Pkg xen devel - May 2019 - Bug#929129: Xen Hypervisor security update for Intel MDS - XSA 297

Package: xen-hypervisor-4.8-amd64
Version: 4.8.5+shim4.10.2+xsa282-1+deb9u11

All Xen Hypervisor packages also need patches against the Intel MDS bug,
same as https://www.debian.org/security/2019/dsa-4444.

http://xenbits.xen.org/xsa/advisory-297.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://alioth-lists.debian.net/pipermail/pkg-xen-devel/attachments/20190517/b4143c26/attachment.html>

Hi,

On 5/17/19 5:21 PM, Wiebe Cazemier wrote:
> Package: xen-hypervisor-4.8-amd64
> Version: 4.8.5+shim4.10.2+xsa282-1+deb9u11
> 
> All Xen Hypervisor packages also need patches against the Intel MDS bug,
> same as https://www.debian.org/security/2019/dsa-4444. 
> 
> http://xenbits.xen.org/xsa/advisory-297.html
Yes, they do.

For Xen 4.8 and 4.11, we're currently waiting for the related changes in
the upstream code branches to complete the regular test process at Xen
(compile, run on all different hardware etc).

Only at the moment that the advisary is published, the patches are
committed to the public development branches. After that, the tests do
more rigorous regression testing than the developer writing them could
do. We tend to wait for this to succeed. E.g. as part of the packaging
team, I can test that the result boots on amd64, but I have no idea
myself if it also runs on arm etc.

If you're desperately in need for an intermediate version, and you're
able to build debian packages yourself, then I can point you at
something that I'm running myself now.

Regards,
Hans

On Sat, 18 May 2019 at 12:18, Hans van Kranenburg <hans at knorrie.org>
wrote:
> Hi,
>
> On 5/17/19 5:21 PM, Wiebe Cazemier wrote:
> > Package: xen-hypervisor-4.8-amd64
> > Version: 4.8.5+shim4.10.2+xsa282-1+deb9u11
> >
> > All Xen Hypervisor packages also need patches against the Intel MDS
bug,
> > same as https://www.debian.org/security/2019/dsa-4444.
> >
> > http://xenbits.xen.org/xsa/advisory-297.html
>
> Yes, they do.
>
> For Xen 4.8 and 4.11, we're currently waiting for the related changes
in
> the upstream code branches to complete the regular test process at Xen
> (compile, run on all different hardware etc).
>
> Only at the moment that the advisary is published, the patches are
> committed to the public development branches. After that, the tests do
> more rigorous regression testing than the developer writing them could
> do. We tend to wait for this to succeed. E.g. as part of the packaging
> team, I can test that the result boots on amd64, but I have no idea
> myself if it also runs on arm etc.
>
> If you're desperately in need for an intermediate version, and
you're
> able to build debian packages yourself, then I can point you at
> something that I'm running myself now.
>
> Regards,
> Hans
>
No rush in that sense. The bugreport was precipitated by the lack of any
mention of Xen in Ubuntu's en Debian's security announcements, while
Qemu
and libvirt were.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://alioth-lists.debian.net/pipermail/pkg-xen-devel/attachments/20190519/ae12d266/attachment.html>

Your message dated Wed, 19 Jun 2019 13:20:09 +0000
with message-id <E1hdaVV-0009lv-Ew at fasolo.debian.org>
and subject line Bug#929129: fixed in xen 4.11.1+92-g6c33308a8d-1
has caused the Debian Bug report #929129,
regarding Xen Hypervisor security update for Intel MDS - XSA 297
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)


-- 
929129: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929129
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems
-------------- next part --------------
An embedded message was scrubbed...
From: Wiebe Cazemier <wiebe at ytec.nl>
Subject: Xen Hypervisor security update for Intel MDS - XSA 297
Date: Fri, 17 May 2019 17:21:31 +0200
Size: 4158
URL:
<http://alioth-lists.debian.net/pipermail/pkg-xen-devel/attachments/20190619/dceefd3a/attachment-0002.mht>
-------------- next part --------------
An embedded message was scrubbed...
From: Hans van Kranenburg <hans at knorrie.org>
Subject: Bug#929129: fixed in xen 4.11.1+92-g6c33308a8d-1
Date: Wed, 19 Jun 2019 13:20:09 +0000
Size: 18091
URL:
<http://alioth-lists.debian.net/pipermail/pkg-xen-devel/attachments/20190619/dceefd3a/attachment-0003.mht>

This is an update to the unstable release. What is one running Debian
stable (9), with Xen Hypervisor 4.8, to do?
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://alioth-lists.debian.net/pipermail/pkg-xen-devel/attachments/20190619/f06b8c23/attachment-0001.html>

On 6/19/19 4:43 PM, Wiebe Cazemier wrote:
> This is an update to the unstable release. What is one running Debian
> stable (9), with Xen Hypervisor 4.8, to do?
This is not meant as a middle finger to users of stable.

All of the bug numbers will be closed twice, also by the 4.8 upload,
which also has to mention them. This is confusing, however the automated
behaviour after uploading any of them is to close the bug with that report.

At least the 4.11 is out now, last thing I heard about 4.8 was that
there are issues compiling the current 4.8-stable upstream branch in
Stretch, and that's quite an important prerequisite for continuing. :|
Ian needs to work on that.

I will see if I can manipulate them a bit. All the other ones mentioned
in the changelog should also have the info that it's found in current
version in stable attached to them, so that the version graph shows both.

Hans