Maximilian Engelhardt
2023-Mar-29 21:27 UTC
[Pkg-xen-devel] Bug#1033676: unblock: xen/4.17.0+74-g3eac216e6e-1 (pre-approval)
Package: release.debian.org Severity: normal User: release.debian.org at packages.debian.org Usertags: unblock X-Debbugs-Cc: xen at packages.debian.org, maxi at daemonizer.de, team at security.debian.org Control: affects -1 + src:xen Please approve an upload of xen to unstable and later unblock package xen. See the "Other info" section below on why this is a pre-approval request. [ Reason ] Xen in bookworm (and unstable) is currently affected by CVE-2022-42331, CVE-2022-42332, CVE-2022-42333 and CVE-2022-42334 (see #1033297). [ Impact ] The above mentioned CVEs are not fixed. [ Tests ] The Debian package is based only on upstream commits that have passed the upstream automated tests. The Debian package has been successfully tested by the xen packaging team on their test machines. [ Risks ] There could be upstream changes unrelated to the above mentioned security fixes that cause regressions. However upstream has an automated testing machinery (osstest) that only allows a commit in the upstream stable branch if all test pass. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing [ Other info ] This security fix is based on the latest upstream stable-4.17 branch. The branch in general only accepts bug fixes and does not allow new features, so the changes there are mainly security and other bug fixes. This does not exactly follow the "only targeted fixes" release policy, so we are asking for a pre-approval. The package we have prepared is exactly what we would have done as a security update in a stable release, what we have historically done together with the security team and are planning to continue to do. As upstream does extensive automated testing on their stable branches chances for unnoticed regressions are low. We believe this way the risk for bugs is lower than trying to manually pick and adjust patches without all the deep knowledge that upstream has. This approach is similar to what the linux package is doing. unblock xen/4.17.0+74-g3eac216e6e-1 Thanks -------------- next part -------------- A non-text attachment was scrubbed... Name: xen_4.17.0+74-g3eac216e6e-1.debdiff Type: text/x-patch Size: 60024 bytes Desc: not available URL: <http://alioth-lists.debian.net/pipermail/pkg-xen-devel/attachments/20230329/9c2ae093/attachment-0001.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part. URL: <http://alioth-lists.debian.net/pipermail/pkg-xen-devel/attachments/20230329/9c2ae093/attachment-0001.sig>