[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] old (but unfixed in our clones) qemu security issues?



>>> On 02.03.15 at 15:18, <stefano.stabellini@xxxxxxxxxxxxx> wrote:
> On Mon, 2 Mar 2015, Jan Beulich wrote:
>> >>> On 02.03.15 at 15:05, <stefano.stabellini@xxxxxxxxxxxxx> wrote:
>> > I guess I could monitor cve.mitre.org or the QEMU stable tree for
>> > commits with "CVE" in the commit message, but there isn't much else I
>> > can do.
>> 
>> Yes, I think the latter is (for the time being) the most promising route.
>> Question is how much work it is going to be to find out about past
>> ones.
> 
> I could look at the matching QEMU stable tree for each of our past
> qemu-xen-upstream releases.
> 
> Unfortunately it is going to be an error prone process as QEMU stable
> trees have shorter maintenance cycles compared to Xen Project. I am
> unlikely to find recent CVEs backported to 1.6.x, that is the base for
> qemu-xen in Xen 4.4.

Yeah, I think you'll need to look at all stable trees at least, and accept
that some of the fixes may require extra backporting work.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.