On 01/11/2014 07:27 AM, Guido Günther wrote:
> Hi,
> attached patches backport the fixes for CVE-2013-6458 to v0.9.12-maint. I
> decided to cherry-pick the introduction of VIR_STRDUP and virReportError
> as well to ease backporting of future fixes. I'd be happy about any review.

Looks correct to me. I'll let you push to 0.9.12-maint since you already did that work; I already pushed to all the branches 0.10.2 and later. When porting to 0.10.2, I chose to just inline the call to strdup() instead of backporting VIR_STRDUP, for fewer patches but more conflict resolution; but either approach seems acceptable.

Is anyone still using v0.9.11-maint? The CVE extends back to 0.9.8, so we could argue that we should either fix the 0.9.11 branch, or add another commit to the branch that explicitly marks it as end-of-life because no one appears to be relying on it. Fedora 18 is now end-of-life, so from Fedora's perspective, I only care about 0.10.2 (RHEL and CentOS 6), 1.0.5 (F19), 1.1.3 (F20) and soon 1.2.1 (rawhide), although I didn't mind touching all the intermediate branches on my way down to 0.10.2.

RHEL 5 is also vulnerable to CVE-2013-6458, but as we don't have an upstream v0.8.2-maint branch (thank goodness!), that's something for Red Hat to worry about.

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list