Pkg xen devel - May 2015 - CVE-2015-3456 / XSA-133 / "Venom" @ Debian Xen

Hello Debian Xen team,


I have two questions regarding Xen vulnerability CVE-2015-3456 / XSA-133
/ "Venom" in Debian [1]:

 * I noticed that [1] says 4.4.1-9 not to be vulnerable ("fixed")
   but according to the Debian Changelog [2] 4.4.1-9 appeared
   in Debian before XSA-133 was published and
   xen_4.4.1-9.debian.tar.xz [3] does not seem to contain
   any XSA-133 patch.  Could you elaborate why 4.4.1-9 is not affected?

 * [1] also says that latest 4.1.4-3+deb7u5 of wheezy security
   is vulnerable.  Patch xsa133-qemut.patch (with "t") [4] seems to
   apply cleanly.  Are there plans to roll an update for wheezy
   security?

Best,



Sebastian


[1] https://security-tracker.debian.org/tracker/CVE-2015-3456
[2]
http://metadata.ftp-master.debian.org/changelogs//main/x/xen/xen_4.4.1-9_changelog
[3] http://http.debian.net/debian/pool/main/x/xen/xen_4.4.1-9.debian.tar.xz
[4] http://xenbits.xen.org/xsa/xsa133-qemut.patch

On 15/05/2015 09:41, Sebastian Pipping wrote:
>   * I noticed that [1] says 4.4.1-9 not to be vulnerable
("fixed")
>     but according to the Debian Changelog [2] 4.4.1-9 appeared
>     in Debian before XSA-133 was published and
>     xen_4.4.1-9.debian.tar.xz [3] does not seem to contain
>     any XSA-133 patch.  Could you elaborate why 4.4.1-9 is not affected?
This would be because the debian packages don't bundle 
qemu-xen-traditional in Jessie - so there's no vulnerable binary in the 
xen packages.

Xen uses upstream qemu on Jessie - so that's what needs to be updated 
for this bug.

-- 
Thomas Jepp
reg at tomjepp.co.uk

Thanks for the explanation!


Sebastian