Stretch vulnerability?

[Johen Scott]

Stretch on broadband behind router. Stretch running virtualbox. XP VM client not running browser just samba w lan peers.
Stretch patched w up to date security. XP visible outside lan?

[CwF]

No problem as far as I see.

[kopper]

Though you didn't ask this, while XP might not be visible from outside of LAN, anything that can access or pivot from something else in the LAN is a risk. So just acknowledge that if something else is compromised in your local network, XP most likely is the next step.

And of course, any device compromised with e.g. self-propagating or RAT malware puts XP automatically #1 as a target. Ironically, last year's WannaCry wasn't as effective against XP compared to more recent Windows versions. On the other hand, lot of old and easy stuff hasn't been fixed and it's riddled with holes (I'm sure you're aware of it, hence the question) so that's only drop in the ocean.

Back to Linux. If you have external SSH access to LAN, web servers, etc., you should check those as well. Your XP server is with high confidence only as secure as everything else in your network.

[Johen Scott]

For fun, a scenario where a Debian Stretch or Jessie PC could be vulnerable through a web page?