Security update needed for spice
From: Mark H Weaver
Subject: Security update needed for spice
Date: Mon, 22 Aug 2016 00:09:18 -0400

Hi David,

There are two high-severity security flaws in spice that are apparently
fixed in spice-0.12.8: CVE-2016-0749 and CVE-2016-2150.

https://lwn.net/Articles/697698/
https://bugzilla.redhat.com/show_bug.cgi?id=1343135
https://bugzilla.redhat.com/show_bug.cgi?id=1343137

While investigating, I noticed that we're using a "development release"
of spice (0.13.x) instead of a "stable release" (0.12.x):

http://www.spice-space.org/download.html#stable-release

We should probably be using the stable release. What do you think?

Anyway, would you be willing to handle this security update, by
switching Guix to a version of spice that's not vulnerable?

The summary line could end with "[fixes CVE-2016-{0749,2150}]."

Thanks for your contributions.

Mark