[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Xen security updates on Wheezy

Antoine Beaupré <anarcat@orangeseeds.org> writes:

> They seem to hold, although I have yet to test them in production. One
> thing I noticed is that they don't seem to fix CVE-2015-8104 and
> CVE-2015-5307, ie. that the patches you posted in
> <[🔎] 87d1qvvzhi.fsf@prune.linuxpenguins.xyz> were not factored into the
> package. That would seem to be important (and maybe we could push those
> back towards the Ubuntu folks as well).

That is correct, I had two patches previously that I did not incooporate

-rw------- 1 brian brian 5277 Mar 26 16:26 CVE-2015-2752.diff
-rw------- 1 brian brian 4666 Mar 26 16:26 CVE-2015-8104+CVE-2015-5307.patch

I believe CVE-2015-2752.diff is already patched in the Ubuntu version,
so we don't need to worry it.

Curiously the Ubuntu version declares it has fixed CVE-2015-5307 but not
CVE-2015-8104 - so it is possible this means the above patch will not
apply cleanly.

Then there are just these three CVEs unaccounted for (and possibly don't

            - CVE-2014-5146 (marked No DSA)
            - CVE-2014-5149 (marked No DSA)
            - CVE-2014-8341 (marked No DSA)

> Brian: should I go ahead and build that myself or do you want to
> followup on Xen yourself?

I won't be able to look again at this until next week. So sure, go

If you haven't looked at it by then, I will have a look again.
Brian May <bam@debian.org>

Reply to: