Hi,

Can anyone give the patch file download link for the below xen security for xen version 3.4 and 4.1? Since I couldn't find the downloadable patch file for some of the CVE's.

CVE-2012-0029 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0029> - http://lists.xen.org/archives/html/xen-devel/2012-02/msg00212.html (There is no download link for both xen 3.4 and 4.1)
CVE-2012-2934 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2934> - http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html (There is no patch file to download of xen 3.4)
CVE-2012-3432 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3432> - http://lists.xen.org/archives/html/xen-devel/2012-07/msg01649.html (There is no download link for both xen 3.4 and 4.1)
CVE-2012-3433 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3433> - http://lists.xen.org/archives/html/xen-devel/2012-08/msg00855.html (There is no download link for both xen 3.4 and 4.1)
CVE-2012-3497 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3497> - http://lists.xen.org/archives/html/xen-announce/2012-09/msg00006.html (There is no download link for patch)

Also I have some doubts for the below CVE's.

CVE-2012-3496 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3496> - Is this vulnerability affected for xen 4.x only or it does include for xen 3.4 too? Since the patch name was *xsa14-xen-3.4-and-4.x.patch* <http://lists.xen.org/archives/html/xen-announce/2012-09/bin_3Uh1V9Hnc.bin>
http://lists.xen.org/archives/html/xen-announce/2012-09/msg00002.html

CVE-2012-3516 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3516> - Shall I apply this unstable for patch for xen4.2 too?
http://lists.xen.org/archives/html/xen-announce/2012-09/msg00004.html

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
On Thu, 2012-09-06 at 09:31 +0100, kk s wrote:
> Hi,
>
> Can anyone give the patch file download link for the below xen
> security for xen version 3.4 and 4.1? Since I couldn't find the
> downloadable patch file for some of the CVE's.
>
> CVE-2012-0029 - http://lists.xen.org/archives/html/xen-devel/2012-02/msg00212.html (There is no download link for both xen 3.4 and 4.1)
> CVE-2012-2934 - http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html (There is no patch file to download of xen 3.4)
> CVE-2012-3432 - http://lists.xen.org/archives/html/xen-devel/2012-07/msg01649.html (There is no download link for both xen 3.4 and 4.1)
> CVE-2012-3433 - http://lists.xen.org/archives/html/xen-devel/2012-08/msg00855.html (There is no download link for both xen 3.4 and 4.1)

It looks to me like there are changeset references and/or patches for all of these in the advisories. You might find it easier to follow:
http://wiki.xen.org/wiki/Security_Announcements

You can also always look in the appropriate xen-X.Y-testing.hg tree for the fix.

> CVE-2012-3497 - http://lists.xen.org/archives/html/xen-announce/2012-09/msg00006.html (There is no download link for patch)

This is quite clearly explained in the advisory.

> Also I have some doubts for the below CVE's.
>
> CVE-2012-3496 - Is this vulnerability affected for xen 4.x only or it
> does include for xen 3.4 too? Since the patch name was
> xsa14-xen-3.4-and-4.x.patch
> http://lists.xen.org/archives/html/xen-announce/2012-09/msg00002.html

Yes, it looks like this affects 3.4 too.

> CVE-2012-3516 - Shall I apply this unstable for patch for xen4.2 too?
> http://lists.xen.org/archives/html/xen-announce/2012-09/msg00004.html

The advisory says "Xen-unstable, including Xen 4.2 release candidates are vulnerable to this issue.", so yes, obviously.

In the future please carefully read the advisories before asking lots of questions, almost everything you have asked is addressed in the advisory texts AFAICT.

Ian.
Hi Ian,

Thanks for your reply. Sorry to bother you with this. I am a bit confused and so I am asking to make clear myself.

Reg CVE-2012-2934 - http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html
Is Xen 3.4 too affected with this vulnerable? If so I couldn't find the patch for xen 3.4 and it does exist for xen 4.x only.

I don't know how to apply the following patches since I have created rpm with patches applied that included as downloadable file. But for these patches I am not seeing any downloadable file.

http://lists.xen.org/archives/html/xen-devel/2012-02/msg00212.html
http://lists.xen.org/archives/html/xen-devel/2012-07/msg01649.html
http://lists.xen.org/archives/html/xen-devel/2012-08/msg00855.html

If you can clear this for me that would be great :)

I hope that I am replying in correct way.

On Thu, Sep 6, 2012 at 2:26 PM, Ian Campbell <Ian.Campbell@citrix.com> wrote:
> On Thu, 2012-09-06 at 09:31 +0100, kk s wrote:
> > Hi,
> >
> > Can anyone give the patch file download link for the below xen
> > security for xen version 3.4 and 4.1? Since I couldn't find the
> > downloadable patch file for some of the CVE's.
> >
> > CVE-2012-0029 - http://lists.xen.org/archives/html/xen-devel/2012-02/msg00212.html (There is no download link for both xen 3.4 and 4.1)
> > CVE-2012-2934 - http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html (There is no patch file to download of xen 3.4)
> > CVE-2012-3432 - http://lists.xen.org/archives/html/xen-devel/2012-07/msg01649.html (There is no download link for both xen 3.4 and 4.1)
> > CVE-2012-3433 - http://lists.xen.org/archives/html/xen-devel/2012-08/msg00855.html (There is no download link for both xen 3.4 and 4.1)
>
> It looks to me like there are changeset references and/or patches for
> all of these in the advisories. You might find it easier to follow:
> http://wiki.xen.org/wiki/Security_Announcements
>
> You can also always look in the appropriate xen-X.Y-testing.hg tree for
> the fix.
>
> > CVE-2012-3497 - http://lists.xen.org/archives/html/xen-announce/2012-09/msg00006.html (There is no download link for patch)
>
> This is quite clearly explained in the advisory.
>
> > Also I have some doubts for the below CVE's.
> >
> > CVE-2012-3496 - Is this vulnerability affected for xen 4.x only or it
> > does include for xen 3.4 too? Since the patch name was
> > xsa14-xen-3.4-and-4.x.patch
> > http://lists.xen.org/archives/html/xen-announce/2012-09/msg00002.html
>
> Yes, it looks like this affects 3.4 too.
>
> > CVE-2012-3516 - Shall I apply this unstable for patch for xen4.2 too?
> > http://lists.xen.org/archives/html/xen-announce/2012-09/msg00004.html
>
> The advisory says "Xen-unstable, including Xen 4.2 release candidates
> are vulnerable to this issue.", so yes, obviously.
>
> In the future please carefully read the advisories before asking lots of
> questions, almost everything you have asked is addressed in the advisory
> texts AFAICT.
>
> Ian.
On Thu, 2012-09-06 at 10:08 +0100, kk s wrote:
> Hi Ian,
>
> Thanks for your reply. Sorry to bother you with this. I am a bit
> confused and so I am asking to make clear myself.
>
> Reg CVE-2012-2934 -
> http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html
> Is Xen 3.4 too affected with this vulnerable? If so I couldn't find
> the patch for xen 3.4 and it does exist for xen 4.x only.

I expect it does affect 3.4, but only if you are running on one of the listed processors.

security@xen.org doesn't provide security support for 3.4 any more. If you aren't able to backport the 4.0 patch yourself, you would need to speak to Keith Coleman who is the 3.4 stable maintainer.

> I don't know how to apply the following patches since I have created rpm
> with patches applied that included as downloadable file. But for these
> patches I am not seeing any downloadable file.
>
> http://lists.xen.org/archives/html/xen-devel/2012-02/msg00212.html
> http://lists.xen.org/archives/html/xen-devel/2012-07/msg01649.html
> http://lists.xen.org/archives/html/xen-devel/2012-08/msg00855.html
>
> If you can clear this for me that would be great :)

I already pointed you at http://wiki.xen.org/wiki/Security_Announcements which should have all the links you need.
Hi,

It looks like the patch that has been provided on Xen Security Advisory 11 (CVE-2012-3433) doesn't apply for Xen 3.4.4. When I try to apply this patch and I am getting the below error,

1 out of 1 hunk FAILED -- saving rejects to file xen/arch/x86/mm/p2m.c.rej
1 out of 1 hunk FAILED -- saving rejects to file xen/arch/x86/mm/p2m.c.rej

Seems there is no for loop "for ( gfn=0; gfn < p2m->max_mapped_pfn; gfn++ )" on xen/arch/x86/mm/p2m.c.rej on xen3.4.4 source instead if loop only exists.

p2m.c: && (gfn + (1UL << page_order) - 1 > d->arch.p2m->max_mapped_pfn) )
p2m.c: d->arch.p2m->max_mapped_pfn = gfn + (1UL << page_order) - 1;
p2m.c: if ( gfn > d->arch.p2m->max_mapped_pfn )
p2m.c: if ( gfn <= current->domain->arch.p2m->max_mapped_pfn )
p2m.c: if ( test_linear && (gfn <= d->arch.p2m->max_mapped_pfn) )
p2m.c.orig: && (gfn + (1UL << page_order) - 1 > d->arch.p2m->max_mapped_pfn) )
p2m.c.orig: d->arch.p2m->max_mapped_pfn = gfn + (1UL << page_order) - 1;
p2m.c.orig: if ( gfn > d->arch.p2m->max_mapped_pfn )
p2m.c.orig: if ( gfn <= current->domain->arch.p2m->max_mapped_pfn )
p2m.c.orig: if ( test_linear && (gfn <= d->arch.p2m->max_mapped_pfn) )
p2m.c.rej: for ( gfn=0; gfn < p2m->max_mapped_pfn; gfn++ )
p2m.c.rej: for ( gfn=0; gfn < p2m->max_mapped_pfn; gfn++ )

So I guess this patch applicable for Xen 4.x only. If you update the patch for Xen 3.4 that would be great.

On Thu, Sep 6, 2012 at 2:43 PM, Ian Campbell <Ian.Campbell@citrix.com> wrote:
> On Thu, 2012-09-06 at 10:08 +0100, kk s wrote:
> > Hi Ian,
> >
> > Thanks for your reply. Sorry to bother you with this. I am a bit
> > confused and so I am asking to make clear myself.
> >
> > Reg CVE-2012-2934 -
> > http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html
> > Is Xen 3.4 too affected with this vulnerable? If so I couldn't find
> > the patch for xen 3.4 and it does exist for xen 4.x only.
>
> I expect it does affect 3.4, but only if you are running on one of the
> listed processors.
>
> security@xen.org doesn't provide security support for 3.4 any more. If
> you aren't able to backport the 4.0 patch yourself, you would need to
> speak to Keith Coleman who is the 3.4 stable maintainer.
>
> > I don't know how to apply the following patches since I have created rpm
> > with patches applied that included as downloadable file. But for these
> > patches I am not seeing any downloadable file.
> >
> > http://lists.xen.org/archives/html/xen-devel/2012-02/msg00212.html
> > http://lists.xen.org/archives/html/xen-devel/2012-07/msg01649.html
> > http://lists.xen.org/archives/html/xen-devel/2012-08/msg00855.html
> >
> > If you can clear this for me that would be great :)
>
> I already pointed you at http://wiki.xen.org/wiki/Security_Announcements
> which should have all the links you need.
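Added example, not part of the thread and not Xen project code: the rejected hunk reported in the last message can be triaged before an RPM build by checking whether each hunk's pre-image exists in the target tree and which context lines are absent. The patch text, both trees and `walk()` are constructed stand-ins (not the XSA-11 patch or real Xen source); the check ignores indentation and does no fuzz matching.

```python
import re

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def parse_hunks(patch_text):
    """Return [(target_path, pre_image_lines)] for each hunk of a unified diff."""
    hunks, path, pre, old_left, new_left = [], None, None, 0, 0
    for line in patch_text.splitlines():
        if old_left > 0 or new_left > 0:        # still inside a hunk body
            tag, body = line[:1], line[1:]
            if tag in (" ", "-", ""):           # context or removed line: pre-image
                pre.append(body)
                old_left -= 1
            if tag in (" ", "+", ""):           # context or added line: post-image
                new_left -= 1
            continue
        m = HUNK_RE.match(line)
        if m:
            old_left = int(m.group(2) or 1)     # a missing count means 1
            new_left = int(m.group(4) or 1)
            pre = []
            hunks.append((path, pre))
        elif line.startswith("+++ "):
            # drop the first path component, as `patch -p1` does
            path = line[4:].split("\t")[0].split("/", 1)[-1]
    return hunks

def triage(patch_text, tree):
    """tree maps path -> file text. Report, per hunk, whether its pre-image is
    present as a contiguous run (indentation ignored, no fuzz) and what is missing."""
    report = []
    for n, (path, pre) in enumerate(parse_hunks(patch_text), 1):
        if path not in tree:
            report.append({"file": path, "hunk": n, "applies": False,
                           "missing": ["<file absent>"]})
            continue
        have = [l.strip() for l in tree[path].splitlines()]
        want = [l.strip() for l in pre]
        k = len(want)
        applies = any(have[i:i + k] == want for i in range(len(have) - k + 1))
        missing = [l for l in want if l and l not in have]
        report.append({"file": path, "hunk": n, "applies": applies,
                       "missing": missing})
    return report

# Constructed stand-ins: not the XSA-11 patch and not real Xen source.
P2M = "xen/arch/x86/mm/p2m.c"
PATCH = "\n".join([
    "--- a/" + P2M,
    "+++ b/" + P2M,
    "@@ -1,3 +1,4 @@",
    "     /* constructed context */",
    "     for ( gfn=0; gfn < p2m->max_mapped_pfn; gfn++ )",
    "     {",
    "+        /* stand-in for the real change */",
])
TREE_4X = {P2M: "\n".join([          # tree that has the loop
    "    /* constructed context */",
    "    for ( gfn=0; gfn < p2m->max_mapped_pfn; gfn++ )",
    "    {", "        walk(gfn);", "    }"])}
TREE_34 = {P2M: "\n".join([          # tree that only has the if-check
    "    /* constructed context */",
    "    if ( gfn > d->arch.p2m->max_mapped_pfn )",
    "    {", "        return 0;", "    }"])}

if __name__ == "__main__":
    for name, tree in (("4.x-like", TREE_4X), ("3.4-like", TREE_34)):
        print(name, triage(PATCH, tree))
```

A hunk reported with `applies: False` and a non-empty `missing` list means the code the fix was written against is not in that tree, so the change has to be backported by hand rather than applied as-is.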