
Re: working for wheezy-security until wheezy-lts starts



Hi Brian,
On Sun, Mar 13, 2016 at 11:13:31AM +1100, Brian May wrote:
> Moritz Mühlenhoff <jmm@inutil.org> writes:
> 
> > 1. We're already one wheezy update behind for xen (since some of
> > the changes were invasive and complex). It would be great if
> > someone from the Freexian sponsor pool would work on a wheezy
> > update for Xen. It's probably a solid day of work, though, but
> > it will also clarify whether it's feasible to continue to support
> > Xen in Wheezy LTS (while 4.1 has been EOLed by upstream for
> > quite a while now).
> 
> So what needs to happen here? Not sure what is meant by "We're already
> one wheezy update behind for xen".
> 
> I see wheezy has version 4.1.4-3+deb7u8 - do we need to attempt to
> update this to version 4.1.6.1 - the latest 4.1.* version?

Looking at

    http://metadata.ftp-master.debian.org/changelogs/main/x/xen/xen_4.1.4-3+deb7u9_changelog

and the source package, the current practice is to pull in the individual patches.

> 
> If so I imagine this would require:
> 
> - identifying which CVEs are fixed in 4.1.6.1
> - updating xen package
> - updating the kernel packages (if this is required??? Not sure if the
>   kernel code is considered part of the xen release or not anymore)

The hypervisor (dom0) is built from Xen sources:

    https://packages.debian.org/wheezy/xen-hypervisor-4.1-i386

while the PV guests use the "regular" linux kernel

    https://packages.debian.org/wheezy/xen-linux-system-3.2.0-4-amd64

so I read this as meaning the Linux kernel only needs to be updated if guest parts
are affected.

> and/or do we attempt to backport the security patches from some newer
> release?
> 
> I also note that there are a large number of unfixed vulnerabilities for
> all versions including sid.
> 
> https://security-tracker.debian.org/tracker/source-package/xen

Sid has Xen 4.6 and, looking at the CVEs that affect sid, the patches
don't seem to be applied, so the tracker looks correct; there's plenty of
work left.

Are you going to look at the Wheezy packages?

I wonder if somebody can give some hints on how current Xen updates are
being tested, since running Xen in KVM works in some KVM/Xen
combinations but not others (and doesn't allow for HVM testing). Do we
have a test suite? If not, I'd set out to build one if we want to
support this in LTS.

Cheers,
 -- Guido

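The thread above turns on working out which CVEs each wheezy upload has already covered when fixes are pulled in as individual patches, and how much of the tracker's list is still open. As an added example that is not part of the original thread and not Debian or Xen tooling, the script below parses text in the debian/changelog format, lists the CVE ids each upload mentions, records the oldest upload that first mentioned each id, and subtracts all of them from a list of ids a tracker still reports as open. The changelog text, the version strings and the CVE ids in it are constructed placeholders, not real uploads or vulnerabilities.

```python
"""List the CVE ids mentioned by each upload in a Debian changelog and compare
them with the ids a tracker still reports as open.

Added example; not code from the mailing list, from Debian or from Xen.
"""
import re
from collections import OrderedDict

# Stanza header: "package (version) distribution; urgency=level"
STANZA_RE = re.compile(
    r"^(?P<pkg>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+); urgency=\S+")
# CVE identifiers as they appear in changelog entries
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_changelog(text):
    """Return an OrderedDict of version -> sorted CVE ids mentioned in that
    stanza, in changelog order (newest upload first)."""
    versions = OrderedDict()
    current = None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = m.group("version")
            versions[current] = set()
            continue
        if current is not None:
            versions[current].update(CVE_RE.findall(line))
    return OrderedDict((v, sorted(c)) for v, c in versions.items())


def first_fixed_in(versions):
    """Map each CVE id to the oldest upload whose entry mentions it.
    The changelog is newest-first, so walk it in reverse."""
    fixed = {}
    for version, cves in reversed(list(versions.items())):
        for cve in cves:
            fixed.setdefault(cve, version)
    return fixed


def remaining(versions, tracker_open):
    """CVE ids the tracker lists as open that no upload mentions yet."""
    mentioned = set()
    for cves in versions.values():
        mentioned.update(cves)
    return sorted(set(tracker_open) - mentioned)


# Constructed sample: placeholder versions, dates and CVE ids, not real uploads.
SAMPLE_CHANGELOG = """\
xen (4.1.4-3+deb7u99) wheezy-security; urgency=high

  * Backport individual upstream patches:
    - CVE-0000-0003: placeholder description (completes earlier fix)
    - CVE-0000-0004: placeholder description

 -- Example Maintainer <maintainer@example.org>  Mon, 14 Mar 2016 10:00:00 +0100

xen (4.1.4-3+deb7u98) wheezy-security; urgency=high

  * CVE-0000-0001, CVE-0000-0002: placeholder descriptions
  * CVE-0000-0003: placeholder description (first, partial fix)

 -- Example Maintainer <maintainer@example.org>  Mon, 01 Feb 2016 10:00:00 +0100
"""

# Constructed placeholder list standing in for what a tracker reports as open.
TRACKER_OPEN = ["CVE-0000-0004", "CVE-0000-0005", "CVE-0000-0006"]


if __name__ == "__main__":
    per_upload = parse_changelog(SAMPLE_CHANGELOG)
    for version, cves in per_upload.items():
        print(version, ", ".join(cves) or "(no CVE ids)")
    for cve, version in sorted(first_fixed_in(per_upload).items()):
        print("%s first mentioned in %s" % (cve, version))
    print("still open:", ", ".join(remaining(per_upload, TRACKER_OPEN)))
```

The "first mentioned" view is the useful one when a CVE needed more than one upload, as the sample shows for the third placeholder id: the tracker entry should point at the upload that completed the fix, which is a manual judgement the script only helps surface.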
