Hi Keith,
CC: Xen-devel Mailing List

I've noticed that you seem to be a major contributor with regards to keeping the 3.4.x branch updated with backported security patches. As Xen security is a high priority, I hope you don't mind me discussing with you whether some CVEs are backported or not. I really appreciate your time to read this email. Of course, the rest of the list can chime in as always!

CVE-2011-2901:
http://www.openwall.com/lists/oss-security/2011/09/02/2

The patch performs the following:
- (((unsigned long)(addr)< (1UL<<48)) || \
+ (((unsigned long)(addr)< (1UL<<47)) || \

I see that the Xen security advisory says that only hypervisors 3.3 or earlier are affected. However, I note that in later versions of Xen, the line changed in the patch remains untouched. Any ideas why this is the case?

Additionally, Redhat in their advisories claim to fix this issue in their kernel update. How can this be, given that this is a Xen hypervisor issue?

CVE-2011-1898
http://old-list-archives.xen.org/archives/html/xen-devel/2011-05/msg00687.html

Any idea when this can be backported to 3.4.x? I see that this has made it to the 4.1-testing stable branch.

CVE-2012-0029
http://seclists.org/oss-sec/2012/q1/360

Maybe this is currently impossible to get going on the 3.4.x branch as the upstream qemu trees don't have a 3.4.x Xen patch for this?

CVE-2011-1166
https://bugzilla.redhat.com/show_bug.cgi?id=688579
http://xenbits.xen.org/hg/staging/xen-unstable.hg/rev/c79aae866ad8

Again, this doesn't appear to be backported to 3.4.x; however, I note that Red Hat claim to have fixed this in their kernel version. This is where I get confused again. How can a hypervisor issue be fixed in the kernel??

Once again, I really appreciate your time, and I'm very sorry if I'm wasting it!

Thanks,
Jonathan

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
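Review bot: the quoted hunk stops at the trailing "|| \" line continuation, so the second operand that the tightened bound (1UL<<47 instead of 1UL<<48) is OR-ed with is not shown and the complete address check cannot be reviewed from this fragment; please quote the full macro. Since the whole fix is a change to a bare shift constant, it would also help to give the limit a named constant or a one-line comment stating which address range it is meant to bound, so the intent survives the next time someone compares this line across branches (the thread already notes it reads differently in later Xen versions).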
On Wed, Feb 29, 2012 at 6:36 AM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> CVE-2011-1166
> https://bugzilla.redhat.com/show_bug.cgi?id=688579
> http://xenbits.xen.org/hg/staging/xen-unstable.hg/rev/c79aae866ad8
>
> Again, this doesn't appear to be backported to 3.4.x, however I note that
> Red Hat claim to have fixed this in their kernel version. This is where I
> get confused again. How can a hypervisor issue be fixed in the kernel??

Redhat bundles the hypervisor (xen.gz) as part of their kernel-xen rpm, while the xen rpm only contains the userland part. So if you have three different versions of the kernel-xen rpm installed, you'd have three versions of the hypervisor.

--
Fajar
On 28/02/2012 23:47, Fajar A. Nugraha wrote:
> On Wed, Feb 29, 2012 at 6:36 AM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
>> CVE-2011-1166
>> https://bugzilla.redhat.com/show_bug.cgi?id=688579
>> http://xenbits.xen.org/hg/staging/xen-unstable.hg/rev/c79aae866ad8
>>
>> Again, this doesn't appear to be backported to 3.4.x, however I note that
>> Red Hat claim to have fixed this in their kernel version. This is where I
>> get confused again. How can a hypervisor issue be fixed in the kernel??
> Redhat bundles the hypervisor (xen.gz) as part of their kernel-xen
> rpm, while xen rpm only contains the userland part. So if you have
> three different versions of kernel-xen rpm installed, you'd have three
> versions of hypervisors.

Interesting!

What we currently do is use CentOS's kernel-xen purely for the Linux kernel; however, we use the xen.gz (3.4.x) image from GitCo. Is this bad? It's been a very stable combination for us.

I take it this means, for my security concerns, that I have to rely on what has been backported to the 3.4.x branch in xenbits, as I'm not using Red Hat's backports?

Sorry that I'm a bit confused here.
On Wed, Feb 29, 2012 at 6:51 AM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
>
> On 28/02/2012 23:47, Fajar A. Nugraha wrote:
>>
>> On Wed, Feb 29, 2012 at 6:36 AM, Jonathan Tripathy <jonnyt@abpni.co.uk>
>> wrote:
>>>
>>> CVE-2011-1166
>>> https://bugzilla.redhat.com/show_bug.cgi?id=688579
>>> http://xenbits.xen.org/hg/staging/xen-unstable.hg/rev/c79aae866ad8
>>>
>>> Again, this doesn't appear to be backported to 3.4.x, however I note that
>>> Red Hat claim to have fixed this in their kernel version. This is where I
>>> get confused again. How can a hypervisor issue be fixed in the kernel??
>>
>> Redhat bundles the hypervisor (xen.gz) as part of their kernel-xen
>> rpm, while xen rpm only contains the userland part. So if you have
>> three different versions of kernel-xen rpm installed, you'd have three
>> versions of hypervisors.
>
> Interesting!
>
> What we currently do is use CentOS's kernel-xen purely for the Linux Kernel,
> however we use the xen.gz (3.4.x) image from GitCo. Is this bad?

It depends :)

> It's been a
> very stable combination for us.
>
> I take it this means, for my security concerns, that I have to rely on what
> has been backported to the 3.4.x branch in xenbits, as I'm not using Red
> Hat's backports?

You could take a look at what Redhat has done, and see if you can integrate the patches into GitCo's RPM.

If you only use the block device backend (i.e. phy:/), it might be easier to just switch to xen-4.1.2 + the latest upstream kernel (e.g. using the kernel-ml 3.x rpm from elrpo.org). That way you can easily apply the latest security patches yourself, without having to backport them.

--
Fajar
On Tue, 2012-02-28 at 23:36 +0000, Jonathan Tripathy wrote:
> Hi Keith,

On a related note, it would be very useful if http://wiki.xen.org/wiki/Security_Announcements could be updated when security fixes corresponding to Xen.org security vulnerability disclosures are added to the 3.4 branch. Keith, can you do that? If not, then if you drop me a line each time I'll take care of it for you.

> CVE-2011-2901:
> http://www.openwall.com/lists/oss-security/2011/09/02/2
>
> The patch performs the following:
> - (((unsigned long)(addr) < (1UL<<48)) || \
> + (((unsigned long)(addr) < (1UL<<47)) || \
>
> I see that the Xen security advisory says that only hypervisors 3.3 or
> earlier are affected. However, I note that in later versions of Xen,
> the line changed in the patch remains untouched. Any ideas why this is
> the case?

The problem has been fixed in xen-unstable. However, only 3.3 and earlier were actually vulnerable due to the issue, and so it has not been backported to the stable branches.

[...]

I've left the others for Keith to comment on as 3.4 maintainer.

Ian
On Wed, Feb 29, 2012 at 4:53 AM, Ian Campbell <Ian.Campbell@citrix.com> wrote:
> On Tue, 2012-02-28 at 23:36 +0000, Jonathan Tripathy wrote:
>> Hi Keith,

Jonathan,

Thank you for bringing up these issues. I will resolve them.

>
> On a related note it would be very useful if
> http://wiki.xen.org/wiki/Security_Announcements could be updated when
> security fixes corresponding to Xen.org security vulnerability
> disclosures are added to the 3.4 branch. Keith, can you do that? If not
> then if you drop me a line each time I'll take care of it for you.
>

Certainly!

--
Keith Coleman
On 01/03/2012 11:40, Keith Coleman wrote:
> On Wed, Feb 29, 2012 at 4:53 AM, Ian Campbell <Ian.Campbell@citrix.com> wrote:
>> On Tue, 2012-02-28 at 23:36 +0000, Jonathan Tripathy wrote:
>>> Hi Keith,
> Jonathan,
>
> Thank you for bringing up these issues. I will resolve them.
>
>> On a related note it would be very useful if
>> http://wiki.xen.org/wiki/Security_Announcements could be updated when
>> security fixes corresponding to Xen.org security vulnerability
>> disclosures are added to the 3.4 branch. Keith, can you do that? If not
>> then if you drop me a line each time I'll take care of it for you.
>>
> Certainly!
>
> --
> Keith Coleman

Hi Keith,

Is there any update regarding the issue of backporting a few patches, as per my post from February? The CVEs in question are:

CVE-2011-2901
CVE-2011-1898
CVE-2012-0029
CVE-2011-1166

I'm also guessing that 3.4.5 will be released very soon, due to the recent CVEs (http://lists.xen.org/archives/html/xen-announce/2012-06/)?

I appreciate your time.

Many Thanks,
Jonathan