
Re: xen_4.1.6.1-1+deb7u2.dsc

On Fri, Jul 29, 2016 at 01:26:22PM +0200, Bastian Blank wrote:
> Hi Guido
> 
> On Fri, Jul 29, 2016 at 01:13:33PM +0200, Guido Günther wrote:
> > * the complete removal of tools/ioemu-qemu-xen - guess this was unused
> >   anyway for quite some time, right?
> 
> I have no idea and found not one reference to that folder.
> 
> > * there are some XSA related patches in debian/patches. Will these move
> >   into
> >       https://github.com/credativ/xen-lts/
> >   eventually?
> 
> I think I forgot to delete some.  The rest most likely won't as it is
> either qemu or libxl.
> 
> > If Brian has no objections feel free to upload. Please let me know once
> > done so I can then release the DLA (in case you don't want to handle it
> > yourself).
> 
> I have no idea how to do that yet.  So feel free.

Thanks for uploading! I've put out the DSA and marked XSA-166 as fixed
in the tracker (since it has no CVE assigned). The tracker lists these

CVE-2016-5403	virtio: unbounded memory allocation on host via guest leading to DoS
CVE-2016-5242	The p2m_teardown function in arch/arm/p2m.c in Xen 4.4.x through 4.6.x ...
CVE-2016-4963	The libxl device-handling in Xen through 4.6.x allows local guest OS ...
CVE-2016-4962	The libxl device-handling in Xen 4.6.x and earlier allows local OS ...

as affecting Wheezy. I've marked CVE-2016-5242 as not-affected since we
don't have ARM xen in wheezy. What about the other ones?

Cheers,
 -- Guido
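The triage question at the end of the mail (which of the tracker's entries actually apply to the wheezy package) has a mechanical first pass: compare the version range stated in each CVE description against the package's upstream version, and flag descriptions that name architecture-specific code. The script below is an added example, not code from the mail, from the Debian security tracker or from the xen package. Its input is the four tracker lines quoted above, copied here as a constructed string; the range extraction is a heuristic regex that assumes the wording "A through B", "through B" or "B and earlier"; and the ARM rule encodes the assumption stated in the mail that wheezy ships no ARM Xen.

```python
"""Triage helper: tracker-style CVE lines against one package version.

Added example, not part of the original mail, of the Debian security
tracker, or of the xen package.  Assumptions: version ranges in the
description are worded "A through B", "through B" or "B and earlier";
a description that names arch/arm/ code does not affect a package with
no ARM build (the reasoning given in the mail for CVE-2016-5242).
"""
import re

# Constructed input: the tracker listing quoted in the mail above.
TRACKER_LINES = """\
CVE-2016-5403\tvirtio: unbounded memory allocation on host via guest leading to DoS
CVE-2016-5242\tThe p2m_teardown function in arch/arm/p2m.c in Xen 4.4.x through 4.6.x ...
CVE-2016-4963\tThe libxl device-handling in Xen through 4.6.x allows local guest OS ...
CVE-2016-4962\tThe libxl device-handling in Xen 4.6.x and earlier allows local OS ...
"""

# Upstream part of the wheezy package version from the Subject (4.1.6.1-1+deb7u2).
WHEEZY_XEN = "4.1.6.1"

# "4.6.x" names a release series: the ".x" is dropped and the bound is
# compared as a prefix (see version_in_range).
_VER = r"(\d+(?:\.\d+)*)(?:\.x)?"
_RANGE_PATTERNS = (
    (re.compile(rf"\b{_VER} through {_VER}\b"), lambda m: (m.group(1), m.group(2))),
    (re.compile(rf"\bthrough {_VER}\b"), lambda m: (None, m.group(1))),
    (re.compile(rf"\b{_VER} and earlier\b"), lambda m: (None, m.group(1))),
)
_ARCH_PATH = re.compile(r"\barch/(arm|x86)/")


def version_tuple(v):
    """'4.1.6.1' -> (4, 1, 6, 1); dotted numeric upstream versions only."""
    return tuple(int(p) for p in v.split("."))


def extract_range(desc):
    """Return (low, high) bounds found in a CVE description, or None."""
    for pattern, bounds in _RANGE_PATTERNS:
        m = pattern.search(desc)
        if m:
            return bounds(m)
    return None


def version_in_range(version, bounds):
    """True if version lies in [low, high]; a bound derived from '4.6.x'
    covers the whole 4.6 series, so the candidate is cut to the bound's
    length before comparing."""
    cand = version_tuple(version)
    low, high = bounds
    if low is not None and cand[:len(version_tuple(low))] < version_tuple(low):
        return False
    return cand[:len(version_tuple(high))] <= version_tuple(high)


def triage(lines, version):
    """Map CVE id -> verdict string for the given upstream version.

    'not-affected' is only emitted for the ARM-only rule; a version that
    falls outside the stated range still needs the XSA checked, because
    CVE text often lists only the upstream-supported releases."""
    result = {}
    for line in lines.splitlines():
        if not line.strip():
            continue
        cve, desc = line.split(None, 1)
        bounds = extract_range(desc)
        arch = _ARCH_PATH.search(desc)
        if arch and arch.group(1) == "arm":
            # Assumption from the mail: no ARM Xen build in wheezy.
            result[cve] = "not-affected (arch/arm/ code only)"
        elif bounds is None:
            result[cve] = "check (no version range in description)"
        elif version_in_range(version, bounds):
            result[cve] = "check (version inside stated range)"
        else:
            result[cve] = "check XSA (version outside stated range)"
    return result


if __name__ == "__main__":
    for cve, verdict in triage(TRACKER_LINES, WHEEZY_XEN).items():
        print(f"{cve}\t{verdict}")
```

Run against the quoted listing it reproduces the mail's own conclusion for CVE-2016-5242 and leaves the other three as items to check by hand: the qemu virtio entry carries no Xen version range at all, and the two libxl entries ("through 4.6.x", "4.6.x and earlier") include 4.1 by wording, which says nothing about whether the affected libxl code exists in the 4.1 tree.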
