
Re: [Qemu-devel] old (but unfixed in our clones) qemu security issues?

From: Stefano Stabellini
Subject: Re: [Qemu-devel] old (but unfixed in our clones) qemu security issues?
Date: Mon, 2 Mar 2015 14:05:19 +0000
User-agent: Alpine 2.02 (DEB 1266 2009-07-14)

CC'ing qemu-devel

On Mon, 2 Mar 2015, Jan Beulich wrote:
> Stefano,
> apart from having been curious for a while why we carry a fix for
> CVE-2013-4540 in our 4.4.1 based tree, patches for CVE-2014-3615
> appeared there too recently. What is the maintenance state of the
> stable qemu upstream trees in regard to security fixes? I would kind
> of expect that you as the maintainer pick up such fixes (semi-)
> automatically. Quite likely some of the upstream issues don't directly
> affect our clones, perhaps simply because we don't build the
> respective code (at least by default), but I think we should either
> document such facts or (unless they impose severe risk) we should
> apply them nevertheless.
Hi Jan,

unfortunately QEMU doesn't have a security mailing list like Xen
Project. The closest thing to it is the Red Hat Security Team but of
course I am not part of it. They send notification of security issues to
oss-security but I am not part of that either: I requested access to
oss-security in the past but the request was denied.

I receive no notifications from QEMU upstream on security issues, unless
Paolo or Anthony kindly forward me an email.  Sometimes that happens,
sometimes it doesn't.

So I am not surprised that fixes to one or more CVEs fell through the

I guess I could monitor cve.mitre.org or the QEMU stable tree for
commits with "CVE" in the commit message, but there isn't much else I
can do.  I am happy to follow whatever procedure we think is best given
the information available.

- Stefano
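One way to do the "monitor the stable tree for CVE commits" check Stefano describes, as an added example that is not part of the thread or of QEMU/Xen tooling: it lists CVE identifiers mentioned in upstream commit subjects that appear in no commit of the downstream clone. The repository built by `make_fixture_repo` and its commit subjects are constructed for the demonstration; only the CVE numbers are the ones named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Matching is done on the CVE id in the
# commit subject rather than on commit hashes, because downstream backports
# are cherry-picked or rebased and so never share hashes with upstream.

# Print the CVE ids (unique, sorted) found in commit subjects reachable from
# ref $2 in repository $1.
cve_ids_in() {
    git -C "$1" log --format=%s "$2" \
        | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' \
        | sort -u
}

# Print CVE ids fixed on upstream ref $2 that no commit on downstream ref $3
# mentions, for repository $1.
missing_cve_fixes() {
    known=$(mktemp)
    cve_ids_in "$1" "$3" > "$known"
    if [ -s "$known" ]; then
        # -v -x -F -f: drop ids that appear verbatim in the downstream list;
        # grep exits 1 when nothing is missing, which is not an error here
        cve_ids_in "$1" "$2" | grep -vxF -f "$known" || true
    else
        cve_ids_in "$1" "$2"
    fi
    rm -f "$known"
}

# Build a constructed two-branch repository to exercise the check offline:
# the clone forks after the CVE-2013-4540 fix and never picks up CVE-2014-3615.
make_fixture_repo() {
    dir=$(mktemp -d)
    export GIT_AUTHOR_NAME=fixture GIT_AUTHOR_EMAIL=fixture@example.invalid
    export GIT_COMMITTER_NAME=fixture GIT_COMMITTER_EMAIL=fixture@example.invalid
    git -C "$dir" init -q
    git -C "$dir" symbolic-ref HEAD refs/heads/upstream
    git -C "$dir" commit -q --allow-empty -m "initial import (constructed)"
    git -C "$dir" commit -q --allow-empty -m "fix for CVE-2013-4540 (constructed)"
    git -C "$dir" branch -q downstream
    git -C "$dir" commit -q --allow-empty -m "fix for CVE-2014-3615 (constructed)"
    git -C "$dir" checkout -q downstream
    git -C "$dir" commit -q --allow-empty -m "xen: local change (constructed)"
    git -C "$dir" checkout -q upstream
    printf '%s\n' "$dir"
}

# Usage against a real checkout: sh this_script.sh REPO UPSTREAM_REF DOWNSTREAM_REF
if [ $# -eq 3 ]; then
    missing_cve_fixes "$1" "$2" "$3"
fi
```

Against a real tree, point UPSTREAM_REF at the fetched qemu stable branch and DOWNSTREAM_REF at the clone's branch; anything printed is a CVE id with no trace in the clone's history and is worth either backporting or documenting as not applicable.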
