Hi,

Today I have finally been working on this. The result is that I at least have a new (WIP) version for buster. I'm running it on a dom0 right now and did smoke testing, live migrate, restarting domUs etc. It just works (tm).
This was the easy part, most of the work was assembling the changelog by copy-pasting things. I cross-checked with your list (below), which is nice, since we can check that way that the info from different points of view is the same (except for one entry, it is).

https://salsa.debian.org/xen-team/debian-xen/commits/knorrie/buster-security

Now the interesting part begins, which is not so much about the stable security update, but more about what to do with unstable.

We currently still have the same Xen version in unstable and in Buster. So, the most logical thing, which I mentioned before, would be to have 4.11.3+24-g14b62ab3e5-1 in unstable and 4.11.3+24-g14b62ab3e5-1~deb10u1 in stable.

However...

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=938843

And on Dec 15, python-pyxenstore REMOVED from testing

So, I guess we're not supposed to upload something new to unstable that includes this package again and/or uses python 2. Also, we of course do not like a situation where the package in stable has a newer version number than the one in unstable.

Checkmate...

We (as in, Debian Xen team, which is Ian and I who are currently active) haven't been working on getting the latest greatest Xen into unstable for Bullseye yet. The most recent Xen release (4.13) includes python3 support which fixes that issue, but getting that in means we have to actively start working on newer packages now. This mostly means reserving a few days to work on it, since it's not a really trivial undertaking.

Another duct-tape option is to put the same thing in unstable again, while stripping out python-pyxenstore from the control file, since it's not a required package for the average use case. Still, xen-utils-4.11 contains a bunch of python 2 files, which apparently are still under the radar.

I'm thinking out loud here, and am curious about what you and Ian can come up with.

On 1/2/20 3:57 PM, Salvatore Bonaccorso wrote:
> [...]
>
> There are several CVEs open for xen up to unstable, compiling a list
> from the information from the security-tracker it looks like those below.
>
> Any progress in getting those fixed at least for unstable already?
>
> CVE-2018-12207[0]: check, XSA-304
> CVE-2019-11135[1]: check, XSA-305
> CVE-2019-18420[2]: check, XSA-296
> CVE-2019-18421[3]: check, XSA-299
> CVE-2019-18422[4]: check, XSA-303
> CVE-2019-18423[5]: check, XSA-301
> CVE-2019-18424[6]: check, XSA-302
> CVE-2019-18425[7]: check, XSA-298
> CVE-2019-19577[8]: check, XSA-311
> CVE-2019-19578[9]: check, XSA-309
> CVE-2019-19579[10]: check, XSA-306
> CVE-2019-19580[11]: check, XSA-310
> CVE-2019-19581[12]: check, XSA-307
> CVE-2019-19582[13]: check, XSA-307
> CVE-2019-19583[14]: check, XSA-308

In the changelog, I also have a fix for:

XSA-295 CVE-2019-17349 CVE-2019-17350
https://xenbits.xen.org/xsa/advisory-295.html

> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

I also added a commit to put in the CVE numbers in previous changelog entries:

https://salsa.debian.org/xen-team/debian-xen/commit/0ee295f5caf6178f64febeb976d7ea968e44a191

Is this ok/wanted/great/what-you-like? Because, regularly, the numbers are not available yet when we push out the update.

Thanks,
Hans van Kranenburg
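The cross-check between the security-tracker list and the changelog that the message above describes, written out as an added example script. This is not code from the thread or from the Debian Xen team: the tracker list is built from the CVE/XSA ids quoted in the thread, the changelog entry is constructed for the demo (it deliberately leaves out one CVE and adds the XSA-295 ids the tracker list did not have), and the script assumes a CVE and its XSA are written on the same line of both documents.

```python
"""Cross-check CVE ids from a security-tracker style list against a
debian/changelog entry before an upload.  Added example; the inputs below
are constructed and are not the real debian-xen changelog."""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
XSA_RE = re.compile(r"XSA-\d+")

# Constructed input: the CVE -> XSA pairs as quoted from the tracker mail.
TRACKER_LIST = """\
CVE-2018-12207: XSA-304
CVE-2019-11135: XSA-305
CVE-2019-18420: XSA-296
CVE-2019-18421: XSA-299
CVE-2019-18422: XSA-303
CVE-2019-18423: XSA-301
CVE-2019-18424: XSA-302
CVE-2019-18425: XSA-298
CVE-2019-19577: XSA-311
CVE-2019-19578: XSA-309
CVE-2019-19579: XSA-306
CVE-2019-19580: XSA-310
CVE-2019-19581: XSA-307
CVE-2019-19582: XSA-307
CVE-2019-19583: XSA-308
"""

# Constructed changelog entry (NOT the real one): CVE-2019-19582 is left
# out on purpose so the checker has something to report, and the XSA-295
# ids that were not on the tracker list are present.
CHANGELOG = """\
xen (4.11.3+24-g14b62ab3e5-1) unstable; urgency=medium

  * Update to new upstream version 4.11.3+24-g14b62ab3e5, which also
    contains security fixes for the following issues:
    - XSA-295 CVE-2019-17349 CVE-2019-17350
    - XSA-296 CVE-2019-18420
    - XSA-298 CVE-2019-18425
    - XSA-299 CVE-2019-18421
    - XSA-301 CVE-2019-18423
    - XSA-302 CVE-2019-18424
    - XSA-303 CVE-2019-18422
    - XSA-304 CVE-2018-12207
    - XSA-305 CVE-2019-11135
    - XSA-306 CVE-2019-19579
    - XSA-307 CVE-2019-19581
    - XSA-308 CVE-2019-19583
    - XSA-309 CVE-2019-19578
    - XSA-310 CVE-2019-19580
    - XSA-311 CVE-2019-19577

 -- Debian Xen Team <placeholder@example.org>  Thu, 02 Jan 2020 00:00:00 +0000
"""


def cve_to_xsa(text):
    """Map every CVE id in `text` to the set of XSA ids on the same line.
    The line is the unit of association (an assumption about the layout)."""
    mapping = {}
    for line in text.splitlines():
        xsas = set(XSA_RE.findall(line))
        for cve in CVE_RE.findall(line):
            mapping.setdefault(cve, set()).update(xsas)
    return mapping


def cross_check(tracker_text, changelog_text):
    """Return the three things a reviewer wants to see before uploading:
    CVEs the tracker lists but the changelog lacks, CVEs only the changelog
    mentions (worth telling the security team about), and CVEs where the
    two sources disagree on the XSA number."""
    tracker = cve_to_xsa(tracker_text)
    changelog = cve_to_xsa(changelog_text)
    both = set(tracker) & set(changelog)
    return {
        "missing_from_changelog": sorted(set(tracker) - set(changelog)),
        "only_in_changelog": sorted(set(changelog) - set(tracker)),
        "xsa_mismatch": sorted(c for c in both if tracker[c] != changelog[c]),
    }


if __name__ == "__main__":
    for key, ids in cross_check(TRACKER_LIST, CHANGELOG).items():
        print(f"{key}: {', '.join(ids) or 'none'}")
```

On the constructed inputs the report names CVE-2019-19582 as missing from the changelog (it shares XSA-307 with CVE-2019-19581, the kind of entry that is easy to drop when copy-pasting), lists the two XSA-295 CVEs as only present in the changelog, and finds no XSA disagreement. Running the same check against the real tracker export and the real changelog is a cheap way to confirm the two points of view agree before pushing an update.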