On 09/14/2015 02:43 PM, Michael Tokarev wrote: > 14.09.2015 21:04, John Snow wrote: >> On 09/11/2015 02:56 AM, Michael Tokarev wrote: >>> 09.09.2015 19:28, John Snow wrote: >>>> We're a little too lenient with what we'll let an ATAPI drive handle. >>>> Clamp down on the IDE command execution table to remove CD_OK permissions >>>> from commands that are not and have never been ATAPI commands. >>> >>> FWIW, this issue has been assigned CVE-2015-6855 identifier, which >>> can be reflected in the commit message when applying. Since this >>> issue has security impact, it might be a good idea to add >>> >>> Cc: qemu-sta...@nongnu.org >> >> I'm still awaiting review/acks, but would you like me to re-send this >> patch to trivial, or just fwd/reply-to? > > I think it is anything but trivial ;) Well, the semantics is trivial, > but it isn't -trivial material per se. > > I suggested add a Cc to qemu-stable, this can be done at commit, > together with mentioning the CVE# assigned meanwhile, and I don't > know who will commit it, Kevin? > > Thanks, > > /mjt >
I'll be sending the pullreq through my tree, but I was waiting on at least an ACK or so before I went ahead. I can add CC: qemu-stable to the patch on-pull if that's sufficient for you. --js
