Bug#1021668: [Pkg-xen-devel] Bug#1021668: xen: CVE-2022-33749 CVE-2022-33748 CVE-2022-33747 CVE-2022-33746

2022-11-02 Thread Salvatore Bonaccorso
Hi,

On Wed, Nov 02, 2022 at 08:02:26PM +0100, Hans van Kranenburg wrote:
> Hi,
> 
> On 10/19/22 21:55, Moritz Muehlenhoff wrote:
> >>> For the latest set of Xen issues my estimate is that we can postpone
> >>> them until the next batch, they seem all of moderate/limited impact.
> >>> But let me know if you think otherwise.
> >>
> >> I agree. Let's do them together with the new stuff that's planned for
> >> Nov 1st, https://xenbits.xen.org/xsa/
> > 
> > Ack, I've updated the Security Tracker.
> 
> I'm having a look at this now, and while writing the changelog entry, I
> ran into the following thing:
> 
> XSA-403 has 4 CVE numbers. AFAIUI the first two are about the fixes done
> to Linux, and the other two are about changes to Xen. Shouldn't the
> Debian security tracker reflect that?
> 
> CVE-2022-26365 CVE-2022-33740 -> src:linux only ?
> CVE-2022-33741 CVE-2022-33742 -> src:xen only ?

Speaking for src:linux I do not think we need to change the tracking:

CVE-2022-26365: 2f446ffe9d73 ("xen/blkfront: fix leaking data in shared pages")
CVE-2022-33740: 307c8de2b023 ("xen/netfront: fix leaking data in shared pages")
CVE-2022-33741: 4491001c2e0f ("xen/netfront: force data bouncing when backend is untrusted")
CVE-2022-33742: 2400617da7ee ("xen/blkfront: force data bouncing when backend is untrusted")

Regards,
Salvatore



Bug#1021668: [Pkg-xen-devel] Bug#1021668: xen: CVE-2022-33749 CVE-2022-33748 CVE-2022-33747 CVE-2022-33746

2022-11-02 Thread Hans van Kranenburg
Hi,

On 10/19/22 21:55, Moritz Muehlenhoff wrote:
>>> For the latest set of Xen issues my estimate is that we can postpone
>>> them until the next batch, they seem all of moderate/limited impact.
>>> But let me know if you think otherwise.
>>
>> I agree. Let's do them together with the new stuff that's planned for
>> Nov 1st, https://xenbits.xen.org/xsa/
> 
> Ack, I've updated the Security Tracker.

I'm having a look at this now, and while writing the changelog entry, I
ran into the following thing:

XSA-403 has 4 CVE numbers. AFAIUI the first two are about the fixes done
to Linux, and the other two are about changes to Xen. Shouldn't the
Debian security tracker reflect that?

CVE-2022-26365 CVE-2022-33740 -> src:linux only ?
CVE-2022-33741 CVE-2022-33742 -> src:xen only ?

And for XSA-403, at first upstream was unsure about what to do for older
Xen versions where the patches would be an ABI breaker. In the end, they
did apply the more coarse-grained patch to at least offer some kind of
mitigation in case a user wants to use it.

So, the changelog line I'm including now will just be:
  - Linux disk/nic frontends data leaks
    XSA-403 CVE-2022-33741 CVE-2022-33742

HTH,
Hans
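The two messages above compare what an upload's changelog stanza claims to fix against what the advisory and the security tracker say. As an added example (not part of the thread, nor Debian tooling), here is a small reconciliation script: it pulls XSA and CVE identifiers out of a changelog stanza with the same identifier syntax the tracker uses, and for each advisory named reports which of its CVEs the stanza claims and which it leaves out. The XSA-403 CVE set and the src:linux fix commits are taken from the thread; the changelog stanza is constructed text in the shape of Hans's entry, and the function names are mine.

```python
import re

# Identifier syntax used in Debian changelogs and the security tracker.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
XSA_RE = re.compile(r"\bXSA-\d+\b")

# Advisory -> CVE table. Only the XSA-403 row is filled in, from the thread;
# a real run would load this from the tracker or xenbits' xsa.json.
XSA_CVES = {
    "XSA-403": {"CVE-2022-26365", "CVE-2022-33740",
                "CVE-2022-33741", "CVE-2022-33742"},
}

# src:linux fix commits as listed by Salvatore (abbreviated upstream hashes).
LINUX_FIXES = {
    "CVE-2022-26365": "2f446ffe9d73",
    "CVE-2022-33740": "307c8de2b023",
    "CVE-2022-33741": "4491001c2e0f",
    "CVE-2022-33742": "2400617da7ee",
}

# Constructed changelog excerpt in the shape of Hans's entry; not a real upload.
SAMPLE_STANZA = """\
  * Apply upstream XSA patches (constructed example):
    - Linux disk/nic frontends data leaks
      XSA-403 CVE-2022-33741 CVE-2022-33742
"""


def extract_ids(text):
    """Return (sorted XSA ids, sorted CVE ids) mentioned anywhere in the text."""
    return sorted(set(XSA_RE.findall(text))), sorted(set(CVE_RE.findall(text)))


def reconcile(text, xsa_cves=XSA_CVES):
    """For every XSA named in the stanza, split the advisory's CVEs into the
    ones the stanza claims and the ones it omits. CVEs in the stanza that
    belong to none of the named advisories are reported as 'unmatched' so a
    typo or a mis-attributed CVE is not silently accepted."""
    xsas, cves = extract_ids(text)
    claimed = set(cves)
    report = {}
    covered = set()
    for xsa in xsas:
        advisory = set(xsa_cves.get(xsa, ()))
        covered |= advisory
        report[xsa] = {
            "claimed": sorted(claimed & advisory),
            "omitted": sorted(advisory - claimed),
        }
    report["unmatched"] = sorted(claimed - covered)
    return report


def linux_fix_for(cve, fixes=LINUX_FIXES):
    """Upstream Linux commit for a CVE, or None if src:linux carries no fix."""
    return fixes.get(cve)


if __name__ == "__main__":
    for xsa, entry in reconcile(SAMPLE_STANZA).items():
        print(xsa, entry)
    # Omitted CVEs are the ones tracked against src:linux in this case:
    for cve in reconcile(SAMPLE_STANZA)["XSA-403"]["omitted"]:
        print(cve, "->", linux_fix_for(cve))
```

Run against the constructed stanza, the script reports CVE-2022-26365 and CVE-2022-33740 as omitted for XSA-403, which is exactly the split Hans asks about: those two are carried by the Linux frontend fixes rather than by the xen upload.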



Bug#1021668: [Pkg-xen-devel] Bug#1021668: xen: CVE-2022-33749 CVE-2022-33748 CVE-2022-33747 CVE-2022-33746

2022-10-19 Thread Moritz Muehlenhoff
> > For the latest set of Xen issues my estimate is that we can postpone
> > them until the next batch, they seem all of moderate/limited impact.
> > But let me know if you think otherwise.
> 
> I agree. Let's do them together with the new stuff that's planned for
> Nov 1st, https://xenbits.xen.org/xsa/

Ack, I've updated the Security Tracker.

Cheers,
Moritz



Bug#1021668: [Pkg-xen-devel] Bug#1021668: xen: CVE-2022-33749 CVE-2022-33748 CVE-2022-33747 CVE-2022-33746

2022-10-19 Thread Hans van Kranenburg
Hi,

On 18/10/2022 22:31, Moritz Muehlenhoff wrote:
> On Tue, Oct 18, 2022 at 02:17:32PM +0200, Hans van Kranenburg wrote:
>> Does explicitly opening a BTS bug mean that, as we used to call it,
>> "these CVEs warrant a DSA",
> 
> No, in general we aim to file bugs for any open CVEs regardless of
> the DSA state. This allows people to see that an issue is known
> (and some maintainers might also not have noticed in time).

Ok!

>> and that it is a request for an ASAP package
>> update and preparing a security update for stable, or, is this a new
>> thing where BTS bugs are opened for packages, just in case the
>> maintainer did not already track security issues themselves actively?
> 
> For the latest set of Xen issues my estimate is that we can postpone
> them until the next batch, they seem all of moderate/limited impact.
> But let me know if you think otherwise.

I agree. Let's do them together with the new stuff that's planned for
Nov 1st, https://xenbits.xen.org/xsa/

Hans



Bug#1021668: [Pkg-xen-devel] Bug#1021668: xen: CVE-2022-33749 CVE-2022-33748 CVE-2022-33747 CVE-2022-33746

2022-10-18 Thread Moritz Muehlenhoff
On Tue, Oct 18, 2022 at 02:17:32PM +0200, Hans van Kranenburg wrote:
> Does explicitly opening a BTS bug mean that, as we used to call it,
> "these CVEs warrant a DSA",

No, in general we aim to file bugs for any open CVEs regardless of
the DSA state. This allows people to see that an issue is known
(and some maintainers might also not have noticed in time).

> and that it is a request for an ASAP package
> update and preparing a security update for stable, or, is this a new
> thing where BTS bugs are opened for packages, just in case the
> maintainer did not already track security issues themselves actively?

For the latest set of Xen issues my estimate is that we can postpone
them until the next batch, they seem all of moderate/limited impact.
But let me know if you think otherwise.

Cheers,
Moritz



Bug#1021668: [Pkg-xen-devel] Bug#1021668: xen: CVE-2022-33749 CVE-2022-33748 CVE-2022-33747 CVE-2022-33746

2022-10-18 Thread Salvatore Bonaccorso
Hi Hans,

On Tue, Oct 18, 2022 at 02:17:32PM +0200, Hans van Kranenburg wrote:
> Hi!
> 
> On 10/12/22 19:38, Moritz Mühlenhoff wrote:
> > Source: xen
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: important
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerabilities were published for xen.
> > 
> > CVE-[...]
> Thanks for the overview. The XAPI one indeed does not apply to src:xen.
> 
> I have a question, since the 'bug' report does not contain a question,
> or explicit call for action, and I have not seen it in this way before.
> 
> Does explicitly opening a BTS bug mean that, as we used to call it,
> "these CVEs warrant a DSA", and that it is a request for an ASAP package
> update and preparing a security update for stable, or, is this a new
> thing where BTS bugs are opened for packages, just in case the
> maintainer did not already track security issues themselves actively?

Filing a bug, or even its severity, may be completely orthogonal to
the question of whether something warrants a DSA. In fact you will notice
in the security-tracker issues triaged as no-dsa (not warranting a DSA,
but which could be fixed in a point release or piggy-backed as well in
a later update) filed as bugs for tracking in the BTS as well, with
severity grave, indicating though that the issue should be assumed RC
and be fixed in testing so that the next stable version will include a
fix.

Filing a bug makes sure maintainers are aware of the issues.

Hope this helps,

Regards,
Salvatore



Bug#1021668: [Pkg-xen-devel] Bug#1021668: xen: CVE-2022-33749 CVE-2022-33748 CVE-2022-33747 CVE-2022-33746

2022-10-18 Thread Hans van Kranenburg
Hi!

On 10/12/22 19:38, Moritz Mühlenhoff wrote:
> Source: xen
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerabilities were published for xen.
> 
> CVE-[...]
Thanks for the overview. The XAPI one indeed does not apply to src:xen.

I have a question, since the 'bug' report does not contain a question,
or explicit call for action, and I have not seen it in this way before.

Does explicitly opening a BTS bug mean that, as we used to call it,
"these CVEs warrant a DSA", and that it is a request for an ASAP package
update and preparing a security update for stable, or, is this a new
thing where BTS bugs are opened for packages, just in case the
maintainer did not already track security issues themselves actively?

I'm just wondering...

Thanks,
Hans