similar to: OT?: NetBSD domU on linux dom0 (XSA-240?)

Hi list, Jeff and FastIce pointed out a regression between Xen 4.1.2 and 4.1.6 when starting NetBSD domU; the kernel syms table gets slightly corrupted [1]. After dwelling into libxc code, FastIce noticed that changing back the return value to "ptr + offset" (instead of just "ptr") for xc_dom_vaddr_to_ptr() makes it work again. According to [2] while fixing XSA-55, Ian

We just sent the message below to the security advisory predisclosure list, relating to the release of XSA-26 to XSA-32. As you will see, these have now been publicly released. We''ll have a proper conversation about this in a week or two. Thanks for your attention, Ian. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 We regret to announce that a member of the predisclosure list

Looks like this never got a response from anyone. On 6/25/19 10:15 AM, Yuriy Kohut wrote: > Hello, > > Are XSA-289 and XSA-274/CVE-2018-14678 fixed with Xen recent 4.8, 4.10 and kernel 4.9.177 packages ? XSA-289 is a tricky subject. In the end, it was effectively decided that these patches were not recommended until they were reviewed again and XSA-289 has no official list of flaws

Ian Jackson writes ("64bit PV guest breakout [XSA-213]"): > Source: xen > Version: 4.4.1-9 > Severity: important > Tags: security upstream fixed-upstream > > See > https://xenbits.xen.org/xsa/advisory-213.html Ian Jackson writes ("grant transfer allows PV guest to elevate privileges [XSA-214]"): > Source: xen > Version: 4.4.1-9 > Severity:

On 02/17/2017 02:32 PM, Kevin Stange wrote: > Given the circumstances, might it make sense to offer formal advisories > of some type for these to indicate when the packages going to live are > for security or other reasons? > We release xen every 2nd (even numbered) release as a goal (4.4, 4.6, 4.8) We don't normally release anything other than security updates. This is a SIG

On 11/28/2017 10:11 AM, Johnny Hughes wrote: > Kevin has been rolling back the security updates to the 4.4 branch. He > has been working with some of the other distros (debian for sure, and > some others on the xen security list). > > I think it is his intention to continue this for as long as he is able > to. (Kevin, chime in if you have a schedule lifetime or EOL in mind)

Dear Security Team, I have prepared a new upload addressing a number of open security issues in Xen. Due to the complexity of the patches that address XSA-273 [0] the packages have been built from upstream's staging-4.8 / staging-4.10 branch again as recommended in that advisory. Commits on those branches are restricted to those that address the following XSAs (cf. [1]): - XSA-273

Hello Debian Xen team, I have two questions regarding Xen vulnerability CVE-2015-3456 / XSA-133 / "Venom" in Debian [1]: * I noticed that [1] says 4.4.1-9 not to be vulnerable ("fixed") but according to the Debian Changelog [2] 4.4.1-9 appeared in Debian before XSA-133 was published and xen_4.4.1-9.debian.tar.xz [3] does not seem to contain any XSA-133 patch.

Hello, Are XSA-289 and XSA-274/CVE-2018-14678 fixed with Xen recent 4.8, 4.10 and kernel 4.9.177 packages ? Thank you

Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"): > On Thu, May 04, 2017 at 05:59:18PM +0100, Ian Jackson wrote: > > Should I put jessie-security in the debian/changelog and dgit push it > > (ie, from many people's pov, dput it) ? > > Yes, the distribution line should be jessie-security, but please send > a

Salvatore Bonaccorso writes ("Re: Updated Xen packages for XSA 216..225"): > On Tue, Jul 11, 2017 at 11:34:38PM +0200, Moritz Muehlenhoff wrote: > > On Mon, Jul 03, 2017 at 12:33:54PM +0100, Ian Jackson wrote: > > > Moritz M?hlenhoff writes ("Re: Updated Xen packages for XSA 216..225"): > > > > Sorry for the late reply, was on vacation for a week.

It looks like no XSA-142 patch, which is "libxl fails to honour readonly flag on disks with qemu-xen" has been applied to Xen4CentOS. I assume this was on purpose? If not, I can have someone try adding the original patch from http://xenbits.xen.org/xsa/advisory-142.html and some variant of the commit from ef6cb76026628e26e3d1ae53c50ccde1c3c78b1b

On Mon, Aug 07, 2017 at 01:15:56PM +0200, Moritz Muehlenhoff wrote: > On Mon, Jul 17, 2017 at 03:58:20PM +0100, Ian Jackson wrote: > > Salvatore Bonaccorso writes ("Re: Updated Xen packages for XSA 216..225"): > > > On Tue, Jul 11, 2017 at 11:34:38PM +0200, Moritz Muehlenhoff wrote: > > > > On Mon, Jul 03, 2017 at 12:33:54PM +0100, Ian Jackson wrote: >

Xen 4.4.4 along with kernel 4.9.44 containing patches for XSAs (226 - 230) from August 15th are now available in centos-virt-testing. If possible, please test and provide feedback here so we can move these to release soon. XSA-228 did not affect Xen 4.4 XSA-229 only applies to the kernel XSA-235 disclosed today only affects ARM and isn't going to be added to these packages. Thanks. --

Hey all, just a heads-up: XSA-162 [1] was released to the public this morning at 0600 UTC. It is, however, a bug in a non-default network card with a simple work-around (don't use that network card). Since there are a large number of updates due next week, and this is a fairly low-priority one, I decided not to do a package release specifically for it, and to include all the updates (through

Hi all, Sorry for running a bit behind on security patch releases for the Xen-44 branch. As of yesterday, package version 4.4.4-28 was released for testing, which includes all relevant XSA patches through XSA-235 here: https://buildlogs.centos.org/centos/6/virt/x86_64/xen-44/ Please test and provide feedback if possible so we can get this package moved to release fairly soon. Currently in the

Hi, On Wed, Aug 23, 2017 at 04:02:46PM -0500, Kevin Stange wrote: > Xen 4.4.4 along with kernel 4.9.44 containing patches for XSAs (226 - > 230) from August 15th are now available in centos-virt-testing. If > possible, please test and provide feedback here so we can move these to > release soon. > > XSA-228 did not affect Xen 4.4 > XSA-229 only applies to the kernel >

(*Really* switching to my personal address not because I'm not doing work for Citrix, but because the corporate email is not working properly. Sigh. Also, email updated a bit.) Ian Jackson writes ("Re: Updated Xen packages for XSA 216..225"): > Ian Jackson writes ("Re: Updated Xen packages for XSA 216..225"): > > Hi. I was away and am now back. There are a lot

Hi, I am using xen 3.1.3 on a Celeron, a netbsd 4.0 dom0, and netbsd 4.0 and slackware 11 (with 2.6.18.8-xen kernel) domU''s, and a bridge to communicate between those. I noticed traffic between (both ways) netbsd dom0/domU is rather slow (4Mb/s max), and traffic from the linux domU to dom0 is about 18Mb/s, while traffic from dom0 to the linux domU is rather slow again (4Mb/s max). Any

Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"): > Yes, the distribution line should be jessie-security, but please send > a debdiff to team at security.debian.org for a quick review before > uploading (I have no idea whether dgit supports security-master). Here is the proposed debdiff (actually, a git diff) for xen in jessie. My