Bug#1036475: unblock: xen/4.17.1+2-gb773c48e36-1

To: Maximilian Engelhardt <maxi@daemonizer.de>, 1036475@bugs.debian.org
Subject: Bug#1036475: unblock: xen/4.17.1+2-gb773c48e36-1
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 23 May 2023 21:43:36 +0200
Message-id: <[🔎] ZG0XaPajf5hEyvNZ@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1036475@bugs.debian.org
In-reply-to: <[🔎] 1854042.tdWV9SEqCh@eisbaer>
References: <[🔎] 1854042.tdWV9SEqCh@eisbaer> <[🔎] 1854042.tdWV9SEqCh@eisbaer>

Dear release team,

On Sun, May 21, 2023 at 10:02:25PM +0200, Maximilian Engelhardt wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock 
> X-Debbugs-Cc: xen@packages.debian.org, team@security.debian.org, maxi@daemonizer.de
> Control: affects -1 + src:xen
> 
> Please unblock package xen.
> 
> [ Reason ]
> Xen in bookworm is currently affected by CVE-2022-42335 and
> CVE-2022-42336 (see #1034842 and #1036298).
> 
> [ Impact ]
> The above mentioned CVEs are not fixed in bookworm.
> 
> [ Tests ]
> The Debian package is based only on upstream commits that have passed
> the upstream automated tests.
> The Debian package has been successfully tested by the xen packaging
> team on their test machines.
> 
> [ Risks ]
> There could be upstream changes unrelated to the above mentioned
> security fixes that cause regressions. However upstream has an automated
> testing machinery (osstest) that only allows a commit in the upstream
> stable branch if all test pass.
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> [ Other info ]
> This security fix is based on the latest upstream stable-4.17 branch.
> The branch in general only accepts bug fixes and does not allow new
> features, so the changes there are mainly security and other bug fixes.
> This does not strictly follow the "only targeted fixes" release policy,
> but, as explained below, we believe it is still appropriate for an
> unblock request.
> The package we have uploaded to unstable is exactly what we would have
> done as a security update in a stable release, what we have historically
> done together with the security team and are planning to continue to do.
> As upstream does extensive automated testing on their stable branches
> chances for unnoticed regressions are low. We believe this way the risk
> for bugs is lower than trying to manually pick and adjust patches
> without all the deep knowledge that upstream has. This approach is
> similar to what the linux package is doing.

I can confirm that this is indeed the strategy for src:xen we would
follow, like for bullseye already, as well in bookworm.

Regards,
Salvatore

Reply to:

References:
- Bug#1036475: unblock: xen/4.17.1+2-gb773c48e36-1
  - From: Maximilian Engelhardt <maxi@daemonizer.de>

Prev by Date: Bug#1035522: debian-security-support 11+2023.05.04 flagged for acceptance
Next by Date: Bug#1036548: marked as done (unblock: cups-filters/1.28.17-3)
Previous by thread: Processed: unblock: xen/4.17.1+2-gb773c48e36-1
Next by thread: Bug#1036475: marked as done (unblock: xen/4.17.1+2-gb773c48e36-1)
Index(es):
- Date
- Thread