Am 24.10.18 um 20:34 schrieb Antoine Beaupré: >> I am not sure if this can be done with Xen 4.4 - at least not to a level >> of a 100% solution. Looking into the upstream code for e.g. 4.6 there >> are many changes that would need to be considered. I am thinking of >> this, currently, yes. The same goes to >> >> >> XSA 263 / CVE-2018-3639 >> >> XSA 267 / CVE-2018-3665 >> >> XSA 273 / CVE-2018-3620,CVE-2018-3646 >> >> The upstream fixes for these XSA rely on the XSA 254 work already done. >> So getting xsa 263/267/273 fixed would need to adapt much of the work >> done for xsa 254. > Right. It's a huge challenge and sensitive if not confusing code. yes, it is. I think it will be doable but I have no real idea how mich time this would consume. >>> Should we consider encouraging people to switch to other virtualization >>> solutions in LTS/jessie considering the difficulty of mitigation in Xen >>> environments? >> [...] > I am going with the assertion that Linux and KVM, in particular, is > being fixed in jessie. It may be flawed, but I know a lot of effort was > put in resolving those issues in the kernel, for obvious reasons. > > My impression was that mitigation has been much harder in Xen and that > many hosting providers were migrating away. For example, RedHat > recommends to migrate to KVM here as well: > > https://access.redhat.com/solutions/3307791
yes, I understand this point of view. On the other hand I am confident in the Xen project to provide a solution for these issues on supported versions, too. >> An alternative might be offering a version of a more recent Xen package. >> AFAIK there is a Xen 4.9 package in Jessie backports already, but this >> is not too fresh, I think. I know, LTS users might not like the idea of >> shifting to new versions but the spectre/meltdown issue is a class of >> its own when it comes to solutions. > My comments were not specifically regarding 4.4. From what I understand, > those issues affect all versions of Xen. I know at least that my old job > is migrating away from Xen completely, towards KVM, for that very > reason. But between migrating from Xen 4.4 to 4.9 and Xen to KVM, maybe > the former is easier. So if it actually fixes the "speculation" issues, > it might be worth it. > > But there is much... er... speculation on this on my part, I wish we had > a clearer picture of where all this stands right now. In any case, it > seems essential we make a (political? :) decision on the topic and > publicize it officially, maybe in a errata or DLA notice on the > announcement list. When it comes to speculation, I would say, there is no way of encouraging people using a LTS distribution moving to either another virtualization solution or to a more recent backport because we are talking about an LTS distribution. One of the key features of LTS distributions is avoiding migration and the risks of migration. My conclusion is: yes. It would be better to have a more recent version of Xen running, even maybe, following the RedHat recommendation shifting to KVM... But in this case, people could move to Stretch ;) So, the only option is fix the old code as good as possible. For some convenience, a more recent and fresh package of Xen, which behaves almost like the old one can be an easy to gain migration step, at least smaller than switching the complete distribution. > PS: after a short grace period, I suggest we actually upload the fixes > that are ready to the archive already. This will allow us to deliver > those fixes more quickly to our uses, but also provide a way to detect > which patches introduce regressions, if any. Yes, I think so. I have the next fixes in the pipeline to be reviewed. Cheers, Peter -- Peter Dreuw Teamleiter Tel.: +49 2166 9901-155 Fax: +49 2166 9901-100 E-Mail: [email protected] gpg fingerprint: 33B0 82D3 D103 B594 E7D3 53C7 FBB6 3BD0 DB32 ED41 http://www.credativ.de/ ********************************************** Jetzt neu: Elephant Shed - PostgreSQL Appliance PostgreSQL und alles was dazugehört Von Backup über Monitoring bis Reporting: https://elephant-shed.io/index.de.html ********************************************** credativ GmbH, HRB Mönchengladbach 12080 USt-ID-Nummer: DE204566209 Trompeterallee 108, 41189 Mönchengladbach Geschäftsführung: Dr. Michael Meskes, Jörg Folz, Sascha Heuer Unser Umgang mit personenbezogenen Daten unterliegt folgenden Bestimmungen: https://www.credativ.de/datenschutz
<<attachment: peter_dreuw.vcf>>
