Displaying 20 results from an estimated 1000 matches similar to: "Updated Xen packages for XSA 216..225"
2017 Sep 12
3
Updated Xen packages for XSA 216..225
Moritz Mühlenhoff writes ("Re: Updated Xen packages for XSA 216..225"):
> Sorry for the late reply. The updates look fine and I've written
> up an advisory text.
>
> I don't use Xen myself and don't have a test setup. Have these
> been tested on a jessie/stretch system already or shall we pass
> these to users who've volunteered for tests in the past?
2017 Sep 04
3
Updated Xen packages for XSA 216..225
On Mon, Aug 07, 2017 at 01:15:56PM +0200, Moritz Muehlenhoff wrote:
> On Mon, Jul 17, 2017 at 03:58:20PM +0100, Ian Jackson wrote:
> > Salvatore Bonaccorso writes ("Re: Updated Xen packages for XSA 216..225"):
> > > On Tue, Jul 11, 2017 at 11:34:38PM +0200, Moritz Muehlenhoff wrote:
> > > > On Mon, Jul 03, 2017 at 12:33:54PM +0100, Ian Jackson wrote:
>
2017 Jul 17
2
Updated Xen packages for XSA 216..225
Salvatore Bonaccorso writes ("Re: Updated Xen packages for XSA 216..225"):
> On Tue, Jul 11, 2017 at 11:34:38PM +0200, Moritz Muehlenhoff wrote:
> > On Mon, Jul 03, 2017 at 12:33:54PM +0100, Ian Jackson wrote:
> > > Moritz Mühlenhoff writes ("Re: Updated Xen packages for XSA 216..225"):
> > > > Sorry for the late reply, was on vacation for a week.
2017 Sep 13
2
Updated Xen packages for XSA 216..225
Moritz Mühlenhoff writes ("Re: Updated Xen packages for XSA 216..225"):
> Since the queue was already quite big and this update was ready
> I went ahead and released what we had for now.
Yes, sorry, I should have been explicit that that's what I expected
you to do...
Ian.
2017 Jul 11
2
Updated Xen packages for XSA 216..225
On Mon, Jul 03, 2017 at 12:33:54PM +0100, Ian Jackson wrote:
> Moritz Mühlenhoff writes ("Re: Updated Xen packages for XSA 216..225"):
> > Sorry for the late reply, was on vacation for a week. What's the status
> > of jessie? Most of the XSAs seem to affect oldstable as well.
>
> Sorry, I forgot about them...
>
> I will see what I can do.
Did you look
2017 Jul 02
2
Updated Xen packages for XSA 216..225
On Tue, Jun 20, 2017 at 02:06:17PM +0100, Ian Jackson wrote:
> Ian Jackson writes ("Updated Xen packages for XSA 216..225"):
> > FYI I will have an upload ready RSN. Where should I send it ?
> >
> > Matthew Vernon has offered to test my amd64 binaries. I will test the
> > i386 packages myself.
>
> In fact, I have built and tested amd64 binaries.
2012 Dec 03
0
Uncontrolled disclosure of advisories XSA-26 to XSA-32
We just sent the message below to the security advisory predisclosure
list, relating to the release of XSA-26 to XSA-32. As you will see,
these have now been publicly released.
We'll have a proper conversation about this in a week or two.
Thanks for your attention,
Ian.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We regret to announce that a member of the predisclosure list
2015 May 13
0
Xen Security Advisory 133 (CVE-2015-3456) - Privilege escalation via emulated floppy disk drive
xen-4.4.2-2, available from the virt6-testing repository, includes the
fix for this issue.
Note that Xen actually does attempt to disable the floppy disk for HVM
domains by default, but due to a bug in qemu, the floppy disk is only
partially disabled; enough functionality to exploit this bug remains.
This should be available from the normal xen4 repositories sometime
this afternoon.
-George
2015 Mar 10
2
Bug#780227: XSA-123 / CVE-2015-2151 Hypervisor memory corruption due to x86 emulator flaw
Package: xen-hypervisor-4.1-amd64
Version: 4.1.4-3+deb7u4
Severity: critical
Hi,
Not sure how come I'm the first one to file this kind of a bug report :)
but here goes JFTR...
http://xenbits.xen.org/xsa/advisory-123.html was embargoed, but advance
warning was given to several big Xen VM farms, which led to e.g.
https://aws.amazon.com/premiumsupport/maintenance-2015-03/
2017 Jun 20
4
Updated Xen packages for XSA 216..225
FYI I will have an upload ready RSN. Where should I send it ?
