On Mon, 2 Mar 2015, Jan Beulich wrote: > >>> On 02.03.15 at 15:05, <stefano.stabell...@eu.citrix.com> wrote: > > I guess I could monitor cve.mitre.org or the QEMU stable tree for > > commits with "CVE" in the commit message, but there isn't much else I > > can do. > > Yes, I think the latter is (for the time being) the most promising route. > Question is how much work it is going to be to find out about past > ones.
I could look at the matching QEMU stable tree for each of our past qemu-xen-upstream releases. Unfortunately it is going to be an error prone process as QEMU stable trees have shorter maintenance cycles compared to Xen Project. I am unlikely to find recent CVEs backported to 1.6.x, that is the base for qemu-xen in Xen 4.4. _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
