similar to: Are XSA-289, XSA-274/CVE-2018-14678 fixed ?

Looks like this never got a response from anyone. On 6/25/19 10:15 AM, Yuriy Kohut wrote: > Hello, > > Are XSA-289 and XSA-274/CVE-2018-14678 fixed with Xen recent 4.8, 4.10 and kernel 4.9.177 packages ? XSA-289 is a tricky subject. In the end, it was effectively decided that these patches were not recommended until they were reviewed again and XSA-289 has no official list of flaws

Xen 4.4.4 along with kernel 4.9.44 containing patches for XSAs (226 - 230) from August 15th are now available in centos-virt-testing. If possible, please test and provide feedback here so we can move these to release soon. XSA-228 did not affect Xen 4.4 XSA-229 only applies to the kernel XSA-235 disclosed today only affects ARM and isn't going to be added to these packages. Thanks. --

There are xen rpms in the testing repos for XSA 207 and 208 in the testing repos (xen-4.4.4-18.el6, xen-4.6.3-7.el6, xen-4.6.3-7.el7). You can enable the applicable centos-virt-xen-testing repo in your /etc/yum.repos.d/CentOS-Xen.repo file. Please report positive and negative tests to this list so we can promote the updates to the main repos. Thanks, Johnny Hughes -------------- next part

Kevin has been rolling back the security updates to the 4.4 branch. He has been working with some of the other distros (debian for sure, and some others on the xen security list). I think it is his intention to continue this for as long as he is able to. (Kevin, chime in if you have a schedule lifetime or EOL in mind) As long as Kevin (or anyone else) maintains the tree, I am happy to build

Hi, that kernel fix will be released on 6.x repo also ? I see it only on 7.x repo kernel-4.9.31-27.el7.x86_64.rpm thanks On 20/06/2017 20:15, Sarah Newman wrote: > On 06/20/2017 05:06 AM, George Dunlap wrote: >> Xen 4.6.3-15 packages for CentOS 6 and CentOS 7 are on their way >> through the build system. They should show up in centos-virt-testing >> in a few hours, and

Hi folks, Firstly; apologies in advance for what is a head wrecker of keeping on top of the speculative mitigations and also if this is a duplicate email; my first copy didn't seem to make it into the archive. Also a disclaimer that I may have misunderstood elements of the below but please bear with me. I write this hoping to find out a bit more about the state of the relevant kernel

Given the circumstances, might it make sense to offer formal advisories of some type for these to indicate when the packages going to live are for security or other reasons? On 02/17/2017 09:51 AM, Johnny Hughes wrote: > These updates have now been pushed to mirror.centos.org and you can get > them from the main repos. > > On 02/15/2017 08:27 AM, Johnny Hughes wrote: >> There

Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"): > On Thu, May 04, 2017 at 05:06:07PM +0100, Ian Jackson wrote: > > I have fixed these in stretch but the jessie package remains unfixed. > > I think I may be able to find some backports somewhere. Would that be > > useful ? Is anyone else working on this ? > >

On 03/16/2017 04:22 PM, Kevin Stange wrote: >> I still can't rest assured the NIC issue is fixed, but no 4.4 or 4.9 >> server has yet had a NIC issue, with some being up almost a full month. >> It looks promising! (I'm knocking on all the wood everywhere, though.) > > I'm ready to call this conclusive. The problems I was having across the > board seemed to

On Tue, Jan 23, 2018 at 4:50 PM, Nathan March <nathan at gt.net> wrote: > Hi, > > > Hmm.. isn't this the ldisc bug that was discussed a few months ago on > this > list, > > and a patch was applied to virt-sig kernel aswell? > > > > Call trace looks similar.. > > Good memory! I'd forgotten about that despite being the one who ran into >

Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"): > Yes, the distribution line should be jessie-security, but please send > a debdiff to team at security.debian.org for a quick review before > uploading (I have no idea whether dgit supports security-master). Here is the proposed debdiff (actually, a git diff) for xen in jessie. My

On 03/21/2017 07:48 AM, PJ Welsh wrote: > On Mon, Mar 20, 2017 at 5:21 PM, Ricardo J. Barberis > <ricardo at palmtx.com.ar <mailto:ricardo at palmtx.com.ar>> wrote: > > El Lunes 20/03/2017, PJ Welsh escribi?: > > Still just starts the kernel and wihtin 4 seconds reboots with 4.9.16-24. > > Thanks > > PJ > > Edit grub's entry

Hi, I am very sorry to do this on short notice, but obviously Meltdown and Spectre are a lot more than anyone was really expecting to come down the pipeline. Xen 4.4 has been EOL upstream for about a year now and I have personally been reviewing and backporting patches based on the 4.5 versions made available upstream. Given that 4.5 is now also reaching EOL, backporting to 4.4 will become

On 02/21/2017 11:47 AM, Johnny Hughes wrote: > On 01/23/2017 11:04 AM, Kevin Stange wrote: >> I have three different types of CentOS 6 Xen 4.4 based hypervisors (by >> hardware) that are experiencing stability issues which I haven't been >> able to track down. All three types seem to be having issues with NIC >> and/or PCIe. In most cases, the issues are

Ian Jackson writes ("64bit PV guest breakout [XSA-213]"): > Source: xen > Version: 4.4.1-9 > Severity: important > Tags: security upstream fixed-upstream > > See > https://xenbits.xen.org/xsa/advisory-213.html Ian Jackson writes ("grant transfer allows PV guest to elevate privileges [XSA-214]"): > Source: xen > Version: 4.4.1-9 > Severity:

On Tue, Jan 24, 2017 at 09:29:39PM +0800, -=X.L.O.R.D=- wrote: > Kevin Stange, > It can be either kernel or update the NIC driver or firmware of the NIC > card. Hope that helps! > > Xlord > -----Original Message----- > From: CentOS-virt [mailto:centos-virt-bounces at centos.org] On Behalf Of Kevin > Stange > Sent: Tuesday, January 24, 2017 1:04 AM > To: centos-virt

Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"): > On Thu, May 04, 2017 at 05:59:18PM +0100, Ian Jackson wrote: > > Should I put jessie-security in the debian/changelog and dgit push it > > (ie, from many people's pov, dput it) ? > > Yes, the distribution line should be jessie-security, but please send > a

Dear Security Team, I have prepared a new upload addressing a number of open security issues in Xen. Due to the complexity of the patches that address XSA-273 [0] the packages have been built from upstream's staging-4.8 / staging-4.10 branch again as recommended in that advisory. Commits on those branches are restricted to those that address the following XSAs (cf. [1]): - XSA-273

Moritz M?hlenhoff writes ("Re: Updated Xen packages for XSA 216..225"): > Since the queue was already quite big and this update was ready > I went ahead and released what we had for now. Yes, sorry, I should have been explicit that that's what I expected you to do... Ian.

On 01/27/2017 06:08 AM, Karel Hendrych wrote: > Have you tried to eliminate all power management features all over? I've been trying to find and disable all power management features but having relatively little luck with that solving the problems. Stabbing the the dark I've tried different ACPI settings, including completely disabling it, disabling CPU frequency scaling, and setting