Xen devel - Jun 2012 - Recent CVE

Hi Everyone,

According to this CVE:

http://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html

The patch has been added to xen-3.4-testing.hg. However, when I look here:

http://xenbits.xen.org/hg/xen-3.4-testing.hg/

I don''t see any recent commits.

Am I missing something? I feel it is very important that these patches 
make its way into this branch, and tagged as 3.4.5 ASAP :)

Thanks

Jonathan Tripathy wrote:
> Hi Everyone,
>
> According to this CVE:
>
> http://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html
>
> The patch has been added to xen-3.4-testing.hg. However, when I look here:
>
> http://xenbits.xen.org/hg/xen-3.4-testing.hg/
It''s still in staging:

http://xenbits.xen.org/hg/staging/xen-3.4-testing.hg/
>
> I don''t see any recent commits.
>
> Am I missing something? I feel it is very important that these patches
> make its way into this branch, and tagged as 3.4.5 ASAP :)
Not sure why they haven''t made it to the repos. I''m Ccing Ian
Jackson
about this.

On 14/06/2012 11:56, Roger Pau Monne wrote:
> Jonathan Tripathy wrote:
>> Hi Everyone,
>>
>> According to this CVE:
>>
>> http://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html
>>
>> The patch has been added to xen-3.4-testing.hg. However, when I look 
>> here:
>>
>> http://xenbits.xen.org/hg/xen-3.4-testing.hg/
>
> It''s still in staging:
>
> http://xenbits.xen.org/hg/staging/xen-3.4-testing.hg/
>
>>
>> I don''t see any recent commits.
>>
>> Am I missing something? I feel it is very important that these patches
>> make its way into this branch, and tagged as 3.4.5 ASAP :)
>
> Not sure why they haven''t made it to the repos. I''m Ccing
Ian Jackson
> about this.
>
>
Let''s also not forget the following CVEs which don''t seem to
be
backported yet:

CVE-2011-2901
CVE-2011-1898
CVE-2012-0029
CVE-2011-1166

Thanks

Roger Pau Monne writes ("Re: [Xen-devel] Recent
CVE"):
> Jonathan Tripathy wrote:
> > Hi Everyone,
> >
> > According to this CVE:
> >
> > http://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html
> >
> > The patch has been added to xen-3.4-testing.hg. However, when I look
here:
> >
> > http://xenbits.xen.org/hg/xen-3.4-testing.hg/
> 
> It''s still in staging:
> 
> http://xenbits.xen.org/hg/staging/xen-3.4-testing.hg/
...
> Not sure why they haven''t made it to the repos. I''m Ccing
Ian Jackson
> about this.
The 3.4 tree doesn''t have an automatic push from staging to main.
(The testing software we are using postdates 3.4.)

Looking at the repos, it seems that Keith has been using the main
tree, not staging.  But I pushed the security changes to staging.

Keith, can you say what should be done now ?  I think the best thing
would probably be to hg merge staging into main; there are only those
two security fix commits in staging.

And then we should probably delete the staging tree entirely.

Thanks,
Ian.

>>> On 14.06.12 at 13:13, Ian Jackson <Ian.Jackson@eu.citrix.com>
wrote:
> And then we should probably delete the staging tree entirely.
Along with all other 3.* staging ones perhaps...

Jan

On Thu, Jun 14, 2012 at 7:44 AM, Jan Beulich <JBeulich@suse.com>
wrote:
>>>> On 14.06.12 at 13:13, Ian Jackson
<Ian.Jackson@eu.citrix.com> wrote:
>> And then we should probably delete the staging tree entirely.
>
> Along with all other 3.* staging ones perhaps...
>
The changes have now been pushed to the main tree. I agree that we
should remove the 3.* staging trees.


--
Keith Coleman

Keith Coleman writes ("Re: [Xen-devel] Recent
CVE"):
> On Thu, Jun 14, 2012 at 7:44 AM, Jan Beulich <JBeulich@suse.com>
wrote:
> >>>> On 14.06.12 at 13:13, Ian Jackson
<Ian.Jackson@eu.citrix.com> wrote:
> >> And then we should probably delete the staging tree entirely.
> >
> > Along with all other 3.* staging ones perhaps...
> 
> The changes have now been pushed to the main tree. I agree that we
> should remove the 3.* staging trees.
I have done this.  Well, moved them to ~xen/HG/staging/old in case we
need them for something.

Ian.