Dear Xen Maintainers,

The following CVEs (0, 1) have been filed against xen. Could you please check whether they affect any Debian versions and how important they are? They are rather left over on our TODO list and I'd like to forward them to you for checking.

CVE-2008-1944: Buffer overflow in the backend framebuffer of XenSource Xen Para-Virtualized Framebuffer (PVFB) Message 3.0 through 3.0.3 allows local users to cause a denial of service (SDL crash) and possibly execute arbitrary code via "bogus screen updates," related to missing validation of the "format of messages."

CVE-2008-1943: Buffer overflow in the backend of XenSource Xen Para Virtualized Frame Buffer (PVFB) 3.0 through 3.1.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a crafted description of a shared framebuffer.

Cheers
Steffen

(0): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1944
(1): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1943
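Both CVEs above come down to the same backend defect: geometry supplied by the guest (a framebuffer description, or the rectangle of a screen update) is used to index host memory without being checked first. The following is an added, stand-alone illustration of the kind of validation a backend needs before touching the shared buffer; it is not code from the Xen PVFB backend or from this message. The `fb_desc` and `fb_update` structures, the size limits and the sample inputs are all constructed for the example and do not reproduce the real PVFB wire format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical description of a shared framebuffer as a guest might
 * hand it to the backend. Field names are an assumption for this example. */
struct fb_desc {
    uint32_t width;        /* pixels per row */
    uint32_t height;       /* rows */
    uint32_t depth;        /* bits per pixel */
    uint32_t line_length;  /* bytes per row (stride) */
    uint32_t offset;       /* byte offset of the first pixel in shared memory */
};

/* Hypothetical screen-update rectangle, also an assumption for this example. */
struct fb_update {
    uint32_t x, y, w, h;
};

/* Limits chosen for the example; a real backend would derive them from
 * the memory it actually mapped and the display sizes it supports. */
#define FB_MAX_WIDTH   4096u
#define FB_MAX_HEIGHT  4096u

/* Returns true only if every pixel the description names lies inside a
 * shared region of shm_size bytes. All size arithmetic is done in
 * uint64_t so that large 32-bit field values cannot wrap the computation
 * and make an out-of-bounds buffer look small. */
bool fb_desc_valid(const struct fb_desc *d, size_t shm_size)
{
    if (d->width == 0 || d->height == 0)
        return false;
    if (d->width > FB_MAX_WIDTH || d->height > FB_MAX_HEIGHT)
        return false;
    /* only whole-byte pixel formats are accepted */
    if (d->depth != 8 && d->depth != 16 && d->depth != 24 && d->depth != 32)
        return false;

    uint64_t row_bytes = (uint64_t)d->width * (d->depth / 8);
    /* the stride must at least cover one full row of pixels */
    if ((uint64_t)d->line_length < row_bytes)
        return false;

    /* byte just past the last pixel: offset + (height-1)*stride + one row */
    uint64_t end = (uint64_t)d->offset
                 + (uint64_t)(d->height - 1) * d->line_length
                 + row_bytes;
    return end <= (uint64_t)shm_size;
}

/* Returns true only if the update rectangle lies entirely within the
 * already-validated framebuffer. Sums are widened to uint64_t so that
 * x + w or y + h cannot wrap around to a small value. */
bool fb_update_valid(const struct fb_desc *d, const struct fb_update *u)
{
    if (u->w == 0 || u->h == 0)
        return false;
    uint64_t x_end = (uint64_t)u->x + u->w;
    uint64_t y_end = (uint64_t)u->y + u->h;
    return x_end <= d->width && y_end <= d->height;
}

int main(void)
{
    /* constructed sample: 1024x768, 32 bpp, 4096-byte stride, exactly fits */
    struct fb_desc ok = { 1024, 768, 32, 4096, 0 };
    size_t shm = (size_t)4096 * 768;
    printf("well-formed description accepted: %d\n", fb_desc_valid(&ok, shm));

    /* constructed sample: stride large enough to wrap a 32-bit product */
    struct fb_desc wrap = { 4096, 4096, 32, 0xFFFFFFFFu, 0 };
    printf("wrapping stride rejected: %d\n", !fb_desc_valid(&wrap, shm));

    /* constructed sample: update whose x + w wraps in 32-bit arithmetic */
    struct fb_update bad = { 0xFFFFFFF0u, 0, 0x20, 1 };
    printf("wrapping update rejected: %d\n", !fb_update_valid(&ok, &bad));
    return 0;
}
```

The point of the two checks is that every quantity used to compute an address in the host's copy of the buffer is bounded against what the backend actually mapped, and that the bounds arithmetic itself is performed in a type wide enough that guest-chosen values cannot overflow it; a check written in 32-bit arithmetic would pass the two "wrapping" samples above.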