[Pkg-xen-devel] CVE-2015-3456 / XSA-133 / "Venom" @ Debian Xen
Sebastian Pipping
sebastian at pipping.org
Fri May 15 08:41:23 UTC 2015
Hello Debian Xen team,

I have two questions regarding Xen vulnerability CVE-2015-3456 / XSA-133
/ "Venom" in Debian [1]:

* I noticed that [1] says 4.4.1-9 is not vulnerable ("fixed"),
  but according to the Debian Changelog [2] 4.4.1-9 appeared
  in Debian before XSA-133 was published and
  xen_4.4.1-9.debian.tar.xz [3] does not seem to contain
  any XSA-133 patch. Could you elaborate why 4.4.1-9 is not affected?

* [1] also says that the latest 4.1.4-3+deb7u5 of wheezy security
  is vulnerable. Patch xsa133-qemut.patch (with "t") [4] seems to
  apply cleanly. Are there plans to roll an update for wheezy
  security?

Best,

Sebastian

[1] https://security-tracker.debian.org/tracker/CVE-2015-3456
[2] http://metadata.ftp-master.debian.org/changelogs//main/x/xen/xen_4.4.1-9_changelog
[3] http://http.debian.net/debian/pool/main/x/xen/xen_4.4.1-9.debian.tar.xz
[4] http://xenbits.xen.org/xsa/xsa133-qemut.patch