Peter Maydell <peter.mayd...@linaro.org> writes: > On 7 August 2018 at 14:09, Daniel P. Berrangé <berra...@redhat.com> wrote: >> On Tue, Aug 07, 2018 at 03:07:07PM +0200, Thomas Huth wrote: >>> But 864036e251f54c9 was never part of an official QEMU release, was it? >>> Or did it go into a stable release already? If not, I think you simply >>> need both patches to fix the CVE instead. >> >> Ah possibly - I didn't look at where 864036e251f54c9 was actually >> release or not. If its onyl git master, then yeah, we can use the >> same CVE we already have. > > Yeah, we haven't released anything with 864036e251f54c9 in it yet. > (In particular we did not flag it up for stable and so it is not > in 2.12.1...)
Pointing out the obvious: this is a second opportunity to flag the CVE fix for stable.