On Fri, Nov 30, 2018 at 02:48:19PM +0530, P J P wrote:
> +-- On Thu, 29 Nov 2018, Eric Blake wrote --+
> | How important is this for 3.1? We've missed -rc3. Is this CVE quality
> | because of a guest being able to cause mayhem by intentionally getting into
> | this condition (in which case, we need it, as well as a CVE assigned)? Is it
> | pre-existing in 3.0 at which point waiting for 4.0 is no worse off than what
> | we already are?
>
> It is a revised patch to fix 'CVE-2018-17963' issue. Earlier patch was
> included in -rc0.
>
> $ git tag --contains 1592a9947036d60dde5404204a5d45975133caf5
> v3.1.0-rc0
> v3.1.0-rc1
> v3.1.0-rc2
> v3.1.0-rc3
If we've already tried to fix CVE-2018-17963 in 3.1.0 and failed to address
some edge cases, then it would be really desirable to get this into 3.1.0
too. If we waited until 4.0.0, then we'd need to consider it to be a new
CVE on the grounds that 3.1.0 released a flawed fix.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|