similar to: Xen 4.6.3-3: Import XSA-190

Displaying 20 results from an estimated 20000 matches similar to: "Xen 4.6.3-3: Import XSA-190"

2017 Feb 18
0
Xen updates in the Testing Repo for XSA-207 and XSA-208
On 02/17/2017 02:32 PM, Kevin Stange wrote: > Given the circumstances, might it make sense to offer formal advisories > of some type for these to indicate when the packages going to live are > for security or other reasons? > We release xen every 2nd (even numbered) release as a goal (4.4, 4.6, 4.8) We don't normally release anything other than security updates. This is a SIG
2017 Feb 17
2
Xen updates in the Testing Repo for XSA-207 and XSA-208
Given the circumstances, might it make sense to offer formal advisories of some type for these to indicate when the packages going to live are for security or other reasons? On 02/17/2017 09:51 AM, Johnny Hughes wrote: > These updates have now been pushed to mirror.centos.org and you can get > them from the main repos. > > On 02/15/2017 08:27 AM, Johnny Hughes wrote: >> There
2014 Jul 07
2
Xen 4.4.1-rc1+ rebase
I've got a first cut of the rebase here: git://github.com/gwd/sig-virt-xen out/update-4.4.1-rc1-ee81dda-RFC To build it, you'll need to download the polarssl tarball: http://xenbits.xen.org/xen-extfiles/polarssl-1.1.4-gpl.tgz And you'll need a tarball based on (unfortunately) a private tree, which you can find here: git://github.com/gwd/xen base/update-4.4.1-rc1-ee81dda-RFC This
2017 May 04
2
Xen package security updates for jessie 4.4, XSA-213, XSA-214
Ian Jackson writes ("64bit PV guest breakout [XSA-213]"): > Source: xen > Version: 4.4.1-9 > Severity: important > Tags: security upstream fixed-upstream > > See > https://xenbits.xen.org/xsa/advisory-213.html Ian Jackson writes ("grant transfer allows PV guest to elevate privileges [XSA-214]"): > Source: xen > Version: 4.4.1-9 > Severity:
2015 May 15
2
CVE-2015-3456 / XSA-133 / "Venom" @ Debian Xen
Hello Debian Xen team, I have two questions regarding Xen vulnerability CVE-2015-3456 / XSA-133 / "Venom" in Debian [1]: * I noticed that [1] says 4.4.1-9 not to be vulnerable ("fixed") but according to the Debian Changelog [2] 4.4.1-9 appeared in Debian before XSA-133 was published and xen_4.4.1-9.debian.tar.xz [3] does not seem to contain any XSA-133 patch.
2018 Aug 15
6
Xen Security Update - XSA-{268,269,272,273}
Dear Security Team, I have prepared a new upload addressing a number of open security issues in Xen. Due to the complexity of the patches that address XSA-273 [0] the packages have been built from upstream's staging-4.8 / staging-4.10 branch again as recommended in that advisory. Commits on those branches are restricted to those that address the following XSAs (cf. [1]): - XSA-273
2017 Apr 04
4
Bug#859560: xen: CVE-2017-7228: x86: broken check in memory_exchange() permits PV guest breakout (XSA-212)
Source: xen Version: 4.8.1~pre.2017.01.23-1 Severity: grave Tags: security upstream Justification: user security hole Hi, the following vulnerability was published for xen. CVE-2017-7228[0]: | An issue (known as XSA-212) was discovered in Xen, with fixes available | for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA-29 fix | introduced an insufficient check on XENMEM_exchange input,
2018 Jan 17
4
Xen 4.6.6-9 (with XPTI meltdown mitigation) packages making their way to centos-virt-xen-testing
I've built & tagged packages for CentOS 6 and 7 4.6.6-9, with XPTI "stage 1" Meltdown mitigation. This will allow 64-bit PV guests to run safely (with a few caveats), but incurs a fairly significant slowdown for 64-bit PV guests on Intel boxes (including domain 0). If you prefer using Vixen / Comet, you can turn it off by adding 'xpti=0' to your Xen command-line.
2015 May 02
2
Bug#784011: xen: CVE-2015-3340: Information leak through XEN_DOMCTL_gettscinfo (XSA-132)
Source: xen Version: 4.4.1-9 Severity: normal Tags: security upstream patch fixed-upstream Hi, the following vulnerability was published for xen. CVE-2015-3340[0]: | Xen 4.2.x through 4.5.x does not initialize certain fields, which | allows certain remote service domains to obtain sensitive information | from memory via a (1) XEN_DOMCTL_gettscinfo or (2) | XEN_SYSCTL_getdomaininfolist request.
