Hi Everyone,

I note that Xen 3.4.4 has been released:
http://blog.xen.org/index.php/2012/01/27/xen-3-4-4-update-release/

There is something that I am confused about though. In the release announcement, it mentions one of the features of the update being:

"Security enhancements including CVE-2011-1583 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1583>"

However, the aforementioned CVE seems to only apply to other versions of Xen (3.4.x is missing in the list of vulnerable software).

While I'm obviously happy that the latest release is free of this bug, can someone please shed some light on how this bug was fixed in 3.4.4, when it wasn't supposed to be present in the first place in 3.4.3?

Also, what other security-related bugs have been fixed? Is there a list somewhere?

I think it's great that there are members out there willing to maintain the 3.4.x branch. It's very stable. Good job folks!

Cheers

On Mon, 2012-02-27 at 12:00 +0000, Jonathan Tripathy wrote:
> "Security enhancements including CVE-2011-1583"
>
> However, the aforementioned CVE seems to only apply to other versions
> of Xen (3.4.x is missing in the list of vulnerable software)
>
> While I'm obviously happy that the latest release is free of this bug,
> can someone please shed some light on how this bug was fixed in 3.4.4,
> when it wasn't supposed to be present in the first place in 3.4.3?

Given that 3.3 and 4.0 were vulnerable I think this is simply a case of 3.4 being accidentally omitted from the list.

Ian.

On 27/02/2012 12:08, Ian Campbell wrote:
> On Mon, 2012-02-27 at 12:00 +0000, Jonathan Tripathy wrote:
>> "Security enhancements including CVE-2011-1583"
>>
>> However, the aforementioned CVE seems to only apply to other versions
>> of Xen (3.4.x is missing in the list of vulnerable software)
>>
>> While I'm obviously happy that the latest release is free of this bug,
>> can someone please shed some light on how this bug was fixed in 3.4.4,
>> when it wasn't supposed to be present in the first place in 3.4.3?
> Given that 3.3 and 4.0 were vulnerable I think this is simply a case of
> 3.4 being accidentally omitted from the list.
>
> Ian.

Thanks for the reply, Ian.

Any ideas on what other security issues were fixed?

Thanks