Hi Hugo,

On Wed, Dec 28, 2016 at 12:03:48AM +0100, Hugo Lefeuvre wrote:
> Hi,
>
> Last month I've gone through most of the CVEs affecting qemu in the
> past years and investigated whether they were likely to affect the
> wheezy version of Xen. For that I have considered that any
> vulnerability affecting the embedded version of Qemu was also
> affecting Xen, which is, according to Moritz, not true.

See https://wiki.xenproject.org/wiki/QEMU_Upstream . It's only used for
device emulation, so bugs in e.g. TCG or KVM are not affecting XEN. Also,
all devices not available on i386 / amd64 can be ignored. That should
already cut down the list considerably.

> Thus, I'd like to go through the CVEs I marked as affecting Xen in
> wheezy and test whether they are really affecting Xen. However, I do
> not know Xen very well and I will surely not be very efficient.
>
> Moreover, I fear that this is not a very good way of spending my
> assigned time.
>
> So here is my question: How should we handle this mass of potential
> vulnerabilities in Xen? Should we take time to test these (mostly
> minor) potential issues?
>
> Guido: As far as I remember, you wanted to speak about it with
> credativ. Did you do it? Any reply or advice from them?

IIRC we agreed that we triage first before we involve credativ.

Cheers,
-- Guido