[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] RFC v2: Scope of Vulnerabilities for which XSAs are issued

>>> On 14.02.17 at 18:25, <george.dunlap@xxxxxxxxxx> wrote:
> 4. The security team will only issue an advisory if there is a known
> combination of software in which the vulnerability can be exploited.

Considering the following text, perhaps "may" would end up a little
less strict here than "can"? Or add "possibly"? Everything else looks
good to me now, fwiw.


> In most cases, the software which contains the bug is also the target
> of the attack: that is, a bug in Xen allows an unprivileged user to
> crash Xen, a bug in QEMU allows an unprivileged user to escalate its
> privileges to that of the QEMU process.  In these cases "using Xen" or
> "using QEMU" imples "being vunlerable".  But this is not always so:
> for instance, a bug in the Xen instruction emulator might allow a
> guest user to attack the guest kernel, *if* the guest kernel behaves
> in a certain way, but not if it behaves in other ways.
> In such a case, the Xen Security Team will pro-actively investigate
> the vulnerability of the following open-source operating systems:
> Linux, OpenBSD, FreeBSD, and NetBSD.  The security team will also make
> an effort to investigate the vulnerability of Microsoft Windows.  If
> we are reasonably certain that none of these operating systems are
> vulnerable, and there are no other operating systems known to be
> vulnerable, then no advisory will be issued.
> (An example of this scenario is XSA-176: There was a bug in the
> handling of the pagetable PS bits for L3 and L4; but no known
> operating systems were vulnerable to an exploit as a result of the
> bug.  Under these guidelines, XSA-176 would not have been issued.)

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.