[Pkg-xen-devel] CVE-2015-3456 / XSA-133 / "Venom" @ Debian Xen
Thomas Jepp
reg at tomjepp.co.uk
Fri May 15 09:07:26 UTC 2015
On 15/05/2015 09:41, Sebastian Pipping wrote:
> * I noticed that [1] says 4.4.1-9 not to be vulnerable ("fixed")
> but according to the Debian Changelog [2] 4.4.1-9 appeared
> in Debian before XSA-133 was published and
> xen_4.4.1-9.debian.tar.xz [3] does not seem to contain
> any XSA-133 patch. Could you elaborate why 4.4.1-9 is not affected?
This would be because the Debian packages don't bundle
qemu-xen-traditional in Jessie - so there's no vulnerable binary in the
xen packages.
Xen uses upstream qemu on Jessie - so that's what needs to be updated
for this bug.
--
Thomas Jepp
reg at tomjepp.co.uk