On Tue, Dec 12, 2017 at 10:03 AM, Steven Haigh <net...@crc.id.au> wrote:
> On Tuesday, 12 December 2017 5:16:06 AM AEDT Xen.org security team wrote:
>>             Xen Security Advisory CVE-2017-15595 / XSA-240
>>                                version 6
>>
>>            Unlimited recursion in linear pagetable de-typing
>>
>> UPDATES IN VERSION 6
>> ====================
>>
>> Yet another new patch, addressing another issue similar to the one
>> addressed in v5.
>
> Is there any news / information on what to patch on this for releases that
> already have xsa240 included such as 4.9.1 and 4.7.4?

Yes, looking through the advisory after it was sent out, I think we
definitely should have provided instructions for downstreams for how
to actually use the patches.

As discussed previously, the entire series should look like:
1) Patch 0001 from the original advisory
2) Patches from XSA 243
3) The "checked into tree" version of xsa240/0002
4) Patch xsa240-*/0003
5) Patch xsa240-*/0004

In other words, you should be able to apply xsa240 patch 4 directly on
xsa240 patch 3.

Sorry again for the confusion.

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel