Steven Timm
2007-Oct-01 17:17 UTC
[Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable
Does anyone know if the Xen 3.1.0 kernels as distributed in the "open source" tarballs (x86_64 version) are vulnerable to the recently-announced vulnerability CVE-2007-4573? If so, is there any plan to release patched tarballs anytime soon?

Thanks

Steve Timm

--
------------------------------------------------------------------
Steven C. Timm, Ph.D (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities, Grid Facilities Department, FermiGrid Services Group, Assistant Group Leader.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Itamar Reis Peixoto
2007-Oct-02 17:11 UTC
Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable
I am happy with the Fedora devel / rawhide xen packages (they have the latest kernel) but I don't know if it is vulnerable.

I don't know if it is possible to use a 2.6.18 dom0 and a 2.6.23 xenU kernel; I believe it should be possible on 32 bit systems. Can anyone test this?

--------------------
Itamar Reis Peixoto
e-mail/msn: itamar@ispbrasil.com.br
skype: itamarjp
icq: 81053601
+55 11 4063 5033

----- Original Message -----
From: "S.Çağlar Onur" <caglar@pardus.org.tr>
To: <xen-users@lists.xensource.com>
Sent: Tuesday, October 02, 2007 5:52 PM
Subject: Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable
S.Çağlar Onur
2007-Oct-02 20:52 UTC
Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable
Hi;

On Mon, 1 Oct 2007, Steven Timm wrote:
> Does anyone know if the Xen 3.1.0 kernels as distributed in
> the "open source" tarballs (x86_64 version) are vulnerable to the
> recently-announced vulnerability CVE-2007-4573?
> IF so, is there any plan to release patched tarballs anytime soon?

Yes it is. And the currently provided tarball is also vulnerable to 30+ CVEs (because all these vulnerabilities were discovered after 2.6.18, which Xen 3.x is based on), so I suggest using your distro's provided one instead of the upstream one.

Cheers
--
S.Çağlar Onur <caglar@pardus.org.tr>
http://cekirdek.pardus.org.tr/~caglar/

Linux is like living in a teepee. No Windows, no Gates and an Apache in house!
Steven Timm
2007-Oct-03 18:12 UTC
Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable
On Tue, 2 Oct 2007, S.Çağlar Onur wrote:
> Hi;
>
> On Mon, 1 Oct 2007, Steven Timm wrote:
>> Does anyone know if the Xen 3.1.0 kernels as distributed in
>> the "open source" tarballs (x86_64 version) are vulnerable to the
>> recently-announced vulnerability CVE-2007-4573?
>> IF so, is there any plan to release patched tarballs anytime soon?
>
> Yes it is. And current provided tarball also vulnerable against ~30 CVE+
> (cause all these vulnerabilities are discovered after 2.6.18 which is Xen-3.x
> based on) so i suggest using your distros provided one instead of upstream
> one.
>
> Cheers

You suggest "using your distro-provided one" but of course Red Hat only provides Xen 3.0.3, not Xen 3.1 which I need to run 64-bit host and 32-bit (or 64-bit) clients.

Does anyone have a good recipe to merge xen 3.1.0 patches and 2.6.18-8.1.14 as distributed by RedHat and friends? x86_64 version, I mean. I know there is one there for the i386 version on the web site but there is not one for the x86_64 version.

What are people doing who are running Xen 3.1 on redhat 5 and friends, but need to stay current with the many kernel security patches?

Any help is appreciated.

Steve Timm
Fajar A. Nugraha
2007-Oct-04 01:31 UTC
Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable
Itamar Reis Peixoto wrote:
>
> You suggest "using your distro-provided one" but of course Red Hat
> only provides Xen 3.0.3, not Xen 3.1 which I need to run 64-bit host
> and 32-bit (or 64-bit) clients.
>
> NO, TRY FEDORA 8 / RAWHIDE WITH LASTED XEN 3.1
>

I believe kernels compiled for xen 3.0.3 can run on xen 3.1. So if you use:
- Xen 3.1
- RHEL5 as domU or dom0
- same 64-bit or 32-bit for Xen/dom0/domU

then you can use RHEL kernels.

When you need to run 32 bit domU on the above scenario, I'd prefer to use 64-bit RHEL kernel with 32 bit userland.

Regards,

Fajar
Steven Timm
2007-Oct-04 01:46 UTC
Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable
On Thu, 4 Oct 2007, Fajar A. Nugraha wrote:
> Itamar Reis Peixoto wrote:
>>
>> You suggest "using your distro-provided one" but of course Red Hat
>> only provides Xen 3.0.3, not Xen 3.1 which I need to run 64-bit host
>> and 32-bit (or 64-bit) clients.
>>
>> NO, TRY FEDORA 8 / RAWHIDE WITH LASTED XEN 3.1
>>
> I believe kernels compiled for xen 3.0.3 can run on xen 3.1. So if you use :
> - Xen 3.1
> - RHEL5 as domU or dom0
> - same 64-bit or 32-bit for Xen/dom0/domU
>
> then you can use RHEL kernels.
> When you need to run 32 bit domU on the above scenario, I'd prefer to
> use 64-bit RHEL kernel with 32 bit userland.
>
> Regards,
>
> Fajar
>

I guess what I am really trying to get at is the following: What, if anything, of the Xen code base is built into the kernel rpms that redhat 5 and friends distribute as kernel-xen (for instance, kernel-xen-2.6.18-8.1.14.el5, just released to patch the vulnerability that started this thread). Is there anything that's version specific? Is there anything that ties it to xen 3.0.3? How can I look at the kernel config files and tell the difference, if necessary?

I went and got the kernels from xensource that were compiled with xen 3.1.0 because people on this list told me that this was required to do what I wanted to do, namely 64bit dom0 plus 32bit PAE domU's. I understand that a xen 3.0.3-compiled kernel could be a domU in this setup but not a dom0. Is this understanding wrong?

Steve Timm
Fajar A. Nugraha
2007-Oct-04 03:41 UTC
Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable
Steven Timm wrote:
> On Thu, 4 Oct 2007, Fajar A. Nugraha wrote:
>
>> I believe kernels compiled for xen 3.0.3 can run on xen 3.1. So if
>> you use :
>> - Xen 3.1
>> - RHEL5 as domU or dom0
>> - same 64-bit or 32-bit for Xen/dom0/domU
>>
>> then you can use RHEL kernels.
>> When you need to run 32 bit domU on the above scenario, I'd prefer to
>> use 64-bit RHEL kernel with 32 bit userland.
>>
>> Regards,
>>
>> Fajar
>>
>
> I guess what I am really trying to get at is the following:
> What, if anything, of the Xen code base is built into
> the kernel rpms that redhat 5 and friends distribute as kernel-xen
> (for instance, kernel-xen-2.6.18-8.1.14.el5, just released
> to patch the vulnerability that started this thread).

Since you're talking about kernel vulnerabilities, you can look at kernel-2.6.18-8.1.14.el5.src.rpm. In particular, look at the Changelog and Patch, and you'll see something like

Patch21263: linux-2.6-x86_64-entry-path-zero-extend-all-registers-after-ptrace.patch

%changelog
* Tue Sep 25 2007 Don Howard <dhoward@redhat.com> [2.6.18-8.1.14.el5]
- Revert changes back to 2.6.18-8.1.10.
- [x86_64] Zero extend all registers after ptrace in 32bit entry path (Anton Arapov ) [297871] {CVE-2007-4573}

It's not Xen-specific, so in regards to this vulnerability nothing from the Xen codebase is involved.

> Is there anything that's version specific? Is there anything
> that ties it to xen 3.0.3?

Source1: xen-%{xen_hv_cset}.tar.bz2

In theory, since the Xen-3.1 kernel is also based on 2.6.18, you PROBABLY could change this one with sources from Xen-3.1, and rebuild the .src.rpm. Haven't tried it though.

> How can I look at the kernel config
> files and tell the difference, if necessary?
>
> I went and got the kernels from xensource that were compiled with
> xen 3.1.0

Or you could try it the other way around. Use Xen's source tarball, apply RH's kernel patches, and compile it.

> because people on this list told me that this was required
> to do what I wanted to do, namely 64bit dom0 plus 32bit PAE domU's.
> I understand that a xen 3.0.3-compiled kernel could be a domU in this
> setup but not a dom0. Is this understanding wrong?
>

RH kernels can run on xen 3.0.3 or xen 3.1, for dom0 or domU, as long as they're the same bits (e.g. all 64 bit, or all 32bit). Using the vendor kernel has the advantage that they will provide ready-to-use security updates.

Note, however, that xen.gz is included in kernel-xen. This has some implications :
- On dom0, this means that if you want to use RHEL5 kernel-xen on xen 3.1, you have to manually edit grub.conf to use xen.gz from xen 3.1 instead of the one from kernel-xen.
- On domU, generally you don't have to care what dom0 is running. Whether xen 3.0.3 or xen 3.1, you can continue to use RH's kernel-xen.

If you want to use 32bit PAE domU on 64 bit xen/dom0, then you HAVE to use xen 3.1 domU kernel. Generally I wouldn't bother, I'd simply use 64-bit kernel with 32-bit userland instead.

Regards,

Fajar
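The two checks Fajar's reply implies, written up as an added example that is not part of the thread and not Red Hat's or Xen's own tooling: first, does the installed kernel-xen's RPM changelog actually claim the fix for a given CVE (Red Hat marks fixes as {CVE-yyyy-nnnn} in the %changelog, as quoted above); second, since kernel-xen ships its own xen.gz, which hypervisor image does each grub.conf entry really boot. Both helpers read stdin, so they run offline on the constructed samples below and on live data (`rpm -q --changelog kernel-xen`, `/boot/grub/grub.conf`). The changelog's second entry and all grub paths are invented for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Audit helpers for a dom0 running
# RHEL's kernel-xen under a separately built Xen hypervisor. Live usage:
#   rpm -q --changelog kernel-xen | changelog_has_cve CVE-2007-4573
#   grub_xen_map < /boot/grub/grub.conf

# Constructed sample of `rpm -q --changelog kernel-xen` output. The first
# entry mirrors the lines quoted in the thread; the second is filler.
SAMPLE_CHANGELOG='* Tue Sep 25 2007 Don Howard <dhoward@redhat.com> [2.6.18-8.1.14.el5]
- Revert changes back to 2.6.18-8.1.10.
- [x86_64] Zero extend all registers after ptrace in 32bit entry path
  (Anton Arapov ) [297871] {CVE-2007-4573}
* Thu Sep 13 2007 Don Howard <dhoward@redhat.com> [2.6.18-8.1.13.el5]
- unrelated change (constructed filler entry)'

# changelog_has_cve CVE-ID: print the release tag of the first changelog
# entry whose text names the CVE as {CVE-ID}; exit 1 if no entry does.
# Each "* <date> <packager> [<release>]" line starts a new entry, so the
# release tag is remembered until the next header.
changelog_has_cve() {
    awk -v cve="$1" '
        /^\* / { rel = $NF; rel = substr(rel, 2, length(rel) - 2) }
        index($0, "{" cve "}") > 0 { print rel; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# Constructed grub.conf fragment (assumption: paths are illustrative).
# Entry 0 boots a separately installed Xen 3.1 image; entry 1 boots the
# xen.gz that ships inside RHEL's kernel-xen package.
SAMPLE_GRUB='default=0
timeout=5
title RHEL5 dom0 on Xen 3.1
        root (hd0,0)
        kernel /xen-3.1.gz dom0_mem=512M
        module /vmlinuz-2.6.18-8.1.14.el5xen ro root=/dev/VolGroup00/LogVol00
        module /initrd-2.6.18-8.1.14.el5xen.img
title RHEL5 dom0 stock
        root (hd0,0)
        kernel /xen.gz-2.6.18-8.1.14.el5
        module /vmlinuz-2.6.18-8.1.14.el5xen ro root=/dev/VolGroup00/LogVol00
        module /initrd-2.6.18-8.1.14.el5xen.img'

# grub_xen_map: print one line per boot entry as
# "<index> <hypervisor image> <dom0 kernel>", index matching grub's
# "default=" numbering (first title is 0). Under Xen the "kernel" line is
# the hypervisor and the first vmlinuz "module" line is the dom0 kernel.
grub_xen_map() {
    awk '
        /^title/ { if (n > 0) print n - 1, hv, k; n++; hv = "-"; k = "-" }
        /^[ \t]*kernel[ \t]/ { hv = $2 }
        /^[ \t]*module[ \t]/ && $2 ~ /vmlinuz/ { k = $2 }
        END { if (n > 0) print n - 1, hv, k }
    '
}

# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_has_cve CVE-2007-4573 \
    && echo "CVE-2007-4573 fix listed in changelog" \
    || echo "CVE-2007-4573 fix NOT listed in changelog"
printf '%s\n' "$SAMPLE_GRUB" | grub_xen_map
```

grub.conf only tells you what the next boot will load; for the hypervisor that is running now, `xm info` reports xen_major, xen_minor and xen_extra, and comparing that against the grub map catches the case where kernel-xen's own xen.gz was booted by accident after a package update rewrote the entry.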
Steven Timm
2007-Oct-04 04:13 UTC
Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable
> Steven Timm wrote:
>> On Thu, 4 Oct 2007, Fajar A. Nugraha wrote:
>>
>>> I believe kernels compiled for xen 3.0.3 can run on xen 3.1. So if
>>> you use :
>>> - Xen 3.1
>>> - RHEL5 as domU or dom0
>>> - same 64-bit or 32-bit for Xen/dom0/domU
>>>
>>> then you can use RHEL kernels.
>>> When you need to run 32 bit domU on the above scenario, I'd prefer to
>>> use 64-bit RHEL kernel with 32 bit userland.
>>>
>>> Regards,
>>>
>>> Fajar
>>>
>>
>> I guess what I am really trying to get at is the following:
>> What, if anything, of the Xen code base is built into
>> the kernel rpms that redhat 5 and friends distribute as kernel-xen
>> (for instance, kernel-xen-2.6.18-8.1.14.el5, just released
>> to patch the vulnerability that started this thread).
>
> Since you're talking about kernel vulnerabilities, you can look at
> kernel-2.6.18-8.1.14.el5.src.rpm. In particular, look at the
> Changelog and Patch, and you'll see something like
>
> Patch21263:
> linux-2.6-x86_64-entry-path-zero-extend-all-registers-after-ptrace.patch
>
> %changelog
> * Tue Sep 25 2007 Don Howard <dhoward@redhat.com> [2.6.18-8.1.14.el5]
> - Revert changes back to 2.6.18-8.1.10.
> - [x86_64] Zero extend all registers after ptrace in 32bit entry path
> (Anton Arapov ) [297871] {CVE-2007-4573}
>
> It's not Xen-specific, so in regards to this vulnerability nothing from
> the Xen codebase is involved.
>
>> Is there anything that's version specific? Is there anything
>> that ties it to xen 3.0.3?
> Source1: xen-%{xen_hv_cset}.tar.bz2
>
> In theory, since Xen-3.1 kernel is also based on 2.6.18, you PROBABLY
> could change this one with sources from Xen-3.1, and rebuild the
> .src.rpm. Haven't tried it though.

Thanks...this clarifies my questions. If anyone on the list has tried it, please let me know. Or if anyone knows if there are any plans to patch the stuff that's on the xen.xensource.com downloads page, either tarballs, or rpms, let me know too.

Steve

>> How can I look at the kernel config
>> files and tell the difference, if necessary?
>>
>> I went and got the kernels from xensource that were compiled with
>> xen 3.1.0
> Or you could try it the other way around. Use Xen's source tarball,
> apply RH's kernel patches, and compile it.
>
>> because people on this list told me that this was required
>> to do what I wanted to do, namely 64bit dom0 plus 32bit PAE domU's.
>> I understand that a xen 3.0.3-compiled kernel could be a domU in this
>> setup but not a dom0. Is this understanding wrong?
>>
> RH kernels can run on xen 3.0.3 or xen 3.1, for dom0 or domU, as long as
> they're the same bits (e.g all 64 bit, or all 32bit). Using vendor kernel
> has the advantage that they will provide ready-to-use security updates.
>
> Note, however, that xen.gz is included in kernel-xen. This has some
> implications :
> - On dom0, this means that if you want to use RHEL5 kernel-xen on xen
> 3.1, you have to manually edit grub.conf to use xen.gz from xen 3.1
> instead of the one from kernel-xen.
> - On domU, generally you don't have to care what dom0 is running.
> Whether xen 3.0.3 or xen 3.1, you can continue to use RH's kernel-xen.
>
> If you want to use 32bit PAE domU on 64 bit xen/dom0, then you HAVE to
> use xen 3.1 domU kernel. Generally I wouldn't bother, I'd simply use
> 64-bit kernel with 32-bit userland instead.
>
> Regards,
>
> Fajar
Itamar Reis Peixoto
2007-Oct-04 14:41 UTC
Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable
>> Hi;
>>
>> On Mon, 1 Oct 2007, Steven Timm wrote:
>>> Does anyone know if the Xen 3.1.0 kernels as distributed in
>>> the "open source" tarballs (x86_64 version) are vulnerable to the
>>> recently-announced vulnerability CVE-2007-4573?
>>> IF so, is there any plan to release patched tarballs anytime soon?
>>
>> Yes it is. And current provided tarball also vulnerable against ~30 CVE+
>> (cause all these vulnerabilities are discovered after 2.6.18 which is
>> Xen-3.x
>> based on) so i suggest using your distros provided one instead of upstream
>> one.
>>
>> Cheers
>
> You suggest "using your distro-provided one" but of course Red Hat
> only provides Xen 3.0.3, not Xen 3.1 which I need to run 64-bit host
> and 32-bit (or 64-bit) clients.

NO, TRY FEDORA 8 / RAWHIDE WITH LATEST XEN 3.1

> Does anyone have a good recipe to merge xen 3.1.0 patches and
> 2.6.18-8.1.14 as distributed by RedHat and friends? x86_64 version,
> I mean. I know there is one there for the i386 version on the web
> site but there is not one for the x86_64 version.
>
> What are people doing who are running Xen 3.1 on redhat 5 and friends,
> but need to stay current with the many kernel security patches?
>
> Any help is appreciated.
>
> Steve Timm
Mark Williamson
2007-Oct-05 02:01 UTC
Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable
> I am happy with the fedora devel / rawhide xen packages (he have the lasted
> kernel)
>
> but I dont know if is vulnerable.
>
>
> I don't know if is possible to use a 2.6.18 dom0 and a 2.6.23 xenU kernel ,
> I belive should be possible in 32 bit systems, can anyone test this ?

That should work fine. In general you can expect newer xenU kernels to run on older Xen, so long as they include compatibility with older Xen releases.

The dom0 kernel version shouldn't really matter much these days, since Xen and the tools can be upgraded independently of it.

Cheers,
Mark

--
Dave: Just a question. What use is a unicyle with no seat? And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!
Mark Williamson
2007-Oct-05 02:04 UTC
Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable
>> You suggest "using your distro-provided one" but of course Red Hat
>> only provides Xen 3.0.3, not Xen 3.1 which I need to run 64-bit host
>> and 32-bit (or 64-bit) clients.
>>
>> NO, TRY FEDORA 8 / RAWHIDE WITH LASTED XEN 3.1
>
> I believe kernels compiled for xen 3.0.3 can run on xen 3.1. So if you use :
> - Xen 3.1
> - RHEL5 as domU or dom0
> - same 64-bit or 32-bit for Xen/dom0/domU
>
> then you can use RHEL kernels.

Yes, that should work.

> When you need to run 32 bit domU on the above scenario, I'd prefer to
> use 64-bit RHEL kernel with 32 bit userland.

In PV mode you can run 32-bit PAE guest kernels (as long as either your Xen and / or kernels are new enough for this feature) directly on a 64-bit HV, so this configuration shouldn't be necessary anymore. Obviously, in HVM you can still run anything "equal or less than" the host Xen's memory model.

Cheers,
Mark
Mark Williamson
2007-Oct-05 02:10 UTC
Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable
> I guess what I am really trying to get at is the following:
> What, if anything, of the Xen code base is built into
> the kernel rpms that redhat 5 and friends distribute as kernel-xen
> (for instance, kernel-xen-2.6.18-8.1.14.el5, just released
> to patch the vulnerability that started this thread).
> Is there anything that's version specific? Is there anything
> that ties it to xen 3.0.3? How can I look at the kernel config
> files and tell the difference, if necessary?

For a long time, Xen, dom0's kernel and the dom0 tools had to be compiled from the same source tree in order to work together. Some time after Xen 3.0.3 (the 3.0.4 release if I recall correctly) the dom0 kernel was decoupled from this, so that from that point on you could use any released dom0 kernel with any subsequent version of Xen and the tools. However, you will not necessarily get full functionality unless you use a new enough dom0 kernel.

In short: that kernel probably needs to be matched with a 3.0.3 Xen and tools in order for things to work properly.

> I went and got the kernels from xensource that were compiled with
> xen 3.1.0 because people on this list told me that this was required
> to do what I wanted to do, namely 64bit dom0 plus 32bit PAE domU's.

I think that was probably me :-)

> I understand that a xen 3.0.3-compiled kernel could be a domU in this
> setup but not a dom0. Is this understanding wrong?

It definitely couldn't be a dom0.

Actually, a 3.0.3 kernel quite possibly wouldn't boot in 32-bit mode on a 64-bit Xen from the 3.1 release. That's because of a fix that hadn't yet been pushed at release time - when 3.1 came out, your 32-bit compat mode kernel needed to be a recent one or it wouldn't work. The compatibility for older kernels was added later, so it'll be in xen-unstable and I guess it'll probably be in 3.1.1.

Sorry for getting bogged down in a confusing sea of version numbers here. It's partly because the interfaces keep changing, and because which interfaces can change is also changing :-)

I'm not sure I'm in a very good state to be coherent, so I'll stop here. If I don't make sense, please ask more questions.

Cheers,
Mark
Steven Timm
2007-Oct-05 02:35 UTC
Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable
On Fri, 5 Oct 2007, Mark Williamson wrote:
>> I guess what I am really trying to get at is the following:
>> What, if anything, of the Xen code base is built into
>> the kernel rpms that redhat 5 and friends distribute as kernel-xen
>> (for instance, kernel-xen-2.6.18-8.1.14.el5, just released
>> to patch the vulnerability that started this thread).
>> Is there anything that's version specific? Is there anything
>> that ties it to xen 3.0.3? How can I look at the kernel config
>> files and tell the difference, if necessary?
>
> For a long time, Xen, dom0's kernel and the dom0 tools had to be compiled from
> the same source tree in order to work together. Some time after Xen 3.0.3,
> (the 3.0.4 release if I recall correctly) the dom0 kernel was decoupled from
> this, so that from that point on you could use any released dom0 kernel with
> any subsequent version of Xen and the tools. However, you will not
> necessarily get full functionality unless you use a new enough dom0 kernel.
>
> In short: that kernel probably needs to be matched with a 3.0.3 Xen and tools
> in order for things to work properly.

So is it your opinion that the solution proposed earlier in this thread, namely slapping the xen 3.1.0 hypervisor tarball into the source tree for redhat's kernel-xen in place of the xen 3.0.3 tarball, may not work? I am not necessarily tied to running redhat-like 2.6.18 kernel variants (which of course incorporate a lot of patches from much higher versions of the kernel). I'm just trying to find a model where I can have an underlying redhat-like distro and still have some sort of clear patching path for the kernel, preferably without having to do all the building of kernels from source myself.

And I am trying to figure out what other people like myself are doing, namely those who need to keep Xen 3.1.0 plus some kind of redhat working together and security-patched. Is there anyone on this list who has such a setup working at the moment?

It may be slightly off-topic for this list, but do the people who are paying the cash to Xensource for the enterprise edition get these kind of patches or do they have the same dilemma?

I'm learning a lot from this discussion and appreciate everyone's help, but hopefully someone can point me to a solution of the form "here is what I did and it works" rather than "maybe this will work."

Steve Timm

>
>> I went and got the kernels from xensource that were compiled with
>> xen 3.1.0 because people on this list told me that this was required
>> to do what I wanted to do, namely 64bit dom0 plus 32bit PAE domU's.
>
> I think that was probably me :-)
>
>> I understand that a xen 3.0.3-compiled kernel could be a domU in this
>> setup but not a dom0. Is this understanding wrong?
>
> It definitely couldn't be a dom0.
>
> Actually, a 3.0.3 kernel quite possibly wouldn't boot in 32-bit mode on a
> 64-bit Xen from the 3.1 release. That's because of a fix that hadn't yet
> been pushed at release time - when 3.1 came out, your 32-bit compat mode
> kernel needed to be a recent one or it wouldn't work. The compatibility for
> older kernels was added later, so it'll be in xen-unstable and I guess it'll
> probably be in 3.1.1.
>
> Sorry for getting bogged down in a confusing sea of version numbers here.
> It's partly because the interfaces keep changing, and because which
> interfaces can change is also changing :-)
>
> I'm not sure I'm in a very good state to be coherent, so I'll stop here. If I
> don't make sense, please ask more questions.
>
> Cheers,
> Mark
Fajar A. Nugraha
2007-Oct-05 03:09 UTC
Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable
Steven Timm wrote:
> And I am trying to figure out what other
> people like myself are doing--namely those who need to keep
> Xen 3.1.0 plus some kind of redhat working together and security-patched.
> Is there anyone on this list who has such a setup working at the moment?
>
> I'm learning a lot from this discussion and appreciate everyone's
> help, but hopefully someone can point me to a solution of the form
> "here is
> what I did and it works" rather than "maybe this will work."
>
>>> I understand that a xen 3.0.3-compiled kernel could be a domU in this
>>> setup but not a dom0. Is this understanding wrong?
>>
>> It definitely couldn't be a dom0.
>>

I'm using xen.gz and xen userland from Xen-3.1 (compiled from a modified RHEL xen .src.rpm), together with RHEL5's kernel-xen (3.0.3) for dom0, with solaris and WinXP HVM domU, and it works. This way I have to maintain the xen rpm manually (including fixing it for CVE-2007-4993, for example), but at least I can use RH's kernel rpm.

I chose this approach because :
- I want to use something with a long support lifetime for both dom0 and domU, so Fedora is not an option.
- I have little need for Xen 3.1. Most of my servers can run happily on RHEL5/Xen 3.0.3, so manually updating a small number of servers is acceptable.

If you want vendor-maintained xen and kernel, you could use Fedora 7 (or whatever distro ships with Xen 3.1) for dom0, and have RHEL5 for domU. Of course, given the limited lifetime of Fedora, you should also prepare to upgrade your dom0 with the next Fedora/RHEL when it's released.

Regards,

Fajar
Fajar A. Nugraha
2007-Oct-05 04:08 UTC
Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable
Mark Williamson wrote:
>> I understand that a xen 3.0.3-compiled kernel could be a domU in this
>> setup but not a dom0. Is this understanding wrong?
>>
>
> It definitely couldn't be a dom0.
>

And why is that? My current testing seems to work OK. Should I expect some bugs to pop out later?

> Actually, a 3.0.3 kernel quite possibly wouldn't boot in 32-bit mode on a
> 64-bit Xen from the 3.1 release. That's because of a fix that hadn't yet
> been pushed at release time - when 3.1 came out, your 32-bit compat mode
> kernel needed to be a recent one or it wouldn't work. The compatibility for
> older kernels was added later, so it'll be in xen-unstable and I guess it'll
> probably be in 3.1.1.
>

Which changeset are you referring to?

Searching for "32 compat" on http://xenbits.xensource.com/xen-unstable.hg, I found these comments which seem relevant :
- [32on64] Copy the right grant table status code back to the guest.
- [32on64 kexec] Add an explicit local branch after re-enabling paging
- 32-on-64: Fix error path where we fail to successfully switch a guest
- 32-on-64: Fix error path from memory_op() hypercall.
- Further fixes for 32on64 bit kexec.
- Fix 32on64 kexec trampoline. This was broken when Xen was modified to

all of which are also in xen-3.1-testing.hg

Regards,

Fajar
Fajar A. Nugraha
2007-Oct-05 08:04 UTC
Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable
Steven Timm wrote:
>
> I'm learning a lot from this discussion and appreciate everyone's
> help, but hopefully someone can point me to a solution of the form
> "here is
> what I did and it works" rather than "maybe this will work."
>

I have just updated my system (RHEL5) with these RPMS :
http://yum.telkom.net.id/xen/rhe5-x86_64/

SRPMS are also available :
http://yum.telkom.net.id/xen/SRPM/

This is for dom0, created from RH's .src.rpm plus xen-3.1.1-rc3 (changeset 15461) plus the little changes required to make it work. I still use RH's kernel-xen for domUs.

Regards,

Fajar
Mark Williamson
2007-Oct-06 20:49 UTC
Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable
> Mark Williamson wrote:
>>> I understand that a xen 3.0.3-compiled kernel could be a domU in this
>>> setup but not a dom0. Is this understanding wrong?
>>
>> It definitely couldn't be a dom0.
>
> And why is that?
> My current testing seems to works OK. Should I expect some bugs to
> pop-out later?

Hmmm OK. I *thought* the dom0 interface had changed again between 3.0.3 and 3.1, which would suggest that at least some things wouldn't work. Maybe I'm mistaken...

>> Actually, a 3.0.3 kernel quite possibly wouldn't boot in 32-bit mode on a
>> 64-bit Xen from the 3.1 release. That's because of a fix that hadn't yet
>> been pushed at release time - when 3.1 came out, your 32-bit compat mode
>> kernel needed to be a recent one or it wouldn't work. The compatibility
>> for older kernels was added later, so it'll be in xen-unstable and I
>> guess it'll probably be in 3.1.1.
>
> Which changeset are you refering to?
>
> Searching for "32 compat" on
> http://xenbits.xensource.com/xen-unstable.hg, I found these comments
> which seems relevant :
> - [32on64] Copy the right grant table status code back to the guest.
> - [32on64 kexec] Add an explicit local branch after re-enabling paging
> - 32-on-64: Fix error path where we fail to successfully switch a guest
> - 32-on-64: Fix error path from memory_op() hypercall.
> - Further fixes for 32on64 bit kexec.
> - Fix 32on64 kexec trampoline. This was broken when Xen was modified to

I'm not clear on exact changesets. I understand the developments were along the following lines:

First, support for 32-on-64 was added to Xen and XenLinux; now new 32-bit PAE XenLinux kernels could run on 64-bit Xen. Then Xen 3.1 was released. Then support for older 32-bit PAE XenLinux kernels was added to the tools, which previously wouldn't have been able to handle them.

> all of which are also in xen-3.1-testing.hg

The fixes I was referring to may well have gone into xen-3.1-testing.hg and would then be going into 3.1.1 when it's released.

Cheers,
Mark