
Re: Xen 4.4 updates - request for feedback



On 24.10.18 at 17:24, Antoine Beaupré wrote:
> On 2018-10-23 14:03:37, Peter Dreuw wrote:
>> Hello, everyone, 
>>
>> I prepared another set of fixes based on the current Xen package on jessie-security (4.4.4lts2-0+deb8u1, DLA-1549).
>>
>> These fixes include 
>>
>> CVE-2017-15595 / xsa 240 
>> CVE-2017-15593 / xsa 242 
>> CVE-2017-15592 / xsa 243 
>> CVE-2017-16693 / xsa 244 
>> CVE-2017-17044 / xsa 246 
>> CVE-2017-17045 / xsa 247 
>> CVE-2018-10472 / xsa 258 
>> CVE-2018-10981 / xsa 262
>>
>> The testing packages are available here: 
>>
>> https://share.credativ.com/~pdr/xen-test/ 
> I'll be reviewing those diffs shortly, thanks!
Thank you very much.
>> These testing packages are auto generated by our new build system, so the package name is somewhat cryptic as it reflects the date and time of build as well as parts of the git hash it is based on. 
>>
>> You can find the repository here: https://github.com/credativ/xen-lts 
>>
>> dpkg might tell you about a potential downgrade, but you can ignore this for testing purposes safely. I expect them to be working but I would appreciate some feedback on this version before passing them to the public repository. 
> Did you do any kind of smoke testing or is that something that could be
> useful per se?
>
> I always find it tricky to test Xen packages because, well... In what
> environment do you test it? Qemu? Xen? Virtualbox? :)

I am testing the x86 packages on real hardware and VirtualBox. But of
course, my hardware spectrum available for this is not too broad. In
general, I make sure that my packages work for me before I would
release them in any way ;)  I have been working on integration of Xen
fixes into old versions for a while now. I already did this on the Xen
4.1 in Wheezy, fyi.

The arm packages - which are currently not included in my request for
feedback - are tested on Qemu only. But the arm-only bugs/fixes are
mostly easy to do as the upstream patches apply and upstream does a
great amount of testing. So I consider the work already done not harmful
to the arm systems right now - at least if the x86 tests don't fail ;)

>> I will head on to the next issues to fix. 
> I'm curious: what is your take on XSA-254 and the Meltdown/Spectre
> issues in Xen? Are those fixable?

I am not sure if this can be done with Xen 4.4 - at least not to a level
of a 100% solution. Looking into the upstream code for e.g. 4.6 there
are many changes that would need to be considered. I am thinking of
this, currently, yes. The same goes for

XSA 263 / CVE-2018-3639
XSA 267 / CVE-2018-3665
XSA 273 / CVE-2018-3620, CVE-2018-3646

The upstream fixes for these XSAs rely on the XSA 254 work already done.
So getting xsa 263/267/273 fixed would need to adapt much of the work
done for xsa 254.

> Should we consider encouraging people to switch to other virtualization
> solutions in LTS/jessie considering the difficulty of mitigation in Xen
> environments?
>
> Thanks,
>
> A.

Hum, this looks like a need for a political answer ;) I honestly don't
know if the difficulty level of mitigation in other old virtualization
solutions is really lower.

An alternative might be offering a version of a more recent Xen package.
AFAIK there is a Xen 4.9 package in Jessie backports already, but this
is not too fresh, I think. I know, LTS users might not like the idea of
shifting to new versions, but the Spectre/Meltdown issue is a class of
its own when it comes to solutions.


Cheers

Peter


-- 
Peter Dreuw
Team Leader
Tel.:  +49 2166 9901-155
Fax:   +49 2166 9901-100
E-Mail: Peter.Dreuw@credativ.de

gpg fingerprint: 33B0 82D3 D103 B594 E7D3  53C7 FBB6 3BD0 DB32 ED41
http://www.credativ.de/


credativ GmbH, Commercial Register (HRB) Mönchengladbach 12080
VAT ID: DE204566209
Trompeterallee 108, 41189 Mönchengladbach
Managing Directors: Dr. Michael Meskes, Jörg Folz, Sascha Heuer

Our handling of personal data is subject to
the following provisions: https://www.credativ.de/datenschutz
