Guido Günther <a...@sigxcpu.org> writes: > I don't think this is needed for jessie since the corresponding function > in qemu was implemented in 4.8.0.
Sounds like it won't hurt to leave this in, in any case... > qemuDomainGetTime is present in 1.2.9 and uses the guest agent so it's > affected as well. The corresponding virDomainGetTime has no read only > check so this could be an issue (but should likely use a different > CVE). This was upstream fixed in > > 506e9d6c2d4baaf580d489fff0690c0ff2ff588f Ok, so it does sound like I should make this change too. Like it or not, I suspect CVE-2019-3886 might be getting used for both issues. -- Brian May <b...@debian.org>