Hi Michael,

Thanks for your quick reply.

On Thu, Nov 13, 2014 at 09:37:09PM +0300, Michael Tokarev wrote:
> 13.11.2014 20:39, Salvatore Bonaccorso wrote:
> > Source: qemu
> > Version: 1.1.2+dfsg-6a
> > Severity: important
> > Tags: security upstream
> >
> > Hi Debian QEMU team,
> >
> > the following vulnerability was published for qemu, chose important
> > severity but actually might be downgraded to normal.
> >
> > CVE-2014-7840[0]:
> > insufficient parameter validation during ram load
>
> It is the same thing as #739589 (insufficient input validation during
> state load) -- new and more exciting ways to exploit this are found
> all the time... (I mean, it is another issue of the same sort, not
> something which has already been fixed in debian).
>
> We decided we will not try to fix this in wheezy - either all of the
> issues should be fixed or none, there's no reason to fix some but
> ignore others.
>
> We also decided this is a not very important issue, because it only
> happens when you allow untrusted parties to send you guest memory
> state which is rather uncommon (see comments in that bugreport).

This makes sense.

> Yes it affects wheezy version, but it is wontfix for wheezy for the
> above reason. And yes I'll fix it for jessie, the patch in question
> has been applied to my local qemu git repository yesterday.

Sure, also makes sense. I'm particularly interested in tracking issues in the security-tracker with appropriate cross-references to the BTS. I have marked it appropriately in the tracker.

Thanks for your work!

Regards,
Salvatore