similar to: Xen package security updates for jessie 4.4, XSA-213, XSA-214

Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"): > On Thu, May 04, 2017 at 05:59:18PM +0100, Ian Jackson wrote: > > Should I put jessie-security in the debian/changelog and dgit push it > > (ie, from many people's pov, dput it) ? > > Yes, the distribution line should be jessie-security, but please send > a

Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"): > On Thu, May 04, 2017 at 05:06:07PM +0100, Ian Jackson wrote: > > I have fixed these in stretch but the jessie package remains unfixed. > > I think I may be able to find some backports somewhere. Would that be > > useful ? Is anyone else working on this ? > >

Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"): > Yes, the distribution line should be jessie-security, but please send > a debdiff to team at security.debian.org for a quick review before > uploading (I have no idea whether dgit supports security-master). Here is the proposed debdiff (actually, a git diff) for xen in jessie. My

Source: xen Version: 4.8.1~pre.2017.01.23-1 Severity: grave Tags: security upstream Justification: user security hole Hi, the following vulnerability was published for xen. CVE-2017-7228[0]: | An issue (known as XSA-212) was discovered in Xen, with fixes available | for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA-29 fix | introduced an insufficient check on XENMEM_exchange input,

Salvatore Bonaccorso writes ("Re: Updated Xen packages for XSA 216..225"): > On Tue, Jul 11, 2017 at 11:34:38PM +0200, Moritz Muehlenhoff wrote: > > On Mon, Jul 03, 2017 at 12:33:54PM +0100, Ian Jackson wrote: > > > Moritz M?hlenhoff writes ("Re: Updated Xen packages for XSA 216..225"): > > > > Sorry for the late reply, was on vacation for a week.

Package: xen-hypervisor-4.1-amd64 Version: 4.1.4-3+deb7u4 Severity: critical Hi, Not sure how come I'm the first one to file this kind of a bug report :) but here goes JFTR... http://xenbits.xen.org/xsa/advisory-123.html was embargoed, but advance warning was given to several big Xen VM farms, which led to e.g. https://aws.amazon.com/premiumsupport/maintenance-2015-03/

On Mon, Jul 03, 2017 at 12:33:54PM +0100, Ian Jackson wrote: > Moritz M?hlenhoff writes ("Re: Updated Xen packages for XSA 216..225"): > > Sorry for the late reply, was on vacation for a week. What's the status > > of jessie? Most of the XSAs seem to affect oldstable as well. > > Sorry, I forgot about them... > > I will see what I can do. Did you look

FYI I will have an upload ready RSN. Where should I send it ? Matthew Vernon has offered to test my amd64 binaries. I will test the i386 packages myself. Ian.

Moritz M?hlenhoff writes ("Re: Updated Xen packages for XSA 216..225"): > Since the queue was already quite big and this update was ready > I went ahead and released what we had for now. Yes, sorry, I should have been explicit that that's what I expected you to do... Ian.

Hello Debian Xen team, I have two questions regarding Xen vulnerability CVE-2015-3456 / XSA-133 / "Venom" in Debian [1]: * I noticed that [1] says 4.4.1-9 not to be vulnerable ("fixed") but according to the Debian Changelog [2] 4.4.1-9 appeared in Debian before XSA-133 was published and xen_4.4.1-9.debian.tar.xz [3] does not seem to contain any XSA-133 patch.

On Mon, Aug 07, 2017 at 01:15:56PM +0200, Moritz Muehlenhoff wrote: > On Mon, Jul 17, 2017 at 03:58:20PM +0100, Ian Jackson wrote: > > Salvatore Bonaccorso writes ("Re: Updated Xen packages for XSA 216..225"): > > > On Tue, Jul 11, 2017 at 11:34:38PM +0200, Moritz Muehlenhoff wrote: > > > > On Mon, Jul 03, 2017 at 12:33:54PM +0100, Ian Jackson wrote: >

Source: xen Version: 4.4.1-9 Severity: normal Tags: security upstream patch fixed-upstream Hi, the following vulnerability was published for xen. CVE-2015-3340[0]: | Xen 4.2.x through 4.5.x does not initialize certain fields, which | allows certain remote service domains to obtain sensitive information | from memory via a (1) XEN_DOMCTL_gettscinfo or (2) | XEN_SYSCTL_getdomaininfolist request.

Source: xen Severity: grave Tags: security Multiple vulnerabilities are unfixed in xen: CVE-2015-5307: http://xenbits.xen.org/xsa/advisory-156.html CVE-2016-3960 http://xenbits.xen.org/xsa/advisory-173.html CVE-2016-3159 / CVE-2016-3158 http://xenbits.xen.org/xsa/advisory-172.html CVE-2016-2271 http://xenbits.xen.org/xsa/advisory-170.html CVE-2016-2270

Source: xen Severity: grave Tags: security The following security issues are still open in 4.4.0-1: Xen Security Advisory CVE-2014-2599 / XSA-89 https://marc.info/?l=oss-security&m=139643934717922&w=2 Xen Security Advisory CVE-2014-3124 / XSA-92 https://marc.info/?l=oss-security&m=139894169729664&w=2 Xen Security Advisory CVE-2014-3967,CVE-2014-3968 / XSA-96

Dear Security Team, I have prepared a new upload addressing a number of open security issues in Xen. Due to the complexity of the patches that address XSA-273 [0] the packages have been built from upstream's staging-4.8 / staging-4.10 branch again as recommended in that advisory. Commits on those branches are restricted to those that address the following XSAs (cf. [1]): - XSA-273

Hello, Are XSA-289 and XSA-274/CVE-2018-14678 fixed with Xen recent 4.8, 4.10 and kernel 4.9.177 packages ? Thank you

Source: xen Severity: important Tags: security Please see http://xenbits.xen.org/xsa/advisory-125.html http://xenbits.xen.org/xsa/advisory-126.html http://xenbits.xen.org/xsa/advisory-127.html Cheers, Moritz

Xen 4.4.4 along with kernel 4.9.44 containing patches for XSAs (226 - 230) from August 15th are now available in centos-virt-testing. If possible, please test and provide feedback here so we can move these to release soon. XSA-228 did not affect Xen 4.4 XSA-229 only applies to the kernel XSA-235 disclosed today only affects ARM and isn't going to be added to these packages. Thanks. --

Source: xen Severity: important Tags: security Hi, please see http://xenbits.xen.org/xsa/advisory-116.html for details and a patch. Cheers, Moritz

It looks like no XSA-142 patch, which is "libxl fails to honour readonly flag on disks with qemu-xen" has been applied to Xen4CentOS. I assume this was on purpose? If not, I can have someone try adding the original patch from http://xenbits.xen.org/xsa/advisory-142.html and some variant of the commit from ef6cb76026628e26e3d1ae53c50ccde1c3c78b1b