Xen switched to qemu-system in 4.4.0-1
> >
> > to these entries. This shows wheezy as affected so we can triage them
> > (wheezy being the only release left with an embedded qemu).
> >
> > IMHO we need to go back through the other entries and do the same and
> > then triage them as usual or did I miss something related to Xen's
> > embedded QEMU?
>
> I agree. I've just had a look at the embedded version of QEMU (which is,
> by the way, very old now (0.10.2)), and it seems to be vulnerable to
> several security issues already fixed in qemu and qemu-kvm...

Thanks for confirming.

> I wasn't aware that Xen was embedding QEMU (what a weird idea !?).

I triaged the current ones (thankfully we don't have 9pfs in that version)
up to CVE-2016-8669 and will check with the xen guys on how to proceed
with the backlog.

Cheers,
 -- Guido
