Sebastian Pipping
2015-May-15 08:41 UTC
[Pkg-xen-devel] CVE-2015-3456 / XSA-133 / "Venom" @ Debian Xen
Hello Debian Xen team,

I have two questions regarding Xen vulnerability CVE-2015-3456 / XSA-133 / "Venom" in Debian [1]:

* I noticed that [1] says 4.4.1-9 is not vulnerable ("fixed"), but according to the Debian Changelog [2] 4.4.1-9 appeared in Debian before XSA-133 was published, and xen_4.4.1-9.debian.tar.xz [3] does not seem to contain any XSA-133 patch. Could you elaborate why 4.4.1-9 is not affected?

* [1] also says that the latest 4.1.4-3+deb7u5 of wheezy security is vulnerable. Patch xsa133-qemut.patch (with "t") [4] seems to apply cleanly. Are there plans to roll an update for wheezy security?

Best,
Sebastian

[1] https://security-tracker.debian.org/tracker/CVE-2015-3456
[2] http://metadata.ftp-master.debian.org/changelogs//main/x/xen/xen_4.4.1-9_changelog
[3] http://http.debian.net/debian/pool/main/x/xen/xen_4.4.1-9.debian.tar.xz
[4] http://xenbits.xen.org/xsa/xsa133-qemut.patch
Thomas Jepp
2015-May-15 09:07 UTC
[Pkg-xen-devel] CVE-2015-3456 / XSA-133 / "Venom" @ Debian Xen
On 15/05/2015 09:41, Sebastian Pipping wrote:
> * I noticed that [1] says 4.4.1-9 not to be vulnerable ("fixed")
> but according to the Debian Changelog [2] 4.4.1-9 appeared
> in Debian before XSA-133 was published and
> xen_4.4.1-9.debian.tar.xz [3] does not seem to contain
> any XSA-133 patch. Could you elaborate why 4.4.1-9 is not affected?

This would be because the Debian packages don't bundle qemu-xen-traditional in Jessie, so there's no vulnerable binary in the xen packages. Xen uses upstream qemu on Jessie, so that's what needs to be updated for this bug.

--
Thomas Jepp
reg at tomjepp.co.uk