Re: Xen security updates on Wheezy
Antoine Beaupré <firstname.lastname@example.org> writes:
> They seem to hold, although I have yet to test them in production. One
> thing I noticed is that they don't seem to fix CVE-2015-8104 and
> CVE-2015-5307, ie. that the patches you posted in
> <[🔎] email@example.com> were not factored into the
> package. That would seem to be important (and maybe we could push those
> back towards the Ubuntu folks as well).
That is correct, I had two patches previously that I did not incooporate
-rw------- 1 brian brian 5277 Mar 26 16:26 CVE-2015-2752.diff
-rw------- 1 brian brian 4666 Mar 26 16:26 CVE-2015-8104+CVE-2015-5307.patch
I believe CVE-2015-2752.diff is already patched in the Ubuntu version,
so we don't need to worry it.
Curiously the Ubuntu version declares it has fixed CVE-2015-5307 but not
CVE-2015-8104 - so it is possible this means the above patch will not
Then there are just these three CVEs unaccounted for (and possibly don't
- CVE-2014-5146 (marked No DSA)
- CVE-2014-5149 (marked No DSA)
- CVE-2014-8341 (marked No DSA)
> Brian: should I go ahead and build that myself or do you want to
> followup on Xen yourself?
I won't be able to look again at this until next week. So sure, go
If you haven't looked at it by then, I will have a look again.
Brian May <firstname.lastname@example.org>