[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] RFC v2: Scope of Vulnerabilities for which XSAs are issued

I noticed that the blog post does not contain a link to the xen-devel@ 
discussion. I will add it

> On 15 Feb 2017, at 09:44, Jan Beulich <jbeulich@xxxxxxxx> wrote:
>>>> On 14.02.17 at 18:25, <george.dunlap@xxxxxxxxxx> wrote:
>> 4. The security team will only issue an advisory if there is a known
>> combination of software in which the vulnerability can be exploited.
> Considering the following text, perhaps "may" would end up a little
> less strict here than "can"? Or add "possibly"? Everything else looks
> good to me now, fwiw.
> Jan
>> In most cases, the software which contains the bug is also the target
>> of the attack: that is, a bug in Xen allows an unprivileged user to
>> crash Xen, a bug in QEMU allows an unprivileged user to escalate its
>> privileges to that of the QEMU process.  In these cases "using Xen" or
>> "using QEMU" imples "being vunlerable".  But this is not always so:
>> for instance, a bug in the Xen instruction emulator might allow a
>> guest user to attack the guest kernel, *if* the guest kernel behaves
>> in a certain way, but not if it behaves in other ways.
>> In such a case, the Xen Security Team will pro-actively investigate
>> the vulnerability of the following open-source operating systems:
>> Linux, OpenBSD, FreeBSD, and NetBSD.  The security team will also make
>> an effort to investigate the vulnerability of Microsoft Windows.  If
>> we are reasonably certain that none of these operating systems are
>> vulnerable, and there are no other operating systems known to be
>> vulnerable, then no advisory will be issued.
>> (An example of this scenario is XSA-176: There was a bug in the
>> handling of the pagetable PS bits for L3 and L4; but no known
>> operating systems were vulnerable to an exploit as a result of the
>> bug.  Under these guidelines, XSA-176 would not have been issued.)
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxx
> https://lists.xen.org/xen-devel

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.