Hi Ola,

> Today I started my first front desk duty. I have got quite far in handling
> this but I think the tools could use some improvements.
> What I found was that the xen package was reported in this section with a
> lot of CVEs.
> Section: "Issues not yet triaged for wheezy, but already fixed in jessie:"
>
> I checked a few but all of them were fixed already in wheezy. They even had
> a DLA.
> Does anyone know why this is the case?
Some weeks ago we discovered that Xen before 4.4.0-1 is embedding a copy of QEMU 0.10.2. Xen has version 4.1.4 in wheezy, so it is potentially vulnerable to all security issues affecting QEMU in the last years (160 CVEs involved).

I have triaged ~100 of them until now. ~20 are actually affecting Xen.

Also, some of these CVEs already have a DLA since they've already been fixed in qemu/qemu-kvm. However, if you look closely, they are still affecting Xen.

Cheers,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E