On 24.10.18 at 17:24, Antoine Beaupré wrote:
> On 2018-10-23 14:03:37, Peter Dreuw wrote:
>> Hello, everyone,
>>
>> I prepared another set of fixes based on the current Xen package on
>> jessie-security (4.4.4lts2-0+deb8u1, DLA-1549).
>>
>> These fixes include
>>
>> CVE-2017-15595 / XSA-240
>> CVE-2017-15593 / XSA-242
>> CVE-2017-15592 / XSA-243
>> CVE-2017-16693 / XSA-244
>> CVE-2017-17044 / XSA-246
>> CVE-2017-17045 / XSA-247
>> CVE-2018-10472 / XSA-258
>> CVE-2018-10981 / XSA-262
>>
>> The testing packages are available here:
>>
>> https://share.credativ.com/~pdr/xen-test/
>
> I'll be reviewing those diffs shortly, thanks!

Thank you very much.

>> These testing packages are auto-generated by our new build system, so the
>> package name is somewhat cryptic as it reflects the date and time of build
>> as well as parts of the git hash it is based on.
>>
>> You can find the repository here: https://github.com/credativ/xen-lts
>>
>> dpkg might tell you about a potential downgrade, but you can ignore this for
>> testing purposes safely. I expect them to be working but I would appreciate
>> some feedback on this version before passing them to the public repository.
>
> Did you do any kind of smoke testing or is that something that could be
> useful per se?
>
> I always find it tricky to test Xen packages because, well... In what
> environment do you test it? Qemu? Xen? Virtualbox? :)

I am testing the x86 packages on real hardware and VirtualBox. But of course, my hardware spectrum available for this is not too broad. In general, I make sure that my packages work for me before I would release them in any way ;)

I'm working on integration of Xen fixes into old versions for a while, now. I already did this on the Xen 4.1 in Wheezy, FYI.

The ARM packages - which are currently not included in my request for feedback - are tested on Qemu only. But the ARM-only bugs/fixes are mostly easy to do as the upstream patches apply and upstream does a great amount of testing. So I consider the work already done not harmful to the ARM systems right now - at least if the x86 tests don't fail ;)

>> I will head on to the next issues to fix.
>
> I'm curious: what is your take on XSA-254 and the Meltdown/Spectre
> issues in Xen? Are those fixable?

I am not sure if this can be done with Xen 4.4 - at least not to a level of a 100% solution. Looking into the upstream code for e.g. 4.6 there are many changes that would need to be considered. I am thinking of this, currently, yes.

The same goes for

XSA-263 / CVE-2018-3639
XSA-267 / CVE-2018-3665
XSA-273 / CVE-2018-3620, CVE-2018-3646

The upstream fixes for these XSAs rely on the XSA-254 work already done. So getting XSA-263/267/273 fixed would need to adapt much of the work done for XSA-254.

> Should we consider encouraging people to switch to other virtualization
> solutions in LTS/jessie considering the difficulty of mitigation in Xen
> environments?
>
> Thanks,
>
> A.

Hum, this looks like a need for a political answer ;)

I honestly don't know if the difficulty level of mitigation in other old virtualization solutions is really lower. An alternative might be offering a version of a more recent Xen package. AFAIK there is a Xen 4.9 package in Jessie backports already, but this is not too fresh, I think.
I know, LTS users might not like the idea of shifting to new versions, but the Spectre/Meltdown issue is a class of its own when it comes to solutions.

Cheers
Peter

--
Peter Dreuw
Teamleiter
Tel.: +49 2166 9901-155
Fax: +49 2166 9901-100
E-Mail: [email protected]
gpg fingerprint: 33B0 82D3 D103 B594 E7D3 53C7 FBB6 3BD0 DB32 ED41
http://www.credativ.de/

credativ GmbH, HRB Mönchengladbach 12080
Trompeterallee 108, 41189 Mönchengladbach
