Thanks Dan. In earlier discussion with the QEMU developers, it wasn't clear whether they considered that behavior an actual security vulnerability or just a bug worth fixing, what their priority might be for backporting it to older QEMU releases, and what sort of timeframe we'd be looking at for downstream GNU/Linux LTS server distros to get those fixes into their respective packages. If they're just going to publicly announce there's a fix upstream in master and expect distros to eventually pick it up, that leaves many of our users in an unfortunate situation for a while, so being able to filter problem images without relying on calls to `qemu-img info` still sounds like the safer choice in the interim.
Thanks Dan. In earlier discussion with the QEMU developers, it wasn't clear whether they considered that behavior an actual security vulnerability or just a bug worth fixing, what their priority might be for backporting it to older QEMU releases, and what sort of timeframe we'd be looking at for downstream GNU/Linux LTS server distros to get those fixes into their respective packages. If they're just going to publicly announce there's a fix upstream in master and expect distros to eventually pick it up, that leaves many of our users in an unfortunate situation for a while, so being able to filter problem images without relying on calls to `qemu-img info` still sounds like the safer choice in the interim.