
Re: [Xen-devel] RFC: Adding a section to the Xen security policy about what constitutes a vulnerability



>>> On 24.01.17 at 12:33, <ian.jackson@xxxxxxxxxxxxx> wrote:
> Jan Beulich writes ("Re: [Xen-devel] RFC: Adding a section to the Xen security policy about what constitutes a vulnerability"):
>> "If a bug requires a vulnerable operating system to be exploitable, the
>>  Xen Security Team will pro-actively investigate the vulnerability of
>>  the following open-source operating systems: Linux, OpenBSD, FreeBSD,
>>  and NetBSD.  The security team will also test or otherwise investigate
>>  the vulnerability of supported Windows versions, and it may also do so
>>  for some other proprietary operating systems."
> 
> I don't think we can promise to come up with a definite conclusion
> for any proprietary system, can we?  Answering such a question for
> Windows is not within our power because we don't have the source code.

Well - see George's original mail, which the above was a reply to.
He has suggested that there's enough knowledge around.

> The question, which the above text leaves unclear, is, what do we do
> if we aren't sure whether there are configurations of Windows which
> have the exposed behaviour.

I think I had given my opinion on this in an earlier mail: If in doubt,
we ought to issue an advisory.

Jan

