On 7 August 2018 at 16:47, Markus Armbruster <[email protected]> wrote: > Peter Maydell <[email protected]> writes: > >> On 7 August 2018 at 14:09, Daniel P. Berrangé <[email protected]> wrote: >>> On Tue, Aug 07, 2018 at 03:07:07PM +0200, Thomas Huth wrote: >>>> But 864036e251f54c9 was never part of an official QEMU release, was it? >>>> Or did it go into a stable release already? If not, I think you simply >>>> need both patches to fix the CVE instead. >>> >>> Ah possibly - I didn't look at where 864036e251f54c9 was actually >>> release or not. If its onyl git master, then yeah, we can use the >>> same CVE we already have. >> >> Yeah, we haven't released anything with 864036e251f54c9 in it yet. >> (In particular we did not flag it up for stable and so it is not >> in 2.12.1...) > > Pointing out the obvious: this is a second opportunity to flag the CVE > fix for stable.
Well, as long as we get both halves of it, yes :-) (ie commits 864036e251f54c9 + 09b94ac0f29db3b022a77a). thanks -- PMM
