Bug#1036475: unblock: xen/4.17.1+2-gb773c48e36-1
Dear release team,
On Sun, May 21, 2023 at 10:02:25PM +0200, Maximilian Engelhardt wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: xen@packages.debian.org, team@security.debian.org, maxi@daemonizer.de
> Control: affects -1 + src:xen
>
> Please unblock package xen.
>
> [ Reason ]
> Xen in bookworm is currently affected by CVE-2022-42335 and
> CVE-2022-42336 (see #1034842 and #1036298).
>
> [ Impact ]
> The above-mentioned CVEs are not fixed in bookworm.
>
> [ Tests ]
> The Debian package is based only on upstream commits that have passed
> the upstream automated tests.
> The Debian package has been successfully tested by the xen packaging
> team on their test machines.
>
> [ Risks ]
> There could be upstream changes unrelated to the above-mentioned
> security fixes that cause regressions. However, upstream has an automated
> testing machinery (osstest) that only allows a commit into the upstream
> stable branch if all tests pass.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
> This security fix is based on the latest upstream stable-4.17 branch.
> The branch in general only accepts bug fixes and does not allow new
> features, so the changes there are mainly security and other bug fixes.
> This does not strictly follow the "only targeted fixes" release policy,
> but, as explained below, we believe it is still appropriate for an
> unblock request.
> The package we have uploaded to unstable is exactly what we would have
> done as a security update in a stable release, which we have historically
> done together with the security team and are planning to continue to do.
> As upstream does extensive automated testing on their stable branches,
> chances for unnoticed regressions are low. We believe this way the risk
> of bugs is lower than trying to manually pick and adjust patches
> without all the deep knowledge that upstream has. This approach is
> similar to what the linux package is doing.
I can confirm that this is indeed the strategy for src:xen we would
follow in bookworm as well, as we already do for bullseye.
Regards,
Salvatore