Displaying 6 results from an estimated 6 matches for "predisclosure".
2012 Dec 03
0
Uncontrolled disclosure of advisories XSA-26 to XSA-32
We just sent the message below to the security advisory predisclosure
list, relating to the release of XSA-26 to XSA-32. As you will see,
these have now been publicly released.
We'll have a proper conversation about this in a week or two.
Thanks for your attention,
Ian.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We regret to announce that a member of...
2015 May 13
0
Xen Security Advisory 133 (CVE-2015-3456) - Privilege escalation via emulated floppy disk drive
...permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.
But: Deployment of the mitigation by enabling stubdomains is NOT
permitted (except on systems used and administered only by
organisations which are members of the Xen Project Security Issues
Predisclosure List). Specifically, deployment on public cloud systems
is NOT permitted. This is because this configuration change may be
visible to the guest.
Also, distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deplo...
2011 Jul 14
4
Security vulnerability process - last call
...anks,
Ian.
Changes from the previous draft:
* The pre-disclosure list will get copies of public advisories and
updated advisories, not just embargoed ones.
* The list of entities on the pre-disclosure list will be made
public. We should probably warn the existing members of the
predisclosure list that the fact that their organisation is on the
list will be published and give them a chance to object or
withdraw, so we will publish the actual list when the policy comes
into force rather than right away. I don't expect any of the
members to object. We'r...
2017 Sep 07
2
Updated Xen packages for XSA 216..225
...'s xen.dsc doesn't build with sid's gcc. I will file a bug about
this. So I have done a binaryful upload to stretch-security now.
Also, I have access via my Xen Project Security Team hat to the
patches for the predisclosed advisories 231..234 and since Debian is
also on the Xen Project predisclosure list I think it is proper for me
with my Debian hat to start work on the packages for those. The
release date is 2017-09-12 12:00. See https://xenbits.xen.org/xsa/
Regards,
Ian.
--
Ian Jackson <ijackson at chiark.greenend.org.uk> These opinions are my own.
If I emailed you from an add...
2013 Aug 30
14
Coverity + XenProject + Process?
...- was wondering what should be the
procedure for involving volunteers for that?
Initially it was recommended that they agree to the security
disclosure (http://www.xenproject.org/security-policy.html) and
will agree to use by default the "Two working weeks between issue
of our advisory to our predisclosure list and publication."
But I am not sure who should have the power to veto/accept
volunteers? Should security@Xen.org do that? Or should folks
at Xen Devel mailing list be involved in it as well?
Should that security disclosure be used for that as well?
Ideas?
Thank you.
2015 Sep 08
7
Notes from Xen BoF at Debconf15
...able release process.
Security updates
================
Guido asked if security updates could go back further.
Currently we go to 4.2, but Debian Wheezy has Xen 4.1.
The security team don't currently have the effort to go further, but
have recently introduced a private discussion list where predisclosure
members are encouraged to exchange their own backports.
Guido is not on global team at security.debian. We suggested he discuss
with the Debian security team switching to a xen specific alias
including team@ + relevant package maintainers.
Release schedule vs. migration N=>N+1 support
========...