Matthew Vernon has offered to test my amd64 binaries. I will test the
i386 packages myself.
Ian.
2017 May 04
4
Xen package security updates for jessie 4.4, XSA-213, XSA-214
Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"):
> Yes, the distribution line should be jessie-security, but please send
> a debdiff to team at security.debian.org for a quick review before
> uploading (I have no idea whether dgit supports security-master).
Here is the proposed debdiff (actually, a git diff) for xen in jessie.
My
2019 Jun 28
0
Are XSA-289, XSA-274/CVE-2018-14678 fixed ?
Looks like this never got a response from anyone.
On 6/25/19 10:15 AM, Yuriy Kohut wrote:
> Hello,
>
> Are XSA-289 and XSA-274/CVE-2018-14678 fixed with Xen recent 4.8, 4.10 and kernel 4.9.177 packages ?
XSA-289 is a tricky subject. In the end, it was effectively decided
that these patches were not recommended until they were reviewed again
and XSA-289 has no official list of flaws
2013 Dec 02
0
Xen Security Advisory 82 (CVE-2013-6885) - Guest triggerable AMD CPU erratum may cause host hang
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2013-6885 / XSA-82
version 3
Guest triggerable AMD CPU erratum may cause host hang
UPDATES IN VERSION 3
====================
Early public release.
This issue was predisclosed under embargo by the Xen Project Security
team, on the 27th of November. We treated the issue
2017 May 04
2
Xen package security updates for jessie 4.4, XSA-213, XSA-214
Ian Jackson writes ("64bit PV guest breakout [XSA-213]"):
> Source: xen
> Version: 4.4.1-9
> Severity: important
> Tags: security upstream fixed-upstream
>
> See
> https://xenbits.xen.org/xsa/advisory-213.html
Ian Jackson writes ("grant transfer allows PV guest to elevate privileges [XSA-214]"):
> Source: xen
> Version: 4.4.1-9
> Severity:
2017 Feb 18
0
Xen updates in the Testing Repo for XSA-207 and XSA-208
On 02/17/2017 02:32 PM, Kevin Stange wrote:
> Given the circumstances, might it make sense to offer formal advisories
> of some type for these to indicate when the packages going to live are
> for security or other reasons?
>
We release xen every 2nd (even numbered) release as a goal (4.4, 4.6, 4.8)
We don't normally release anything other than security updates. This is
a SIG
2017 Nov 28
0
4.4.4-26 with XSA-226, 227, 230 in centos-virt-testing
On 11/28/2017 10:11 AM, Johnny Hughes wrote:
> Kevin has been rolling back the security updates to the 4.4 branch. He
> has been working with some of the other distros (debian for sure, and
> some others on the xen security list).
>
> I think it is his intention to continue this for as long as he is able
> to. (Kevin, chime in if you have a schedule lifetime or EOL in mind)
2018 Aug 15
6
Xen Security Update - XSA-{268,269,272,273}
Dear Security Team,
I have prepared a new upload addressing a number of open security
issues in Xen.
Due to the complexity of the patches that address XSA-273 [0] the
packages have been built from upstream's staging-4.8 / staging-4.10
branch again as recommended in that advisory. Commits on those branches
are restricted to those that address the following XSAs (cf. [1]):
- XSA-273
2015 May 15
2
CVE-2015-3456 / XSA-133 / "Venom" @ Debian Xen
Hello Debian Xen team,
I have two questions regarding Xen vulnerability CVE-2015-3456 / XSA-133
/ "Venom" in Debian [1]:
* I noticed that [1] says 4.4.1-9 not to be vulnerable ("fixed")
but according to the Debian Changelog [2] 4.4.1-9 appeared
in Debian before XSA-133 was published and
xen_4.4.1-9.debian.tar.xz [3] does not seem to contain
any XSA-133 patch.
2019 Jun 25
2
Are XSA-289, XSA-274/CVE-2018-14678 fixed ?
Hello,
Are XSA-289 and XSA-274/CVE-2018-14678 fixed with Xen recent 4.8, 4.10 and kernel 4.9.177 packages ?
Thank you
2017 May 04
2
Bug#861660: Xen package security updates for jessie 4.4, XSA-213, XSA-214
Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"):
> On Thu, May 04, 2017 at 05:59:18PM +0100, Ian Jackson wrote:
> > Should I put jessie-security in the debian/changelog and dgit push it
> > (ie, from many people's pov, dput it) ?
>
> Yes, the distribution line should be jessie-security, but please send
> a