similar to: Xen 4.1.4 release imminent?

Folks, I am pleased to announce the release of Xen 4.1.4. This is available immediately from its mercurial repository: http://xenbits.xen.org/xen-4.1-testing.hg (tag RELEASE-4.1.4) This fixes the following critical vulnerabilities: * CVE-2012-3494 / XSA-12: hypercall set_debugreg vulnerability * CVE-2012-3495 / XSA-13: hypercall physdev_get_free_pirq vulnerability * CVE-2012-3496 /

Dear Security Team, I have prepared a new upload addressing a number of open security issues in Xen. Due to the complexity of the patches that address XSA-273 [0] the packages have been built from upstream's staging-4.8 / staging-4.10 branch again as recommended in that advisory. Commits on those branches are restricted to those that address the following XSAs (cf. [1]): - XSA-273

Ian Jackson writes ("64bit PV guest breakout [XSA-213]"): > Source: xen > Version: 4.4.1-9 > Severity: important > Tags: security upstream fixed-upstream > > See > https://xenbits.xen.org/xsa/advisory-213.html Ian Jackson writes ("grant transfer allows PV guest to elevate privileges [XSA-214]"): > Source: xen > Version: 4.4.1-9 > Severity:

Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"): > Yes, the distribution line should be jessie-security, but please send > a debdiff to team at security.debian.org for a quick review before > uploading (I have no idea whether dgit supports security-master). Here is the proposed debdiff (actually, a git diff) for xen in jessie. My

> -----Original Message----- > From: CentOS-virt [mailto:centos-virt-bounces at centos.org] On Behalf Of > Peter Peltonen > Sent: Thursday, January 18, 2018 11:19 AM > To: Discussion about the virtualization on CentOS <centos-virt at centos.org> > Subject: Re: [CentOS-virt] Xen 4.6.6-9 (with XPTI meltdown mitigation) > packages making their way to centos-virt-xen-testing

I've built & tagged packages for CentOS 6 and 7 4.6.6-9, with XPTI "stage 1" Meltdown mitigation. This will allow 64-bit PV guests to run safely (with a few caveats), but incurs a fairly significant slowdown for 64-bit PV guests on Intel boxes (including domain 0). If you prefer using Vixen / Comet, you can turn it off by adding 'xpti=0' to your Xen command-line.

Package: xen-hypervisor-4.1-amd64 Version: 4.1.4-3+deb7u4 Severity: critical Hi, Not sure how come I'm the first one to file this kind of a bug report :) but here goes JFTR... http://xenbits.xen.org/xsa/advisory-123.html was embargoed, but advance warning was given to several big Xen VM farms, which led to e.g. https://aws.amazon.com/premiumsupport/maintenance-2015-03/

Hi list, Are the recent Xen XSA's (199-204) updates going to be released soon? http://xenbits.xen.org/xsa/ -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos-virt/attachments/20170102/575997f6/attachment.html>

It looks like no XSA-142 patch, which is "libxl fails to honour readonly flag on disks with qemu-xen" has been applied to Xen4CentOS. I assume this was on purpose? If not, I can have someone try adding the original patch from http://xenbits.xen.org/xsa/advisory-142.html and some variant of the commit from ef6cb76026628e26e3d1ae53c50ccde1c3c78b1b

Xen 4.4.4 along with kernel 4.9.44 containing patches for XSAs (226 - 230) from August 15th are now available in centos-virt-testing. If possible, please test and provide feedback here so we can move these to release soon. XSA-228 did not affect Xen 4.4 XSA-229 only applies to the kernel XSA-235 disclosed today only affects ARM and isn't going to be added to these packages. Thanks. --

Source: xen Version: 4.8.1~pre.2017.01.23-1 Severity: grave Tags: security upstream Justification: user security hole Hi, the following vulnerability was published for xen. CVE-2017-7228[0]: | An issue (known as XSA-212) was discovered in Xen, with fixes available | for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA-29 fix | introduced an insufficient check on XENMEM_exchange input,

Hello Debian Xen team, I have two questions regarding Xen vulnerability CVE-2015-3456 / XSA-133 / "Venom" in Debian [1]: * I noticed that [1] says 4.4.1-9 not to be vulnerable ("fixed") but according to the Debian Changelog [2] 4.4.1-9 appeared in Debian before XSA-133 was published and xen_4.4.1-9.debian.tar.xz [3] does not seem to contain any XSA-133 patch.

Aiming at a release later in October (before Xen Summit I would hope), I''d like to cut RC1 next week. Please indicate any bug fixes that so far may have been missed in the backports already done. Jan

Source: xen Severity: important Tags: security Hi, please see http://xenbits.xen.org/xsa/advisory-116.html for details and a patch. Cheers, Moritz

On 01/02/2017 11:05 AM, Brandon Shoemaker wrote: > Hi list, > > > > Are the recent Xen XSA?s (199-204) updates going to be released soon? > > > > http://xenbits.xen.org/xsa/ They are in the testing repo .. waiting on feedback that they work. http://buildlogs.centos.org/centos/7/virt/ (or /6/ as well) -------------- next part -------------- A non-text

On 01/03/2017 02:29 AM, Johnny Hughes wrote: > On 01/02/2017 11:05 AM, Brandon Shoemaker wrote: >> Hi list, >> >> >> >> Are the recent Xen XSA?s (199-204) updates going to be released soon? >> >> >> >> http://xenbits.xen.org/xsa/ > > They are in the testing repo .. waiting on feedback that they work. > > >

Kevin has been rolling back the security updates to the 4.4 branch. He has been working with some of the other distros (debian for sure, and some others on the xen security list). I think it is his intention to continue this for as long as he is able to. (Kevin, chime in if you have a schedule lifetime or EOL in mind) As long as Kevin (or anyone else) maintains the tree, I am happy to build

I've got a first cut of the rebase here: git://github.com/gwd/sig-virt-xen out/update-4.4.1-rc1-ee81dda-RFC To build it, you'll need to download the polarssl tarball: http://xenbits.xen.org/xen-extfiles/polarssl-1.1.4-gpl.tgz And you'll need a tarball based on (unfortunately) a private tree, which you can find here: git://github.com/gwd/xen base/update-4.4.1-rc1-ee81dda-RFC This

Given the circumstances, might it make sense to offer formal advisories of some type for these to indicate when the packages going to live are for security or other reasons? On 02/17/2017 09:51 AM, Johnny Hughes wrote: > These updates have now been pushed to mirror.centos.org and you can get > them from the main repos. > > On 02/15/2017 08:27 AM, Johnny Hughes wrote: >> There

xen 4.6.1-5 has been build and should be available in buildlogs soon (available via the centos-virt-xen-testing repo). More information can be found here: http://xenbits.xen.org/xsa/advisory-172.html A signed copy should hit the mirrors tomorrow. Please report any problems on this list. Thanks, -George