2015 Nov 19
3
CentOS 6 Xen package update (including XSA-156)
On Wed, Nov 18, 2015 at 1:31 PM, Pasi Kärkkäinen <pasik at iki.fi> wrote: > On Wed, Nov 18, 2015 at 02:20:49PM +0200, Manuel Wolfshant wrote: >> On 11/18/2015 02:08 PM, Pasi Kärkkäinen wrote: >> >Hello, >> > >> >On Sun, Nov 15, 2015 at 06:42:18PM +0200, Pasi Kärkkäinen wrote: >> >>On Sun, Nov 15, 2015 at 02:04:58PM +0200, Pasi Kärkkäinen wrote:
2023 Feb 18
1
Bug#1031567: xen: CVE-2022-27672: XSA-426: x86: Cross-Thread Return Address Predictions
Source: xen Version: 4.17.0+24-g2f8851c37f-2 Severity: grave Tags: security upstream X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org> Hi, The following vulnerability was published for xen, filing with RC severity (for ideally fixed before bookworm release): CVE-2022-27672[0]: | When SMT is enabled, certain AMD processors may speculatively execute |
2016 Mar 29
1
XSA-172
xen 4.6.1-5 has been built and should be available in buildlogs soon (available via the centos-virt-xen-testing repo). More information can be found here: http://xenbits.xen.org/xsa/advisory-172.html A signed copy should hit the mirrors tomorrow. Please report any problems on this list. Thanks, -George
2018 Jan 16
1
"Vixen" HVM shim package available in virt-xen-testing
To install the package: yum --enablerepo=virt-xen-VV-testing install xen-vixen Where VV is '44', '46', or '48', depending on which version you're using. (It's the same package for all versions.) This will install the xen-vixen "shim" binary, as well as the pvshim-converter script. See XSA-254 [1] for detailed information about who should use it, why, and
2015 Nov 25
0
CentOS 6 Xen package update (including XSA-156)
On Thu, Nov 19, 2015 at 12:28 PM, George Dunlap <dunlapg at umich.edu> wrote: > On Wed, Nov 18, 2015 at 1:31 PM, Pasi Kärkkäinen <pasik at iki.fi> wrote: >> On Wed, Nov 18, 2015 at 02:20:49PM +0200, Manuel Wolfshant wrote: >>> On 11/18/2015 02:08 PM, Pasi Kärkkäinen wrote: >>> >Hello, >>> > >>> >On Sun, Nov 15, 2015 at 06:42:18PM
2018 Jan 18
0
Xen 4.6.6-9 (with XPTI meltdown mitigation) packages making their way to centos-virt-xen-testing
Thanks George. As there are now quite many options to choose from, what would be the best option performance wise for running 32bit domUs under xen-4.6? Best, Peter On Wed, Jan 17, 2018 at 7:14 PM, George Dunlap <dunlapg at umich.edu> wrote: > I've built & tagged packages for CentOS 6 and 7 4.6.6-9, with XPTI > "stage 1" Meltdown mitigation. > > This will
2012 Dec 18
2
[ANNOUNCE] Xen 4.1.4 released
Folks, I am pleased to announce the release of Xen 4.1.4. This is available immediately from its mercurial repository: http://xenbits.xen.org/xen-4.1-testing.hg (tag RELEASE-4.1.4) This fixes the following critical vulnerabilities: * CVE-2012-3494 / XSA-12: hypercall set_debugreg vulnerability * CVE-2012-3495 / XSA-13: hypercall physdev_get_free_pirq vulnerability * CVE-2012-3496 /
2015 Dec 10
1
Xen4CentOS and XSA-142
It looks like no XSA-142 patch, which is "libxl fails to honour readonly flag on disks with qemu-xen" has been applied to Xen4CentOS. I assume this was on purpose? If not, I can have someone try adding the original patch from http://xenbits.xen.org/xsa/advisory-142.html and some variant of the commit from ef6cb76026628e26e3d1ae53c50ccde1c3c78b1b
2015 Apr 23
3
Xen 4.4.2 (with XSA-132) in virt6-testing
I've got Xen 4.4.2 in virt6-testing. I haven't had a chance to test it, and won't for another week or two; but if some volunteers can put it through its paces, I can ask Johnny to push it to the public repo sometime early next week. Thanks, -George
2015 Nov 30
0
No separate XSA-162 package
Hey all, just a heads-up: XSA-162 [1] was released to the public this morning at 0600 UTC. It is, however, a bug in a non-default network card with a simple work-around (don't use that network card). Since there are a large number of updates due next week, and this is a fairly low-priority one, I decided not to do a package release specifically for it, and to include all the updates (through
2017 Sep 07
2
Updated Xen packages for XSA 216..225
(*Really* switching to my personal address not because I'm not doing work for Citrix, but because the corporate email is not working properly. Sigh. Also, email updated a bit.) Ian Jackson writes ("Re: Updated Xen packages for XSA 216..225"): > Ian Jackson writes ("Re: Updated Xen packages for XSA 216..225"): > > Hi. I was away and am now back. There are a lot