Control: retitle -1 unblock: xen/4.17.0+74-g3eac216e6e-1

On Sunday, 2 April 2023 21:51:11 CEST Sebastian Ramacher wrote:
> On 2023-03-29 23:27:11 +0200, Maximilian Engelhardt wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian.org@packages.debian.org
> > Usertags: unblock
> > X-Debbugs-Cc: xen@packages.debian.org, maxi@daemonizer.de,
> > team@security.debian.org
> > Control: affects -1 + src:xen
> >
> > Please approve an upload of xen to unstable and later unblock package
> > xen. See the "Other info" section below on why this is a pre-approval
> > request.
>
> Please go ahead
>
> Cheers

Thanks, xen/4.17.0+74-g3eac216e6e-1 has been uploaded to unstable and already
built on all architectures.

> > [ Reason ]
> > Xen in bookworm (and unstable) is currently affected by CVE-2022-42331,
> > CVE-2022-42332, CVE-2022-42333 and CVE-2022-42334 (see #1033297).
> >
> > [ Impact ]
> > The above mentioned CVEs are not fixed.
> >
> > [ Tests ]
> > The Debian package is based only on upstream commits that have passed
> > the upstream automated tests.
> > The Debian package has been successfully tested by the xen packaging
> > team on their test machines.
> >
> > [ Risks ]
> > There could be upstream changes unrelated to the above mentioned
> > security fixes that cause regressions. However upstream has an automated
> > testing machinery (osstest) that only allows a commit in the upstream
> > stable branch if all tests pass.
> >
> > [ Checklist ]
> >
> > [x] all changes are documented in the d/changelog
> > [x] I reviewed all changes and I approve them
> > [x] attach debdiff against the package in testing
> >
> > [ Other info ]
> > This security fix is based on the latest upstream stable-4.17 branch.
> > The branch in general only accepts bug fixes and does not allow new
> > features, so the changes there are mainly security and other bug fixes.
> > This does not exactly follow the "only targeted fixes" release policy,
> > so we are asking for a pre-approval.
> > The package we have prepared is exactly what we would have done as a
> > security update in a stable release, what we have historically done
> > together with the security team and are planning to continue to do.
> > As upstream does extensive automated testing on their stable branches
> > chances for unnoticed regressions are low. We believe this way the risk
> > for bugs is lower than trying to manually pick and adjust patches
> > without all the deep knowledge that upstream has. This approach is
> > similar to what the linux package is doing.
> >
> > unblock xen/4.17.0+74-g3eac216e6e-1
> >
> > Thanks