[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SLiRP: use-afte-free in ip_reass() [CVE-2020-1983]
From: |
Philippe Mathieu-Daudé |
Subject: |
Re: SLiRP: use-afte-free in ip_reass() [CVE-2020-1983] |
Date: |
Tue, 21 Apr 2020 12:34:10 +0200 |
On Tue, Apr 21, 2020 at 12:22 PM Marc-André Lureau
<address@hidden> wrote:
>
> Hi
>
> On Tue, Apr 21, 2020 at 11:18 AM Philippe Mathieu-Daudé
> <address@hidden> wrote:
> >
> > Hi Samuel and Marc-André,
> >
> > Peter is going to tag 5.0-rc4 (final before release) today.
> > Do you have plans to send a last minute pull-request to fix CVE-2020-1983?
> >
> > https://gitlab.freedesktop.org/slirp/libslirp/-/commit/9ac0371bb
>
> libslirp is not following qemu release schedule. The master branch has
> a few changes that shouldn't be added to the release. We could create
> version/stable/qemu branches, but then between each version, we would
> end up with the submodule jumping between branches (with a non-linear
> history). Is that the only option?
I'm not sure this is the only option, but thinking about the
qemu-stable release process, this sounds like a good option.
Stable tags are sterile leaves and don't get further development.