Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214
Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4,
XSA-213, XSA-214"):
> On Thu, May 04, 2017 at 06:19:07PM +0100, Ian Jackson wrote:
> > I need to check the armhf build, since there are conflicts there. I
> > don't think I can conveniently test the armhf version.
>
> You mean CVE-2016-9815-CVE-2016-9818? We can simply leave them
> unfixed/ignored I guess, it's not that there's any arm-based cloud
> hosting companies running jessie on arm :-)
No. I mean XSA-213, which doesn't have a CVE because MITRE :-/.
Ian.
Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214
On Thu, May 04, 2017 at 06:19:07PM +0100, Ian Jackson wrote:
> Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4,
> XSA-213, XSA-214"):
> > On Thu, May 04, 2017 at 05:59:18PM +0100, Ian Jackson wrote:
> > > Should I put jessie-security in the debian/changelog and dgit push it
> > > (ie, from many people's pov, dput it) ?
> >
> > Yes, the distribution line should be jessie-security, but please send
> > a debdiff to t...@security.debian.org for a quick review before
> > uploading (I have no idea whether dgit supports security-master).
>
> I'll send you a debdiff, thanks. I guess I'll find out whether dgit
> does work or not.
>
> I need to check the armhf build, since there are conflicts there. I
> don't think I can conveniently test the armhf version.
You mean CVE-2016-9815-CVE-2016-9818? We can simply leave them unfixed/ignored
I guess, it's not that there's any arm-based cloud hosting companies
running jessie on arm :-)
Cheers,
Moritz
Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214
Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4,
XSA-213, XSA-214"):
> On Thu, May 04, 2017 at 05:59:18PM +0100, Ian Jackson wrote:
> > Should I put jessie-security in the debian/changelog and dgit push it
> > (ie, from many people's pov, dput it) ?
>
> Yes, the distribution line should be jessie-security, but please send
> a debdiff to t...@security.debian.org for a quick review before
> uploading (I have no idea whether dgit supports security-master).
I'll send you a debdiff, thanks. I guess I'll find out whether dgit
does work or not.
I need to check the armhf build, since there are conflicts there. I
don't think I can conveniently test the armhf version.
Ian.
Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214
On Thu, May 04, 2017 at 05:59:18PM +0100, Ian Jackson wrote:
> Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4,
> XSA-213, XSA-214"):
> > On Thu, May 04, 2017 at 05:06:07PM +0100, Ian Jackson wrote:
> > > I have fixed these in stretch but the jessie package remains unfixed.
> > > I think I may be able to find some backports somewhere. Would that be
> > > useful ? Is anyone else working on this ?
> >
> > Yes, please!
>
> Working on it now. What shall I do with my resulting package ?
>
> Should I put jessie-security in the debian/changelog and dgit push it
> (ie, from many people's pov, dput it) ?
Yes, the distribution line should be jessie-security, but please send
a debdiff to t...@security.debian.org for a quick review before
uploading (I have no idea whether dgit supports security-master).
Cheers,
Moritz
Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214
Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4,
XSA-213, XSA-214"):
> On Thu, May 04, 2017 at 05:06:07PM +0100, Ian Jackson wrote:
> > I have fixed these in stretch but the jessie package remains unfixed.
> > I think I may be able to find some backports somewhere. Would that be
> > useful ? Is anyone else working on this ?
>
> Yes, please!
Working on it now. What shall I do with my resulting package ?
Should I put jessie-security in the debian/changelog and dgit push it
(ie, from many people's pov, dput it) ?
Ian.
Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214
On Thu, May 04, 2017 at 05:06:07PM +0100, Ian Jackson wrote:
> Ian Jackson writes ("64bit PV guest breakout [XSA-213]"):
> > Source: xen
> > Version: 4.4.1-9
> > Severity: important
> > Tags: security upstream fixed-upstream
> >
> > See
> > https://xenbits.xen.org/xsa/advisory-213.html
>
> Ian Jackson writes ("grant transfer allows PV guest to elevate privileges
> [XSA-214]"):
> > Source: xen
> > Version: 4.4.1-9
> > Severity: important
> > Tags: security upstream fixed-upstream
> >
> > See
> > https://xenbits.xen.org/xsa/advisory-214.html
>
> I have fixed these in stretch but the jessie package remains unfixed.
> I think I may be able to find some backports somewhere. Would that be
> useful ? Is anyone else working on this ?
Yes, please!
Cheers,
Moritz
Bug#861659: Xen package security updates for jessie 4.4, XSA-213, XSA-214
Ian Jackson writes ("64bit PV guest breakout [XSA-213]"):
> Source: xen
> Version: 4.4.1-9
> Severity: important
> Tags: security upstream fixed-upstream
>
> See
> https://xenbits.xen.org/xsa/advisory-213.html
Ian Jackson writes ("grant transfer allows PV guest to elevate privileges
[XSA-214]"):
> Source: xen
> Version: 4.4.1-9
> Severity: important
> Tags: security upstream fixed-upstream
>
> See
> https://xenbits.xen.org/xsa/advisory-214.html
I have fixed these in stretch but the jessie package remains unfixed.
I think I may be able to find some backports somewhere. Would that be
useful ? Is anyone else working on this ?
Ian.
