
Re: Xen 4.4 updates - request for feedback



On 2018-10-23 14:03:37, Peter Dreuw wrote:
> Hello, everyone, 
>
> I prepared another set of fixes based on the current Xen package on jessie-security (4.4.4lts2-0+deb8u1, DLA-1549).
>
> These fixes include 
>
> CVE-2017-15595 / xsa 240 
> CVE-2017-15593 / xsa 242 
> CVE-2017-15592 / xsa 243 
> CVE-2017-16693 / xsa 244 
> CVE-2017-17044 / xsa 246 
> CVE-2017-17045 / xsa 247 
> CVE-2018-10472 / xsa 258 
> CVE-2018-10981 / xsa 262
>
> The testing packages are available here: 
>
> https://share.credativ.com/~pdr/xen-test/ 

I'll be reviewing those diffs shortly, thanks!

> These testing packages are auto generated by our new build system, so the package name is somewhat cryptic as it reflects the date and time of build as well as parts of the git hash it is based on. 
>
> You can find the repository here: https://github.com/credativ/xen-lts 
>
> dpkg might tell you about a potential downgrade, but you can ignore this for testing purposes safely. I expect them to be working but I would appreciate some feedback on this version before passing them to the public repository. 

Did you do any kind of smoke testing or is that something that could be
useful per se?

I always find it tricky to test Xen packages because, well... In what
environment do you test it? Qemu? Xen? Virtualbox? :)

> I will head on to the next issues to fix. 

I'm curious: what is your take on XSA-254 and the Meltdown/Spectre
issues in Xen? Are those fixable?

Should we consider encouraging people to switch to other virtualization
solutions in LTS/jessie considering the difficulty of mitigation in Xen
environments?

Thanks,

A.

-- 
The idea that Bill Gates has appeared like a knight in shining armour to
lead all customers out of a mire of technological chaos neatly ignores
the fact that it was he who, by peddling second-rate technology, led
them into it in the first place. - Douglas Adams (1952-2001)

