Re: [Qemu-devel] [ANNOUNCE] QEMU 1.5.2 Stable released
On Wed, Jul 31, 2013 at 9:19 AM, Miroslav Rezanina mreza...@redhat.com wrote:
> Hi Michael,
>
> how does this affect the 1.5 schedule? Is the date mentioned on
> http://wiki.qemu.org/Planning/1.5 still valid (just increase the build number)?

Yup, 1.5.3 will be released according to original 1.5.2 schedule. I've gone ahead and updated the release schedule on the wiki:

http://wiki.qemu.org/Planning/1.5

> Mirek Rezanina
>
> - Original Message -
> From: Michael Roth mdr...@linux.vnet.ibm.com
> To: qemu-devel@nongnu.org
> Cc: pmato...@redhat.com, aligu...@us.ibm.com, ler...@redhat.com, qemu-sta...@nongnu.org, lve...@redhat.com
> Sent: Thursday, July 25, 2013 11:44:43 PM
> Subject: [Qemu-devel] [ANNOUNCE] QEMU 1.5.2 Stable released
>
> > The QEMU v1.5.2 stable release is now available at:
> >
> > http://wiki.qemu.org/download/qemu-1.5.2.tar.bz2
> >
> > This release is solely to address a security issue (CVE-2013-2231) found in the QEMU Guest Agent on Windows. More details on the nature of the CVE can be found here:
> >
> > http://seclists.org/oss-sec/2013/q3/161
> >
> > There are 2 minor fixes for qemu-ga for Windows as well, though these are included mainly due to being dependencies of the CVE fix sent upstream.
> >
> > Thanks to Laszlo and the Red Hat security team for identifying/fixing the issue.
> >
> > ff4be47: Update VERSION for 1.5.2 release (Michael Roth)
> > be161ae: qga: escape cmdline args when registering win32 service (CVE-2013-2231) (Laszlo Ersek)
> > bb31546: ga_install_service(): nest error paths more idiomatically (Laszlo Ersek)
> > af0bbf8: qga/service-win32.c: diagnostic output should go to stderr (Laszlo Ersek)
> > 31c6ed2: qga: save state directory in ga_install_service() (Laszlo Ersek)
> > c432c7d: qga: remove undefined behavior in ga_install_service() (Laszlo Ersek)
>
> --
> Miroslav Rezanina
> Software Engineer - Virtualization Team
Re: [Qemu-devel] [ANNOUNCE] QEMU 1.5.2 Stable released
Hi Michael,

how does this affect the 1.5 schedule? Is the date mentioned on http://wiki.qemu.org/Planning/1.5 still valid (just increase the build number)?

Mirek Rezanina

- Original Message -
From: Michael Roth mdr...@linux.vnet.ibm.com
To: qemu-devel@nongnu.org
Cc: pmato...@redhat.com, aligu...@us.ibm.com, ler...@redhat.com, qemu-sta...@nongnu.org, lve...@redhat.com
Sent: Thursday, July 25, 2013 11:44:43 PM
Subject: [Qemu-devel] [ANNOUNCE] QEMU 1.5.2 Stable released

> The QEMU v1.5.2 stable release is now available at:
>
> http://wiki.qemu.org/download/qemu-1.5.2.tar.bz2
>
> This release is solely to address a security issue (CVE-2013-2231) found in the QEMU Guest Agent on Windows. More details on the nature of the CVE can be found here:
>
> http://seclists.org/oss-sec/2013/q3/161
>
> There are 2 minor fixes for qemu-ga for Windows as well, though these are included mainly due to being dependencies of the CVE fix sent upstream.
>
> Thanks to Laszlo and the Red Hat security team for identifying/fixing the issue.
>
> ff4be47: Update VERSION for 1.5.2 release (Michael Roth)
> be161ae: qga: escape cmdline args when registering win32 service (CVE-2013-2231) (Laszlo Ersek)
> bb31546: ga_install_service(): nest error paths more idiomatically (Laszlo Ersek)
> af0bbf8: qga/service-win32.c: diagnostic output should go to stderr (Laszlo Ersek)
> 31c6ed2: qga: save state directory in ga_install_service() (Laszlo Ersek)
> c432c7d: qga: remove undefined behavior in ga_install_service() (Laszlo Ersek)

--
Miroslav Rezanina
Software Engineer - Virtualization Team
Re: [Qemu-devel] [ANNOUNCE] QEMU 1.5.2 Stable released
On Thu, Jul 25, 2013 at 04:44:43PM -0500, Michael Roth wrote:
> The QEMU v1.5.2 stable release is now available at:
>
> http://wiki.qemu.org/download/qemu-1.5.2.tar.bz2
>
> This release is solely to address a security issue (CVE-2013-2231) found in the QEMU Guest Agent on Windows. More details on the nature of the CVE can be found here:

It is fairly common to include the CVE number in the commit message subject line as in this case, but sometimes people only put them in the body, or even forget completely. Other times you might not even realize the bug fixed was a CVE until well after the commit is pushed to master.

So for libvirt we just started a policy of creating named tags for every CVE fix [1], so you can just do 'git show CVE-2013-2231' and identify the patch which fixed the issue.

I mention this in case QEMU maintainers think it might be a useful policy/approach for QEMU's GIT too.

Regards,
Daniel

[1] And retroactively tagged all previous fixes.
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
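Added example, not part of the thread and not libvirt's or QEMU's own tooling: a shell audit for the tagging policy described in the message above, listing every CVE id that appears in a commit subject or body but has no tag of the same name. The throwaway repository, the `demo` identity, the helper names and the id CVE-0000-0001 are constructed for illustration; only the CVE-2013-2231 subject line comes from the announcement.

```shell
#!/bin/sh
# Added example: find CVE ids mentioned in commit messages that lack a
# same-named git tag, so 'git show CVE-...' would not resolve to the fix.

# demo_git REPO ARGS...: run git in REPO with a constructed identity.
demo_git() {
    repo=$1; shift
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid "$@"
}

# untagged_cves REPO: print each CVE id found in any commit subject or
# body (all refs) for which refs/tags/<id> does not exist.
untagged_cves() {
    git -C "$1" log --all --format='%s%n%b' |
        grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u |
        while read -r cve; do
            git -C "$1" rev-parse -q --verify "refs/tags/$cve" >/dev/null ||
                echo "$cve"
        done
}

# tag_cve REPO CVE COMMIT: create the annotated tag the policy asks for.
tag_cve() {
    demo_git "$1" tag -a "$2" -m "Fix for $2" "$3"
}

# make_demo_repo: build a constructed repository with one CVE in a
# subject line, one only in a body, and one unrelated commit.
make_demo_repo() {
    d=$(mktemp -d)
    demo_git "$d" init -q
    demo_git "$d" commit -q --allow-empty \
        -m "qga: escape cmdline args when registering win32 service (CVE-2013-2231)"
    demo_git "$d" commit -q --allow-empty \
        -m "net: fix bounds check" -m "Fixes CVE-0000-0001 (constructed id)."
    demo_git "$d" commit -q --allow-empty -m "docs: fix typo"
    echo "$d"
}

# Stand-alone run: report the gaps in the constructed repository.
r=$(make_demo_repo)
untagged_cves "$r"
rm -rf "$r"
```

Run against a real checkout, an empty result means every CVE id mentioned in history already has its tag.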
[Qemu-devel] [ANNOUNCE] QEMU 1.5.2 Stable released
The QEMU v1.5.2 stable release is now available at:

http://wiki.qemu.org/download/qemu-1.5.2.tar.bz2

This release is solely to address a security issue (CVE-2013-2231) found in the QEMU Guest Agent on Windows. More details on the nature of the CVE can be found here:

http://seclists.org/oss-sec/2013/q3/161

There are 2 minor fixes for qemu-ga for Windows as well, though these are included mainly due to being dependencies of the CVE fix sent upstream.

Thanks to Laszlo and the Red Hat security team for identifying/fixing the issue.

ff4be47: Update VERSION for 1.5.2 release (Michael Roth)
be161ae: qga: escape cmdline args when registering win32 service (CVE-2013-2231) (Laszlo Ersek)
bb31546: ga_install_service(): nest error paths more idiomatically (Laszlo Ersek)
af0bbf8: qga/service-win32.c: diagnostic output should go to stderr (Laszlo Ersek)
31c6ed2: qga: save state directory in ga_install_service() (Laszlo Ersek)
c432c7d: qga: remove undefined behavior in ga_install_service() (Laszlo Ersek)
Re: [Qemu-devel] [ANNOUNCE] QEMU 1.5.2 Stable released
On 07/25/13 23:44, Michael Roth wrote:
> The QEMU v1.5.2 stable release is now available at:
>
> http://wiki.qemu.org/download/qemu-1.5.2.tar.bz2
>
> This release is solely to address a security issue (CVE-2013-2231) found in the QEMU Guest Agent on Windows. More details on the nature of the CVE can be found here:
>
> http://seclists.org/oss-sec/2013/q3/161
>
> There are 2 minor fixes for qemu-ga for Windows as well, though these are included mainly due to being dependencies of the CVE fix sent upstream.
>
> Thanks to Laszlo and the Red Hat security team for identifying/fixing the issue.

For identification and analysis Lev Veyde @ RH takes the credit.

Thanks,
Laszlo