Alex Vong writes:

> Severity: important
> Tags: security
>
> Hello,
>
> This fixes a bunch of CVEs which were left unfixed. Most of the patches
> are copied from the upstream git repo. Except one is copied from Xen
> Security Advisory.

Thanks for these, applied!

I took the liberty of removing the commit messages from the patches, since we have the URLs anyway. It reduced the commit length by 31%.

[...]

> diff --git a/gnu/packages/patches/qemu-CVE-2017-10911.patch b/gnu/packages/patches/qemu-CVE-2017-10911.patch > new file mode 100644 > index 000000000..fed3fb8ff > --- /dev/null > +++ b/gnu/packages/patches/qemu-CVE-2017-10911.patch > @@ -0,0 +1,123 @@ > +Fix CVE-2017-10911: > + > +https://xenbits.xen.org/xsa/advisory-216.html > +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10911 > +https://security-tracker.debian.org/tracker/CVE-2017-10911 > + > +Patch copied from Xen Security Advisory: > + > +https://xenbits.xen.org/xsa/xsa216-qemuu.patch

Apparently this patch has been pulled by one of the qemu developers, but is not on any branches on git.qemu.org:

https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg06662.html

I wonder what's up with that.
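
Review bot: The header of the new qemu-CVE-2017-10911.patch records its origin only as "Patch copied from Xen Security Advisory" followed by the xsa216-qemuu.patch URL, with no pointer to where the fix is tracked in qemu itself. Consider adding the qemu-devel pull request URL (https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg06662.html) under that line, so that whoever next updates the qemu package can check whether the fix has reached a release and drop this patch. The hunk header announces 123 added lines, of which only the description header is visible here, so the code change itself cannot be reviewed from this excerpt.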