|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] RFC v2: Scope of Vulnerabilities for which XSAs are issued
>>> On 14.02.17 at 18:25, <george.dunlap@xxxxxxxxxx> wrote: > 4. The security team will only issue an advisory if there is a known > combination of software in which the vulnerability can be exploited. Considering the following text, perhaps "may" would end up a little less strict here than "can"? Or add "possibly"? Everything else looks good to me now, fwiw. Jan > In most cases, the software which contains the bug is also the target > of the attack: that is, a bug in Xen allows an unprivileged user to > crash Xen, a bug in QEMU allows an unprivileged user to escalate its > privileges to that of the QEMU process. In these cases "using Xen" or > "using QEMU" imples "being vunlerable". But this is not always so: > for instance, a bug in the Xen instruction emulator might allow a > guest user to attack the guest kernel, *if* the guest kernel behaves > in a certain way, but not if it behaves in other ways. > > In such a case, the Xen Security Team will pro-actively investigate > the vulnerability of the following open-source operating systems: > Linux, OpenBSD, FreeBSD, and NetBSD. The security team will also make > an effort to investigate the vulnerability of Microsoft Windows. If > we are reasonably certain that none of these operating systems are > vulnerable, and there are no other operating systems known to be > vulnerable, then no advisory will be issued. > > (An example of this scenario is XSA-176: There was a bug in the > handling of the pagetable PS bits for L3 and L4; but no known > operating systems were vulnerable to an exploit as a result of the > bug. Under these guidelines, XSA-176 would not have been issued.) _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |