On 2018-10-23 14:03:37, Peter Dreuw wrote:
> Hello, everyone,
>
> I prepared another set of fixes based on the current Xen package on
> jessie-security (4.4.4lts2-0+deb8u1, DLA-1549).
>
> These fixes include
>
> CVE-2017-15595 / xsa 240
> CVE-2017-15593 / xsa 242
> CVE-2017-15592 / xsa 243
> CVE-2017-16693 / xsa 244
> CVE-2017-17044 / xsa 246
> CVE-2017-17045 / xsa 247
> CVE-2018-10472 / xsa 258
> CVE-2018-10981 / xsa 262
>
> The testing packages are available here:
>
> https://share.credativ.com/~pdr/xen-test/

I'll be reviewing those diffs shortly, thanks!

> These testing packages are auto generated by our new build system, so the
> package name is somewhat cryptic as it reflects the date and time of build as
> well as parts of the git hash it is based on.
>
> You can find the repository here: https://github.com/credativ/xen-lts
>
> dpkg might tell you about a potential downgrade, but you can ignore this for
> testing purposes safely. I expect them to be working but I would appreciate
> some feedback on this version before passing them to the public repository.

Did you do any kind of smoke testing or is that something that could be
useful per se? I always find it tricky to test Xen packages because,
well... In what environment do you test it? Qemu? Xen? Virtualbox? :)

> I will head on to the next issues to fix.

I'm curious: what is your take on XSA-254 and the Meltdown/Spectre
issues in Xen? Are those fixable? Should we consider encouraging people
to switch to other virtualization solutions in LTS/jessie considering
the difficulty of mitigation in Xen environments?

Thanks,

A.

--
The idea that Bill Gates has appeared like a knight in shining armour to
lead all customers out of a mire of technological chaos neatly ignores
the fact that it was he who, by peddling second-rate technology, led
them into it in the first place.
                        - Douglas Adams (1952-2001)
