similar to: No separate XSA-162 package

I've got a first cut of the rebase here: git://github.com/gwd/sig-virt-xen out/update-4.4.1-rc1-ee81dda-RFC To build it, you'll need to download the polarssl tarball: http://xenbits.xen.org/xen-extfiles/polarssl-1.1.4-gpl.tgz And you'll need a tarball based on (unfortunately) a private tree, which you can find here: git://github.com/gwd/xen base/update-4.4.1-rc1-ee81dda-RFC This

On 02/17/2017 02:32 PM, Kevin Stange wrote: > Given the circumstances, might it make sense to offer formal advisories > of some type for these to indicate when the packages going to live are > for security or other reasons? > We release xen every 2nd (even numbered) release as a goal (4.4, 4.6, 4.8) We don't normally release anything other than security updates. This is a SIG

On Wed, Feb 17, 2016 at 12:30 PM, George Dunlap <dunlapg at umich.edu> wrote: > I have the following packages going through the CBS: > * A CentOS 7 xen-4.6.1-2, with XSAs 170 and 154 > * A CentOS 6 xen-4.6.1-2, with XSAs 170 and 154 > * A CentOS 6 xen-4.4.3-11, with XSAs 170 > > All these should show up in mirrors hopefully sometime later today. > As usual, please report

I've built & tagged packages for CentOS 6 and 7 4.6.6-9, with XPTI "stage 1" Meltdown mitigation. This will allow 64-bit PV guests to run safely (with a few caveats), but incurs a fairly significant slowdown for 64-bit PV guests on Intel boxes (including domain 0). If you prefer using Vixen / Comet, you can turn it off by adding 'xpti=0' to your Xen command-line.

On Thu, Nov 19, 2015 at 12:28 PM, George Dunlap <dunlapg at umich.edu> wrote: > On Wed, Nov 18, 2015 at 1:31 PM, Pasi K?rkk?inen <pasik at iki.fi> wrote: >> On Wed, Nov 18, 2015 at 02:20:49PM +0200, Manuel Wolfshant wrote: >>> On 11/18/2015 02:08 PM, Pasi K?rkk?inen wrote: >>> >Hello, >>> > >>> >On Sun, Nov 15, 2015 at 06:42:18PM

Thanks George. As there are now quite many options to choose from, what would be the best option performance wise for running 32bit domUs under xen-4.6? Best, Peter On Wed, Jan 17, 2018 at 7:14 PM, George Dunlap <dunlapg at umich.edu> wrote: > I've built & tagged packages for CentOS 6 and 7 4.6.6-9, with XPTI > "stage 1" Meltdown mitigation. > > This will

xen 4.6.1-5 has been build and should be available in buildlogs soon (available via the centos-virt-xen-testing repo). More information can be found here: http://xenbits.xen.org/xsa/advisory-172.html A signed copy should hit the mirrors tomorrow. Please report any problems on this list. Thanks, -George

To install the package: yum --enablerepo=virt-xen-VV-testing xen-vixen Where VV is '44', '46', or '48', depending on which version you're using. (It's the same package for all versions.) This will install the xen-vixen "shim" binary, as well as the pvshim-converter script. See XSA-254 [1] for detailed information about who should use it, why, and

On Wed, Nov 18, 2015 at 1:31 PM, Pasi K?rkk?inen <pasik at iki.fi> wrote: > On Wed, Nov 18, 2015 at 02:20:49PM +0200, Manuel Wolfshant wrote: >> On 11/18/2015 02:08 PM, Pasi K?rkk?inen wrote: >> >Hello, >> > >> >On Sun, Nov 15, 2015 at 06:42:18PM +0200, Pasi K?rkk?inen wrote: >> >>On Sun, Nov 15, 2015 at 02:04:58PM +0200, Pasi K?rkk?inen wrote:

Ian Jackson writes ("64bit PV guest breakout [XSA-213]"): > Source: xen > Version: 4.4.1-9 > Severity: important > Tags: security upstream fixed-upstream > > See > https://xenbits.xen.org/xsa/advisory-213.html Ian Jackson writes ("grant transfer allows PV guest to elevate privileges [XSA-214]"): > Source: xen > Version: 4.4.1-9 > Severity:

Dear Security Team, I have prepared a new upload addressing a number of open security issues in Xen. Due to the complexity of the patches that address XSA-273 [0] the packages have been built from upstream's staging-4.8 / staging-4.10 branch again as recommended in that advisory. Commits on those branches are restricted to those that address the following XSAs (cf. [1]): - XSA-273

I've got Xen 4.4.2 in virt6-testing. I haven't had a chance to test it, and won't for another week or two; but if some volunteers can put it through its paces, I can ask Johnny to push it to the public repo sometome early next week. Thanks, -George

It looks like no XSA-142 patch, which is "libxl fails to honour readonly flag on disks with qemu-xen" has been applied to Xen4CentOS. I assume this was on purpose? If not, I can have someone try adding the original patch from http://xenbits.xen.org/xsa/advisory-142.html and some variant of the commit from ef6cb76026628e26e3d1ae53c50ccde1c3c78b1b

The Xen Project has publicly released XSA-138: http://xenbits.xen.org/xsa/advisory-138.html All users using HVM (fully virtualized) guests with emulated CDROM drives are advised to upgrade. There are signed versions of Xen4CentOS6 packages uploaded to the mirror system. There are also unsigned packages available on the CBS: http://cbs.centos.org/repos/virt6-testing/x86_64/os/Packages/

George has built and I have pushed to virt6-xen-common-testing and virt7-xen-common-testing the kernel-3.18.25-19 kernel. Please test this kernel and we can release it. It also has the fix for XSA-171: http://xenbits.xen.org/xsa/advisory-171.html Thanks, Johnny Hughes -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type:

Xen 4.6.3-3 packages, with XSA-190, are currently making their way through the build system. The vulnerability is an intra-guest information leak (i.e., between different processes in the same VM). More information here: https://xenbits.xen.org/xsa/advisory-190.html -George

On Thu, Nov 12, 2015 at 2:03 PM, Manuel Wolfshant <wolfy at nobugconsulting.ro> wrote: > On 11/12/2015 04:00 PM, George Dunlap wrote: >> >> To update to the new repository structure, install the >> centos-release-xen package directly from the new repo: >> >> yum >>

Hello Debian Xen team, I have two questions regarding Xen vulnerability CVE-2015-3456 / XSA-133 / "Venom" in Debian [1]: * I noticed that [1] says 4.4.1-9 not to be vulnerable ("fixed") but according to the Debian Changelog [2] 4.4.1-9 appeared in Debian before XSA-133 was published and xen_4.4.1-9.debian.tar.xz [3] does not seem to contain any XSA-133 patch.

On Thu, Apr 23, 2015 at 5:09 PM, George Dunlap <dunlapg at umich.edu> wrote: > I've got Xen 4.4.2 in virt6-testing. I haven't had a chance to test > it, and won't for another week or two; but if some volunteers can put > it through its paces, I can ask Johnny to push it to the public repo > sometome early next week. Unless there are any objections, I'll ask for

(*Really* switching to my personal address not because I'm not doing work for Citrix, but because the corporate email is not working properly. Sigh. Also, email updated a bit.) Ian Jackson writes ("Re: Updated Xen packages for XSA 216..225"): > Ian Jackson writes ("Re: Updated Xen packages for XSA 216..225"): > > Hi. I was away and am now back. There are a lot