
Is there an Openstack patch for the Venom vuln? Do we need to patch qemu manually?

asked 2015-05-14 11:58:46 -0500

pangalactic

Question posted kinda says it all... is there a patch or even an announcement of versions affected? This has been out for more than 24 hours, and I don't see any response from Redhat has patches for its version, but I'd like to see one from the source...


2 answers


answered 2015-05-14 16:12:47 -0500

smaffulli

Venom is not a vulnerability in OpenStack software, it's a vulnerability in some software commonly used alongside OpenStack. We aren't the ones who provide fixes for it.

Fixes come from the xen project, possibly by way of distributions packaging the software specifically in the form of patches to or patched versions of qemu.

There is a discussion going on the Operators mailing list that you may want to follow.



To clarify, you should obtain fixed versions of qemu from wherever you got your original versions of qemu. The OpenStack project doesn't write, maintain or distribute qemu itself.

fungi ( 2015-05-14 17:22:04 -0500 )

answered 2015-05-14 18:01:03 -0500

lhinds

updated 2015-05-14 18:07:00 -0500

You should go to the Linux dist maintainer, as qemu (which hosts the exploit code) is part of the Linux kernel, and each distributor will package their own patch.

For example here is the fix in qemu's git repository;a=com...

And here is the fix packaged by redhat

