Re: [Xen-devel] old (but unfixed in our clones) qemu security issues?
CC'ing qemu-devel

On Mon, 2 Mar 2015, Jan Beulich wrote:
> Stefano,
>
> apart from having been curious for a while why we carry a fix for
> CVE-2013-4540 in our 4.4.1 based tree, patches for CVE-2014-3615
> appeared there too recently. What is the maintenance state of the
> stable qemu upstream trees in regard to security fixes? I would kind
> of expect that you as the maintainer pick up such fixes (semi-)
> automatically. Quite likely some of the upstream issues don't directly
> affect our clones, perhaps simply because we don't build the
> respective code (at least by default), but I think we should either
> document such facts or (unless they impose severe risk) we should
> apply them nevertheless.

Hi Jan,

unfortunately QEMU doesn't have a security mailing list like Xen Project. The closest thing to it is the Red Hat Security Team, but of course I am not part of it. They send notification of security issues to oss-security, but I am not part of that either: I requested access to oss-security in the past but the request was denied.

I receive no notifications from QEMU upstream on security issues, unless Paolo or Anthony kindly forward me an email. Sometimes that happens, sometimes it doesn't. So I am not surprised that fixes to one or more CVEs fell through the cracks.

I guess I could monitor cve.mitre.org or the QEMU stable tree for commits with "CVE" in the commit message, but there isn't much else I can do. I am happy to follow whatever procedure we think is best given the information available.

- Stefano

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
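The fallback Stefano mentions, scanning the upstream stable tree for commits that name a CVE, can be automated as a diff of CVE identifiers between two trees. The following is an added example and not code from this thread or from the Xen or QEMU projects: it parses the output of `git log --format='%h %s%n%b%n---'` taken once from an upstream stable branch and once from the local clone, collects every CVE id each tree's commit messages mention (subject and body), and reports the ids fixed upstream that no local commit references. The log snippets, commit hashes and subjects below are constructed for illustration; only the two CVE ids come from the thread.

```python
import re
from typing import Dict, List, Set

# Matches CVE identifiers as they appear in commit messages (CVE-YYYY-NNNN...).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Record separator produced by: git log --format='%h %s%n%b%n---' <branch>
RECORD_SEP = re.compile(r"^---\s*$", re.MULTILINE)


def cves_in_log(log_text: str) -> Dict[str, Set[str]]:
    """Map each CVE id mentioned in a git log dump to the commits mentioning it.

    Both the subject line and the body are scanned, so a fix whose subject
    does not carry the id but whose body says "Fixes CVE-..." is still found.
    """
    found: Dict[str, Set[str]] = {}
    for record in RECORD_SEP.split(log_text):
        record = record.strip()
        if not record:
            continue
        commit = record.split(None, 1)[0]  # abbreviated hash from %h
        for cve in CVE_RE.findall(record):
            found.setdefault(cve, set()).add(commit)
    return found


def missing_fixes(upstream_log: str, local_log: str) -> List[str]:
    """CVE ids referenced by upstream commits but by no commit in the local tree."""
    return sorted(set(cves_in_log(upstream_log)) - set(cves_in_log(local_log)))


# Constructed sample input (hypothetical hashes and subjects, not real commits).
UPSTREAM_LOG = """1111111 net: fix for CVE-2013-4540
Backport of the upstream fix.
---
2222222 build: bump version
---
3333333 net: bounds check on receive path

Fixes CVE-2014-3615.
---
"""

LOCAL_LOG = """aaaaaaa Merge upstream CVE-2013-4540 fix
---
bbbbbbb xen: unrelated change
---
"""


if __name__ == "__main__":
    for cve in missing_fixes(UPSTREAM_LOG, LOCAL_LOG):
        upstream_commits = ", ".join(sorted(cves_in_log(UPSTREAM_LOG)[cve]))
        print(f"{cve}: fixed upstream in {upstream_commits}, no local commit mentions it")
```

This matches on the CVE id rather than the commit subject, so a backport with a rewritten subject is still recognised as present. The caveat is that it only sees fixes whose commit message names the id: upstream fixes that landed before an id was assigned, or that never cite one, are invisible to it, so an empty "missing" list is a floor on coverage, not a proof of it.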