
Re: Xen security updates on Wheezy



Antoine Beaupré <anarcat@orangeseeds.org> writes:

> They seem to hold, although I have yet to test them in production. One
> thing I noticed is that they don't seem to fix CVE-2015-8104 and
> CVE-2015-5307, i.e. that the patches you posted in
> <87d1qvvzhi.fsf@prune.linuxpenguins.xyz> were not factored into the
> package. That would seem to be important (and maybe we could push those
> back towards the Ubuntu folks as well).

That is correct, I had two patches previously that I did not incorporate
yet:

-rw------- 1 brian brian 5277 Mar 26 16:26 CVE-2015-2752.diff
-rw------- 1 brian brian 4666 Mar 26 16:26 CVE-2015-8104+CVE-2015-5307.patch

I believe CVE-2015-2752.diff is already patched in the Ubuntu version,
so we don't need to worry about it.

Curiously the Ubuntu version declares it has fixed CVE-2015-5307 but not
CVE-2015-8104 - so it is possible this means the above patch will not
apply cleanly.

Then there are just these three CVEs unaccounted for (and possibly don't
matter):

            - CVE-2014-5146 (marked No DSA)
            - CVE-2014-5149 (marked No DSA)
            - CVE-2014-8341 (marked No DSA)

> Brian: should I go ahead and build that myself or do you want to
> followup on Xen yourself?

I won't be able to look again at this until next week. So sure, go
ahead.

If you haven't looked at it by then, I will have a look again.
-- 
Brian May <bam@debian.org>

