Dear release team,

On Sun, May 21, 2023 at 10:02:25PM +0200, Maximilian Engelhardt wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: x...@packages.debian.org, t...@security.debian.org,
> m...@daemonizer.de
> Control: affects -1 + src:xen
>
> Please unblock package xen.
>
> [ Reason ]
> Xen in bookworm is currently affected by CVE-2022-42335 and
> CVE-2022-42336 (see #1034842 and #1036298).
>
> [ Impact ]
> The above-mentioned CVEs are not fixed in bookworm.
>
> [ Tests ]
> The Debian package is based only on upstream commits that have passed
> the upstream automated tests.
> The Debian package has been successfully tested by the xen packaging
> team on their test machines.
>
> [ Risks ]
> There could be upstream changes unrelated to the above-mentioned
> security fixes that cause regressions. However, upstream has an automated
> testing machinery (osstest) that only allows a commit into the upstream
> stable branch if all tests pass.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
> This security fix is based on the latest upstream stable-4.17 branch.
> The branch in general only accepts bug fixes and does not allow new
> features, so the changes there are mainly security and other bug fixes.
> This does not strictly follow the "only targeted fixes" release policy,
> but, as explained below, we believe it is still appropriate for an
> unblock request.
> The package we have uploaded to unstable is exactly what we would have
> done as a security update in a stable release, which is what we have
> historically done together with the security team and are planning to
> continue to do.
> As upstream does extensive automated testing on their stable branches,
> the chances of unnoticed regressions are low. We believe this way the
> risk of bugs is lower than trying to manually pick and adjust patches
> without all the deep knowledge that upstream has. This approach is
> similar to what the linux package is doing.

I can confirm that this is indeed the strategy we would follow for src:xen in bookworm as well, as we already do for bullseye.

Regards,
Salvatore