Hi

Thank you. I have added both qemu and xen to dla-needed now. I did not send the regular email about xen and qemu update as I remember that Credativ usually do this kind of update (right?).

In addition, I notice now that when I read deeper I actually read the information wrong. Now I understand why it is listed.

// Ola

On 21 November 2016 at 23:23, Hugo Lefeuvre <h...@debian.org> wrote:

> Hi Ola,
>
> > Today I started my first front desk duty. I have got quite far in handling
> > this but I think the tools could use some improvements.
> > What I found was that the xen package was reported in this section with a
> > lot of CVEs.
> > Section: "Issues not yet triaged for wheezy, but already fixed in jessie:"
> >
> > I checked a few but all of them were fixed already in wheezy. They even had
> > a DLA.
> > Does anyone know why this is the case?
>
> Some weeks ago we discovered that Xen before 4.4.0-1 is embedding a
> copy of QEMU 0.10.2. Xen has version 4.1.4 in wheezy, so it is
> potentially vulnerable to all security issues affecting QEMU in the
> last years (160 CVEs involved).
>
> I have triaged ~100 of them until now. ~20 are actually affecting Xen.
>
> Also, some of these CVEs already have a DLA since they've already
> been fixed in qemu/qemu-kvm. However, if you look closely, they are
> still affecting Xen.
>
> Cheers,
> Hugo
>
> --
> Hugo Lefeuvre (hle) | www.owl.eu.com
> 4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E

--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/               Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------