On Fri, Mar 15, 2013 at 10:17:29AM +0100, Guido Günther wrote: > On Fri, Mar 15, 2013 at 08:15:15AM +0100, Yves-Alexis Perez wrote: > > On sam., 2013-03-09 at 19:54 +0100, Guido Günther wrote: > > > Hi, > > > sorry for the delay but attached is the diff for the stable update. > > > This > > > addrsses #701649 (CVE-2013-1766) as well as #699224 (kind of > > > CVE-2013-0170). Is this enough for the security team to issue the DSA? > > > Let me know if I can help further. > > > > Just a comment. Does the package still need to create/remove the kvm > > group? Shouldn't only the kvm package do that? > > I think so. We need to put the user in that group to access /dev/kvm. > We could use a trigger but that would certainly be more fragile. > > > What about the permissions on devices (there's something abou tit on the > > bug report)? > > Devices will be changed to libvirt-qemu:libvirt-qemu when accessed to > make sure the process has the necessary permission.
Permissions of disks are currently set to 0600. -- Guido > Cheers, > -- Guido -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
