Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214
Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"):
> On Thu, May 04, 2017 at 06:19:07PM +0100, Ian Jackson wrote:
> > I need to check the armhf build, since there are conflicts there. I
> > don't think I can conveniently test the armhf version.
>
> You mean CVE-2016-9815-CVE-2016-9818? We can simply leave them
> unfixed/ignored I guess, it's not that there's any arm-based cloud
> hosting companies running jessie on arm :-)

No. I mean XSA-213, which doesn't have a CVE because MITRE :-/.

Ian.
Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214
On Thu, May 04, 2017 at 06:19:07PM +0100, Ian Jackson wrote:
> Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"):
> > On Thu, May 04, 2017 at 05:59:18PM +0100, Ian Jackson wrote:
> > > Should I put jessie-security in the debian/changelog and dgit push it
> > > (ie, from many people's pov, dput it) ?
> >
> > Yes, the distribution line should be jessie-security, but please send
> > a debdiff to t...@security.debian.org for a quick review before
> > uploading (I have no idea whether dgit supports security-master).
>
> I'll send you a debdiff, thanks. I guess I'll find out whether dgit
> does work or not.
>
> I need to check the armhf build, since there are conflicts there. I
> don't think I can conveniently test the armhf version.

You mean CVE-2016-9815-CVE-2016-9818? We can simply leave them
unfixed/ignored I guess, it's not that there's any arm-based cloud
hosting companies running jessie on arm :-)

Cheers,
Moritz
Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214
Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"):
> On Thu, May 04, 2017 at 05:59:18PM +0100, Ian Jackson wrote:
> > Should I put jessie-security in the debian/changelog and dgit push it
> > (ie, from many people's pov, dput it) ?
>
> Yes, the distribution line should be jessie-security, but please send
> a debdiff to t...@security.debian.org for a quick review before
> uploading (I have no idea whether dgit supports security-master).

I'll send you a debdiff, thanks. I guess I'll find out whether dgit
does work or not.

I need to check the armhf build, since there are conflicts there. I
don't think I can conveniently test the armhf version.

Ian.
Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214
On Thu, May 04, 2017 at 05:59:18PM +0100, Ian Jackson wrote:
> Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"):
> > On Thu, May 04, 2017 at 05:06:07PM +0100, Ian Jackson wrote:
> > > I have fixed these in stretch but the jessie package remains unfixed.
> > > I think I may be able to find some backports somewhere. Would that be
> > > useful ? Is anyone else working on this ?
> >
> > Yes, please!
>
> Working on it now. What shall I do with my resulting package ?
>
> Should I put jessie-security in the debian/changelog and dgit push it
> (ie, from many people's pov, dput it) ?

Yes, the distribution line should be jessie-security, but please send
a debdiff to t...@security.debian.org for a quick review before
uploading (I have no idea whether dgit supports security-master).

Cheers,
Moritz
Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214
Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"):
> On Thu, May 04, 2017 at 05:06:07PM +0100, Ian Jackson wrote:
> > I have fixed these in stretch but the jessie package remains unfixed.
> > I think I may be able to find some backports somewhere. Would that be
> > useful ? Is anyone else working on this ?
>
> Yes, please!

Working on it now. What shall I do with my resulting package ?

Should I put jessie-security in the debian/changelog and dgit push it
(ie, from many people's pov, dput it) ?

Ian.
Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214
On Thu, May 04, 2017 at 05:06:07PM +0100, Ian Jackson wrote:
> Ian Jackson writes ("64bit PV guest breakout [XSA-213]"):
> > Source: xen
> > Version: 4.4.1-9
> > Severity: important
> > Tags: security upstream fixed-upstream
> >
> > See
> > https://xenbits.xen.org/xsa/advisory-213.html
>
> Ian Jackson writes ("grant transfer allows PV guest to elevate privileges [XSA-214]"):
> > Source: xen
> > Version: 4.4.1-9
> > Severity: important
> > Tags: security upstream fixed-upstream
> >
> > See
> > https://xenbits.xen.org/xsa/advisory-214.html
>
> I have fixed these in stretch but the jessie package remains unfixed.
> I think I may be able to find some backports somewhere. Would that be
> useful ? Is anyone else working on this ?

Yes, please!

Cheers,
Moritz
Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214
Ian Jackson writes ("64bit PV guest breakout [XSA-213]"):
> Source: xen
> Version: 4.4.1-9
> Severity: important
> Tags: security upstream fixed-upstream
>
> See
> https://xenbits.xen.org/xsa/advisory-213.html

Ian Jackson writes ("grant transfer allows PV guest to elevate privileges [XSA-214]"):
> Source: xen
> Version: 4.4.1-9
> Severity: important
> Tags: security upstream fixed-upstream
>
> See
> https://xenbits.xen.org/xsa/advisory-214.html

I have fixed these in stretch but the jessie package remains unfixed.
I think I may be able to find some backports somewhere. Would that be
useful ? Is anyone else working on this ?

Ian.