Guido Günther <a...@sigxcpu.org> writes:

> Sid has Xen 4.6 and looking at the CVEs that affect sid the patches
> don't seem to be applied so the tracker looks correct, there's plenty of
> work left.
>
> Are you going to look at the Wheezy packages?

Looking now.

Just looking at CVE-2015-2756 - this appears to be a vulnerability in qemu - not xen - and squeeze and wheezy are not affected.

https://security-tracker.debian.org/tracker/CVE-2015-2756

Looking at xen in jessie, there is no changelog entry mentioning CVE-2015-2756, although it is marked as fixed. The closest I can find is https://bugs.debian.org/781620 and this doesn't mention how CVE-2015-2756 was fixed.

The only reason xen appears to be mentioned is because it can use a vulnerable version of qemu; it doesn't appear to have the vulnerable code itself. See:

http://xenbits.xen.org/xsa/advisory-126.html

So I am wondering if I can just mark xen in squeeze and wheezy as not being affected by CVE-2015-2756 too?

-- 
Brian May <b...@debian.org>