Wolodja Wentland
2018-Aug-15 18:23 UTC
[Pkg-xen-devel] Xen Security Update - XSA-{268,269,272,273}
Dear Security Team,

I have prepared a new upload addressing a number of open security issues in Xen.

Due to the complexity of the patches that address XSA-273 [0], the packages have been built from upstream's staging-4.8 / staging-4.10 branch again, as recommended in that advisory. Commits on those branches are restricted to those that address the following XSAs (cf. [1]):

- XSA-273 (CVE-2018-3620, CVE-2018-3646)
- XSA-272 (no CVE yet)
- XSA-269 (no CVE yet)
- XSA-268 (no CVE yet)

In addition to the XSAs mentioned above, which will be addressed by the upcoming upload (i.e. 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10), security updates that address XSA-270 [2] have been released that need to be included in the kernel packaging. Linux versions 4.7 and onwards are affected by this.

[0] https://xenbits.xen.org/xsa/advisory-273.html
[1] https://xenbits.xen.org/xsa/
[2] https://xenbits.xen.org/xsa/advisory-270.html

--
Wolodja <debian at babilen5.org>

4096R/CAF14EFC
081C B7CD FF04 2BA9 94EA 36B2 8B7F 7D30 CAF1 4EFC
Wolodja Wentland
2018-Aug-15 18:30 UTC
[Pkg-xen-devel] Xen Security Update - XSA-{268,269,272,273}
Dear Ben,

Wolodja Wentland <debian at babilen5.org> writes:

Unfortunately the mail below was sent to an incorrect address and would not have reached you.

> I have prepared a new upload addressing a number of open security
> issues in Xen.
>
> Due to the complexity of the patches that address XSA-273 [0] the
> packages have been built from upstream's staging-4.8 / staging-4.10
> branch again as recommended in that advisory. Commits on those branches
> are restricted to those that address the following XSAs (cf. [1]):
>
> - XSA-273 (CVE-2018-3620, CVE-2018-3646)
> - XSA-272 (no CVE yet)
> - XSA-269 (no CVE yet)
> - XSA-268 (no CVE yet)
>
> In addition to the XSAs mentioned above that will be addressed by the
> upcoming upload (i.e. 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10)
> security updates that address XSA-270 [2] have been released that need
> to be included in the kernel packaging. Linux version 4.7 and onwards
> are affected by this.
>
> [0] https://xenbits.xen.org/xsa/advisory-273.html
> [1] https://xenbits.xen.org/xsa/
> [2] https://xenbits.xen.org/xsa/advisory-270.html
> --
> Wolodja <debian at babilen5.org>
>
> 4096R/CAF14EFC
> 081C B7CD FF04 2BA9 94EA 36B2 8B7F 7D30 CAF1 4EFC

--
Wolodja <debian at babilen5.org>

4096R/CAF14EFC
081C B7CD FF04 2BA9 94EA 36B2 8B7F 7D30 CAF1 4EFC
Ian Jackson
2018-Aug-15 22:20 UTC
[Pkg-xen-devel] Xen Security Update - XSA-{268,269,272,273}
Thanks for doing all the hard work.

Can you confirm exactly which git commitid you tested? Was it 522f2f393509f22188945108d776b7a9abbd9e30?

I ask because I thought you said you were going to fiddle with the changelog, and my just-done git-fetch salsa-security didn't get any updates. That makes me think maybe you forgot to push and that I might not have the right code. I want to make sure that what I upload is what was tested. (modulo changelog finalisation, etc.)

Regards,
Ian.

--
Ian Jackson <ijackson at chiark.greenend.org.uk> These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is a private address which bypasses my fierce spamfilter.
Ben Hutchings
2018-Aug-16 11:35 UTC
[Pkg-xen-devel] Xen Security Update - XSA-{268,269,272,273}
On Wed, 2018-08-15 at 19:34 +0100, Wolodja Wentland wrote:
> Dear Ben,
>
> Wolodja Wentland <debian at babilen5.org> writes:
>
> Unfortunately the mail below was sent to an incorrect address and would
> not have reached you.

Thanks.

[...]

> > In addition to the XSAs mentioned above that will be addressed by the
> > upcoming upload (i.e. 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10)
> > security updates that address XSA-270 [2] have been released that need
> > to be included in the kernel packaging. Linux version 4.7 and onwards
> > are affected by this.

This issue has already been added to the kernel-sec repository so it's on our to-do list.

Ben.

--
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams