13.06.2016 19:55, Ben Hutchings wrote: > On Mon, 2016-06-13 at 18:23 +0300, Michael Tokarev wrote: >> 06.06.2016 04:37, Ben Hutchings wrote: >>> Hello dear maintainer(s), >>> >>> the Debian LTS team would like to fix the security issues which are >>> currently open in the Wheezy version of qemu: >>> https://security-tracker.debian.org/tracker/CVE-2016-3710 >>> https://security-tracker.debian.org/tracker/CVE-2016-3712 >>> https://security-tracker.debian.org/tracker/CVE-2016-5238 >> >> Why these 3? I can see why you want to fix the 2 VGA vulns >> (3710 & 3712 above), but 5238? Note that while the bug might >> look more or less serious, the device in question is not a >> very commonly used one. I don't know if it is used at all. >> More, this prob is nearly impossibe to hit in practice. > > I assume most guests don't need a SCSI controller at all and that > virtio_scsi is the preferred model where the guest OS supports it. But > I have little idea what proportion of guests need some other model or > which models they use. I erred on the side of caution.
It is not "a SCSI controller", it is a less-used one. Usually it is lsi logic controller (which is also emulated by virtualbox and some other virt solutions, so might be used after migration from these), or, at least, megasas. JFYI :) Thanks, /mjt
