18.04.2014 16:27, Adam D. Barratt wrote:
On 2014-04-18 12:54, Michael Tokarev wrote:
I've another security bugfix for qemu+qemu-kvm, CVE-2014-2894,
assigned today, see
https://lists.nongnu.org/archive/html/qemu-devel/2014-04/msg02016.html
The fix is also one-liner.
Maybe we can combine the two - this #742386 and CVE-2014-2894 - into
single pu?
Looking at the source for the 2.0.0 packages uploaded to unstable
yesterday, it looks like they contain the CVE fix? If so then the
security-tracker needs updating, as
https://security-tracker.debian.org/tracker/CVE-2014-2894 lists
unstable as vulnerable. If the security team don't plan to issue a DSA
for the issue (which I don't know if they've decided yet) then the
patch looks sane enough to include in the p-u.
Yes, 2.0.0 contains the (last-minute) fix.
And no, this fix is definitely worth a DSA.
So I'm uploading +deb7u2 to wheezy-pu as has been already agreed
before,
to catch the train to 7.5. With intention to fix CVE-2014-2894 later.