Ian Jackson
2017-May-04 16:06 UTC
[Pkg-xen-devel] Xen package security updates for jessie 4.4, XSA-213, XSA-214
Ian Jackson writes ("64bit PV guest breakout
[XSA-213]"):> Source: xen
> Version: 4.4.1-9
> Severity: important
> Tags: security upstream fixed-upstream
>
> See
> https://xenbits.xen.org/xsa/advisory-213.html
Ian Jackson writes ("grant transfer allows PV guest to elevate privileges
[XSA-214]"):> Source: xen
> Version: 4.4.1-9
> Severity: important
> Tags: security upstream fixed-upstream
>
> See
> https://xenbits.xen.org/xsa/advisory-214.html
I have fixed these in stretch but the jessie package remains unfixed.
I think I may be able to find some backports somewhere. Would that be
useful ? Is anyone else working on this ?
Ian.
Moritz Muehlenhoff
2017-May-04 16:51 UTC
[Pkg-xen-devel] Bug#861660: Xen package security updates for jessie 4.4, XSA-213, XSA-214
On Thu, May 04, 2017 at 05:06:07PM +0100, Ian Jackson wrote:> Ian Jackson writes ("64bit PV guest breakout [XSA-213]"): > > Source: xen > > Version: 4.4.1-9 > > Severity: important > > Tags: security upstream fixed-upstream > > > > See > > https://xenbits.xen.org/xsa/advisory-213.html > > Ian Jackson writes ("grant transfer allows PV guest to elevate privileges [XSA-214]"): > > Source: xen > > Version: 4.4.1-9 > > Severity: important > > Tags: security upstream fixed-upstream > > > > See > > https://xenbits.xen.org/xsa/advisory-214.html > > I have fixed these in stretch but the jessie package remains unfixed. > I think I may be able to find some backports somewhere. Would that be > useful ? Is anyone else working on this ?Yes, please! Cheers, Moritz
Ian Jackson
2017-May-04 16:59 UTC
[Pkg-xen-devel] Bug#861660: Xen package security updates for jessie 4.4, XSA-213, XSA-214
Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie
4.4, XSA-213, XSA-214"):> On Thu, May 04, 2017 at 05:06:07PM +0100, Ian Jackson wrote:
> > I have fixed these in stretch but the jessie package remains unfixed.
> > I think I may be able to find some backports somewhere. Would that be
> > useful ? Is anyone else working on this ?
>
> Yes, please!
Working on it now. What shall I do with my resulting package ?
Should I put jessie-security in the debian/changelog and dgit push it
(ie, from many people's pov, dput it) ?
Ian.
Apparently Analagous Threads
- Bug#861660: Xen package security updates for jessie 4.4, XSA-213, XSA-214
- Bug#861660: Xen package security updates for jessie 4.4, XSA-213, XSA-214
- Xen package security updates for jessie 4.4, XSA-213, XSA-214
- Bug#859560: xen: CVE-2017-7228: x86: broken check in memory_exchange() permits PV guest breakout (XSA-212)
- Updated Xen packages for XSA 216..225