Control: fixed -1 4.8.0~rc3-0exp1 Control: fixed -1 4.8.0~rc3-1 Control: fixed -1 4.8.0~rc5-1
This is XSA-200. Xen 4.8 and later is not vulnerable. The Debian stable branches still need to be fixed. (I hope this mail will be enough to update the status of sid/stretch in https://security-tracker.debian.org.) Ian.
