OpenXT stable-9 uses the QEMU 3.1.0 release. Review the changes between 3.1.0 and 4.0.0 (the latest QEMU release at the time of this ticket) and identify security changes that would require a backport.
Discussed during the community call on 06/10/2019.
Search in the change history reveals two CVEs:
Not used in OpenXT (usb-mtp).
hw/ppc/spapr.c emulation only
Not used in OpenXT.
Confirmed with that no CVEs are needed for QEMU as OpenXT does not utilize any of the associated features. reviewed the potential CVEs for edk2 (specifically for OVMF) and did not find anything either. Closing.