>>> On 02.03.15 at 15:18, <stefano.stabell...@eu.citrix.com> wrote:
> On Mon, 2 Mar 2015, Jan Beulich wrote:
>> >>> On 02.03.15 at 15:05, <stefano.stabell...@eu.citrix.com> wrote:
>> > I guess I could monitor cve.mitre.org or the QEMU stable tree for
>> > commits with "CVE" in the commit message, but there isn't much else I
>> > can do.
>>
>> Yes, I think the latter is (for the time being) the most promising route.
>> Question is how much work it is going to be to find out about past
>> ones.
>
> I could look at the matching QEMU stable tree for each of our past
> qemu-xen-upstream releases.
>
> Unfortunately it is going to be an error-prone process as QEMU stable
> trees have shorter maintenance cycles compared to Xen Project. I am
> unlikely to find recent CVEs backported to 1.6.x, that is the base for
> qemu-xen in Xen 4.4.

Yeah, I think you'll need to look at all stable trees at least, and
accept that some of the fixes may require extra backporting work.

Jan
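
The approach discussed in this thread (scan every stable tree for commit messages naming a CVE, then list the ones absent from the base branch), sketched as an added example; it is not code from the thread's participants or from the Xen or QEMU projects. The branch names, hashes, subjects and CVE ids in the sample are constructed placeholders, and the helper names are hypothetical.

```python
import re
import subprocess

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
LOG_FORMAT = "%H%x09%s%n%b%x00"  # hash, TAB, subject, body, NUL record separator

def git_log(repo, branch):
    """Full commit messages of one branch in LOG_FORMAT (needs a local clone)."""
    return subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", branch],
        check=True, capture_output=True, text=True).stdout

def cves_in_log(log_text):
    """Map each CVE id mentioned in a commit message to the commits naming it."""
    found = {}
    for record in log_text.split("\x00"):
        record = record.strip()
        if not record:
            continue
        commit, _, message = record.partition("\t")
        # A set so that a CVE repeated in one message is counted once.
        for cve in {m.upper() for m in CVE_RE.findall(message)}:
            found.setdefault(cve, []).append(commit)
    return found

def missing_from_base(base_log, other_logs):
    """CVEs named on some other stable branch but never on the base branch.

    Returns {cve: [(branch, commit), ...]}: candidates for manual backporting.
    """
    base = cves_in_log(base_log)
    missing = {}
    for branch, text in other_logs.items():
        for cve, commits in cves_in_log(text).items():
            if cve not in base:
                missing.setdefault(cve, []).extend((branch, c) for c in commits)
    return missing

# Constructed sample logs; every hash, subject and CVE id is a placeholder.
SAMPLE_BASE = "aaa1\tvnc: fix bounds check\n\nFixes CVE-0000-0001\n\x00aaa2\tdocs: typo\n\n\x00"
SAMPLE_OTHERS = {
    "stable-newer-1": "bbb1\tvnc: fix bounds check\n\nFixes CVE-0000-0001\n\x00"
                      "bbb2\tide: validate length (cve-0000-0002)\n\n\x00",
    "stable-newer-2": "ccc1\tide: validate length\n\nCVE-0000-0002\n\x00"
                      "ccc2\tnet: cap packet size\n\nCVE-0000-0003, CVE-0000-0003\n\x00",
}

if __name__ == "__main__":
    for cve, hits in sorted(missing_from_base(SAMPLE_BASE, SAMPLE_OTHERS).items()):
        print(cve, hits)
```

A CVE listed as missing is only a candidate: the affected code may not exist in the older base, or the fix may have landed there without the CVE id in its message, so each hit still needs manual review.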