02.06.2013 22:53, Michael Gilbert wrote:
> Package: qemu
> Severity: serious
> version: 1.5.0+dfsg-1
> Tags: security
>
> Hi,
> An out-of-bounds issue in virtio was published for qemu:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2016

Hmm. Now I'm really confused. Upstream version 1.5.0 includes the fix for this issue, so filing the bug against 1.5.0+dfsg-1 package is kind of wrong. The fix is commit 5f5a1318653c08e435cfa52f60b6a712815b659d which was applied past 1.5.0~rc0.

Yes, the experimental version of qemu, based on 1.5.0~rc0, is buggy, but do we really care about it, especially since current version is already fixed?

> I've checked squeeze and wheezy (both qemu and qemu-kvm). They are
> both not affected.

To me it looks like no debian version of qemu is affected.

Thanks!

/mjt