Hi Thorsten,

On Sun, Sep 04, 2016 at 05:23:40PM +0200, Thorsten Alteholz wrote:
> Hi Hugo,
>
> are you aware that this CVE is marked as <no-dsa> in Jessie and soon will be
> in Wheezy as well.
>
> So unless you disagree with this <no-dsa>, it would be better to avoid any
> potential regression and not upload qemu or qemu-kvm.

no-dsa should be used very scarcely in LTS since we don't have a s-p-u to fix
minor issues and reading the RedHat entry[1]:

"A privileged user inside guest could use this flaw to access undue files on the host."

I think we should well fix this vulnerability.

Cheers,
 -- Guido

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7116