[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Xen Security Advisory 180 (CVE-2014-3672) - Unrestricted qemu logging

On Wed, May 25, 2016 at 03:04:40PM +0100, George Dunlap wrote:
> On Mon, May 23, 2016 at 6:09 PM, Xen.org security team <security@xxxxxxx> 
> wrote:
> > ==========
> >
> > Applying the appropriate attached patch resolves this issue.
> >
> > The patches adopt a simple and rather crude approach which is
> > effective at resolving the security issue in the context of a Xen
> > device model.  They may not be appropriate for adoption upstream or in
> > other contexts.
> This is indeed a rather crude approach; but for our upcoming 4.7
> release, what's the plan?  Do we have time to generalize xenconsoled
> to handle this sort of logging, and if so, who is going to do that
> work?

I this it's going to be a bit intrusive at this point to change
xenconsoled to do that. However it should be too hard to test.
We also need people to test and review it. All in all it seems time is
very tight.

We can at least apply this patch to our own tree.


>  -George
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxx
> http://lists.xen.org/xen-devel

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.