Re: working for wheezy-security until wheezy-lts starts
Moritz Muehlenhoff writes:
> It was pointed out on IRC that Ubuntu precise has a Xen 4.1 package, so
> you might want to compare fixes with their package.

Thanks for this. I will check this out later when I have more time.

Just a very quick glance for now: Debian wheezy has 4.1.4, Ubuntu precise has 4.1.6; no idea if this matters. Am speculating that 4.1.6 might have security updates.

So one possible strategy might be to take Ubuntu's package as is and port it to Debian wheezy. Wonder how many of the CVEs the Ubuntu version fixes.

--
Brian May
Re: working for wheezy-security until wheezy-lts starts
On Wed, Mar 16, 2016 at 02:27:15PM +1100, Brian May wrote:
> Guido Günther writes:
>
> > Sid has Xen 4.6 and looking at the CVEs that affect sid the patches
> > don't seem to be applied so the tracker looks correct, there's plenty of
> > work left.
> >
> > Are you going to look at the Wheezy packages?
>
> Looking now.

It was pointed out on IRC that Ubuntu precise has a Xen 4.1 package, so you might want to compare fixes with their package.

Cheers,
Moritz
Re: working for wheezy-security until wheezy-lts starts
On Wed, Mar 16, 2016 at 02:27:15PM +1100, Brian May wrote:
> Guido Günther writes:
>
> > Sid has Xen 4.6 and looking at the CVEs that affect sid the patches
> > don't seem to be applied so the tracker looks correct, there's plenty of
> > work left.
> >
> > Are you going to look at the Wheezy packages?
>
> Looking now.
>
> Just looking at CVE-2015-2756 - this appears to be a vulnerability in
> qemu - not xen - and squeeze and wheezy are not affected.
>
> https://security-tracker.debian.org/tracker/CVE-2015-2756

The patches provided with the xsa seem to apply to the embedded qemu copy of xen 4.1.4 but I did not check if a HVM guest can exploit this.

Cheers,
 -- Guido