Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214

Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214

Ian Jackson-11
Ian Jackson writes ("64bit PV guest breakout [XSA-213]"):
> Source: xen
> Version: 4.4.1-9
> Severity: important
> Tags: security upstream fixed-upstream
>
> See
>   https://xenbits.xen.org/xsa/advisory-213.html

Ian Jackson writes ("grant transfer allows PV guest to elevate privileges [XSA-214]"):
> Source: xen
> Version: 4.4.1-9
> Severity: important
> Tags: security upstream fixed-upstream
>
> See
>   https://xenbits.xen.org/xsa/advisory-214.html

I have fixed these in stretch but the jessie package remains unfixed.
I think I may be able to find some backports somewhere.  Would that be
useful ?  Is anyone else working on this ?

Ian.

Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214

Moritz Mühlenhoff-2
On Thu, May 04, 2017 at 05:06:07PM +0100, Ian Jackson wrote:

> Ian Jackson writes ("64bit PV guest breakout [XSA-213]"):
> > Source: xen
> > Version: 4.4.1-9
> > Severity: important
> > Tags: security upstream fixed-upstream
> >
> > See
> >   https://xenbits.xen.org/xsa/advisory-213.html
>
> Ian Jackson writes ("grant transfer allows PV guest to elevate privileges [XSA-214]"):
> > Source: xen
> > Version: 4.4.1-9
> > Severity: important
> > Tags: security upstream fixed-upstream
> >
> > See
> >   https://xenbits.xen.org/xsa/advisory-214.html
>
> I have fixed these in stretch but the jessie package remains unfixed.
> I think I may be able to find some backports somewhere.  Would that be
> useful ?  Is anyone else working on this ?

Yes, please!

Cheers,
        Moritz

Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214

Ian Jackson-11
Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"):
> On Thu, May 04, 2017 at 05:06:07PM +0100, Ian Jackson wrote:
> > I have fixed these in stretch but the jessie package remains unfixed.
> > I think I may be able to find some backports somewhere.  Would that be
> > useful ?  Is anyone else working on this ?
>
> Yes, please!

Working on it now.  What shall I do with my resulting package ?

Should I put jessie-security in the debian/changelog and dgit push it
(ie, from many people's pov, dput it) ?

Ian.

Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214

Moritz Mühlenhoff-2
On Thu, May 04, 2017 at 05:59:18PM +0100, Ian Jackson wrote:

> Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"):
> > On Thu, May 04, 2017 at 05:06:07PM +0100, Ian Jackson wrote:
> > > I have fixed these in stretch but the jessie package remains unfixed.
> > > I think I may be able to find some backports somewhere.  Would that be
> > > useful ?  Is anyone else working on this ?
> >
> > Yes, please!
>
> Working on it now.  What shall I do with my resulting package ?
>
> Should I put jessie-security in the debian/changelog and dgit push it
> (ie, from many people's pov, dput it) ?

Yes, the distribution line should be jessie-security, but please send
a debdiff to [hidden email] for a quick review before
uploading (I have no idea whether dgit supports security-master).

Cheers,
        Moritz
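The reply above fixes two points of the security-upload procedure: the first changelog stanza must name the jessie-security suite, and a debdiff goes to the security team for review before anything is uploaded. The following POSIX sh snippet is an added example, not code from the thread or from the Debian xen package: it parses the first stanza of a debian/changelog the way a pre-upload sanity check would and confirms the target suite, so a wrong distribution line is caught before the debdiff is even sent. The changelog text is constructed for illustration; the version suffix (+deb8u1), the maintainer address and the timestamp are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): pre-upload check that the first
# debian/changelog stanza targets the expected suite.

# Constructed changelog for a jessie security upload.  The base version
# 4.4.1-9 is the one named in the bug; the +deb8u1 suffix, maintainer and
# date are placeholders, not values from the thread.
CHANGELOG='xen (4.4.1-9+deb8u1) jessie-security; urgency=high

  * Backport upstream fixes for XSA-213 and XSA-214 (Closes: #861659).

 -- Example Maintainer <maintainer@example.org>  Thu, 04 May 2017 18:00:00 +0100
'

# The same stanza with the mistake the review is meant to catch: a
# distribution line left at "unstable" instead of the security suite.
BAD_CHANGELOG='xen (4.4.1-9+deb8u1) unstable; urgency=high

  * Backport upstream fixes for XSA-213 and XSA-214 (Closes: #861659).

 -- Example Maintainer <maintainer@example.org>  Thu, 04 May 2017 18:00:00 +0100
'

# Print the distribution field of the first stanza, i.e. the word(s)
# between the parenthesised version and the ';' (what
# "dpkg-parsechangelog -S Distribution" reports for a real package).
changelog_distribution() {
    printf '%s\n' "$1" | {
        read -r _pkg _ver rest
        printf '%s\n' "${rest%%;*}"
    }
}

# Print the upstream+Debian version from the first stanza, with the
# surrounding parentheses stripped.
changelog_version() {
    printf '%s\n' "$1" | {
        read -r _pkg ver _rest
        ver=${ver#\(}
        printf '%s\n' "${ver%\)}"
    }
}

# Return 0 when the first stanza targets the suite given as $2, 1 otherwise.
check_suite() {
    [ "$(changelog_distribution "$1")" = "$2" ]
}

# Stand-alone run: report both changelogs against the security suite.
for entry in "$CHANGELOG" "$BAD_CHANGELOG"; do
    if check_suite "$entry" jessie-security; then
        echo "ok: $(changelog_version "$entry") targets jessie-security"
    else
        echo "refuse upload: distribution is '$(changelog_distribution "$entry")', expected jessie-security"
    fi
done
```

The check deliberately reads only the first stanza, since that is the one dpkg-buildpackage uses for the upload's Distribution field; older stanzas from unstable uploads are expected below it and should not trigger a refusal.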

Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214

Ian Jackson-11
Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"):
> On Thu, May 04, 2017 at 05:59:18PM +0100, Ian Jackson wrote:
> > Should I put jessie-security in the debian/changelog and dgit push it
> > (ie, from many people's pov, dput it) ?
>
> Yes, the distribution line should be jessie-security, but please send
> a debdiff to [hidden email] for a quick review before
> uploading (I have no idea whether dgit supports security-master).

I'll send you a debdiff, thanks.  I guess I'll find out whether dgit
does work or not.

I need to check the armhf build, since there are conflicts there.  I
don't think I can conveniently test the armhf version.

Ian.

Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214

Moritz Mühlenhoff-2
On Thu, May 04, 2017 at 06:19:07PM +0100, Ian Jackson wrote:

> Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"):
> > On Thu, May 04, 2017 at 05:59:18PM +0100, Ian Jackson wrote:
> > > Should I put jessie-security in the debian/changelog and dgit push it
> > > (ie, from many people's pov, dput it) ?
> >
> > Yes, the distribution line should be jessie-security, but please send
> > a debdiff to [hidden email] for a quick review before
> > uploading (I have no idea whether dgit supports security-master).
>
> I'll send you a debdiff, thanks.  I guess I'll find out whether dgit
> does work or not.
>
> I need to check the armhf build, since there are conflicts there.  I
> don't think I can conveniently test the armhf version.

You mean CVE-2016-9815-CVE-2016-9818? We can simply leave them unfixed/ignored
I guess, it's not that there's any arm-based cloud hosting companies
running jessie on arm :-)

Cheers,
        Moritz

Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214

Ian Jackson-11
Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"):
> On Thu, May 04, 2017 at 06:19:07PM +0100, Ian Jackson wrote:
> > I need to check the armhf build, since there are conflicts there.  I
> > don't think I can conveniently test the armhf version.
>
> You mean CVE-2016-9815-CVE-2016-9818? We can simply leave them
> unfixed/ignored I guess, it's not that there's any arm-based cloud
> hosting companies running jessie on arm :-)

No.  I mean XSA-213, which doesn't have a CVE because MITRE :-/.

Ian.