[Pkg-xen-devel] Xen package security updates for jessie 4.4, XSA-213, XSA-214
Ian Jackson
ian.jackson at eu.citrix.com
Fri May 5 14:20:22 UTC 2017
Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"):
> On Thu, May 04, 2017 at 08:18:07PM +0100, Ian Jackson wrote:
> > Can I do a source-only upload ?
>
> Unfortunately that's not supported by the dak installation on security-master
> for jessie-security, stretch-security will allow that soon.
I will see if I can find a clean jessie chroot somewhere.
> > diff --git a/debian/changelog b/debian/changelog
> > index 25361a61e4..a42f68d3a9 100644
> > --- a/debian/changelog
> > +++ b/debian/changelog
> > @@ -1,3 +1,12 @@
> > +xen (4.4.1-9+deb8u9) unstable; urgency=medium
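Review bot: the stanza header `+xen (4.4.1-9+deb8u9) unstable; urgency=medium` names `unstable` as the target distribution, but this is a jessie security upload and must target `jessie-security` (the point raised in the reply below); change the line to `xen (4.4.1-9+deb8u9) jessie-security; urgency=medium`. The hunk header `@@ -1,3 +1,12 @@` says nine lines are added, so only the first of them is quoted here; the rest of the stanza should be checked against the same suite before upload.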
>
> The distribution needs to be jessie-security.
Oops, yes, of course. (dgit would have caught that when I said push...)
> > + Security updates:
> > + * XSA-213: Closes:#861659: 64bit PV guest breakout
> > + * XSA-214: Closes:#861660: grant transfer PV privilege escalation
> > + * XSA-215: Closes:#861662: memory corruption via failsafe callback
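Review bot: the three entry lines name XSA numbers and Debian bug numbers but carry no CVE identifiers, which the reply below says have not yet been assigned for XSA 213-215; once IDs exist they should be added to each line so the security tracker can match the upload to the advisories. If the XSA-212 and XSA-200 fixes are folded in as requested, each needs its own entry in this stanza as well. As a style point, the usual spelling is `Closes: #861659` with a space after the colon; dpkg's changelog parser accepts both forms.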
>
> Let's also include fixes for https://xenbits.xen.org/xsa/advisory-212.html
> and https://xenbits.xen.org/xsa/advisory-200.html, for these even official
> 4.4 backports are available.
OK.
> Wrt CVE IDs, let's use the Debian CNA next time, it's really silly that MITRE
> still hasn't assigned something for XSA 213-215. We can assign those usually
> within 24 hours from the Debian pool.
I will need to talk to the rest of security at xen about this.
> The patches all look fine, but the content of
> multicall-deal-with-early-exit-condition is also included in the
> tree again (outside of debian/patches):
This is true of all the patches. The diff was a git diff of a
dgit-compatible tree (i.e., a patches-applied tree). I can give you a
diff without the upstream changes if you want.
Ian.
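As an added check, not code from the original thread or from the Debian xen packaging, here is a small POSIX shell function that validates the first line of a debian/changelog stanza for a jessie security upload: it rejects any distribution other than jessie-security (the mistake caught in the exchange above) and a version lacking the +deb8uN suffix that jessie stable and security updates use. The function name is the example's own; the two header strings are constructed from the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of the original thread or the Debian xen package.
# Validates the first line of a debian/changelog stanza for a jessie
# security upload. Sample header lines are constructed for this example.

# Usage: check_changelog_header "<first line of debian/changelog>"
# Prints a verdict on stdout; returns 0 only when the header is acceptable.
check_changelog_header() {
    header=$1
    pkg=$(printf '%s\n' "$header" | awk '{print $1}')
    ver=$(printf '%s\n' "$header" | awk '{print $2}' | tr -d '()')
    dist=$(printf '%s\n' "$header" | awk '{print $3}' | tr -d ';')

    if [ -z "$pkg" ] || [ -z "$ver" ] || [ -z "$dist" ]; then
        echo "malformed changelog header: $header"
        return 1
    fi

    # Security uploads for jessie must name the jessie-security suite;
    # "unstable" (or any other suite) is the wrong target for security-master.
    case "$dist" in
        jessie-security) ;;
        *)
            echo "$pkg $ver: distribution '$dist', expected jessie-security"
            return 1 ;;
    esac

    # Jessie (Debian 8) stable/security update versions carry a +deb8uN suffix.
    case "$ver" in
        *+deb8u[1-9]*) ;;
        *)
            echo "$pkg $ver: version lacks the +deb8uN suffix used for jessie"
            return 1 ;;
    esac

    echo "$pkg $ver -> $dist: OK"
    return 0
}

# Constructed samples: the header as quoted in the thread, and the corrected one.
BAD_HEADER='xen (4.4.1-9+deb8u9) unstable; urgency=medium'
GOOD_HEADER='xen (4.4.1-9+deb8u9) jessie-security; urgency=medium'

if check_changelog_header "$BAD_HEADER"; then
    echo "unexpected: the unstable header was accepted"
fi
check_changelog_header "$GOOD_HEADER"
```

The second point in the exchange, upstream changes showing up outside debian/patches because the diff was taken from a patches-applied tree, is a separate matter; restricting the diff with a pathspec, `git diff <base> -- debian/`, is the standard git way to get only the packaging changes, and is mentioned here as general git usage rather than as anything the thread prescribes.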