Bug 379241 (CVE-2011-3131) - <app-emulation/xen-3.4.2-r3: IOMMU fault DoS (CVE-2011-3131)
Summary: <app-emulation/xen-3.4.2-r3: IOMMU fault DoS (CVE-2011-3131)
Status: RESOLVED FIXED
Alias: CVE-2011-3131
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://xenbits.xen.org/hg/staging/xen...
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 383977 384361
Blocks:
Reported: 2011-08-15 10:19 UTC by Agostino Sarubbo
Modified: 2011-10-08 21:22 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2011-08-15 10:19:36 UTC
Original advisory: http://lists.xensource.com/archives/html/xen-devel/2011-06/msg01106.html

Patch at $URL
Comment 1 Alexey Shvetsov archtester gentoo-dev 2011-09-18 12:15:07 UTC
Fixed in cvs
Comment 2 Alexey Shvetsov archtester gentoo-dev 2011-09-18 12:16:16 UTC
It's fixed in xen-4.1.1-r2
Comment 3 Agostino Sarubbo gentoo-dev 2011-09-18 12:48:23 UTC
Thanks Alexey.

The vulnerability _seems_ to affect only the 4.x version, so in tree the stable version is 3.x

Do you want to stabilize 4.1.1-r2 as well?
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-09-18 12:59:31 UTC
(In reply to comment #3)
> Thanks Alexey.
> 
> The vulnerability _seems_ to affect only the 4.x version, so in tree the stable
> version is 3.x
> 

Based on what?
Reading the 3.x code, it very much looks affected to me.
Also, SUSE has issued an update for this issue in xen-3:
http://support.novell.com/security/cve/CVE-2011-3131.html

> Do you want to stabilize 4.1.1-r2 as well?

We're not going to do a major version bump for fixing a security issue.
We'll either need proof that this issue does not affect xen-3 (which I doubt), or a revbumped xen-3 package.
Comment 5 Agostino Sarubbo gentoo-dev 2011-09-18 13:06:10 UTC
(In reply to comment #4)
> Based on what?

The Secunia advisory says so, but I haven't checked manually, which is the reason I said "_seems_".
Comment 6 Ian Delaney (RETIRED) gentoo-dev 2011-09-20 07:26:39 UTC
Sorted with substantial co-operation from a number of the faithful.
Fixes for xen-3 and xen-4 are done, the former not yet in the tree.
Watch this space...
Comment 7 Ian Delaney (RETIRED) gentoo-dev 2011-09-20 15:31:15 UTC
The fixes are in the tree
Comment 8 Ian Delaney (RETIRED) gentoo-dev 2011-09-21 08:20:04 UTC
Arches, please test & mark stable;

app-emulation/xen-4.1.1-r2,
app-emulation/xen-tools-4.1.1-r5,
app-emulation/xen-pvgrub-4.1.1-r1

target keywords "AMD64 X86".
Comment 9 Agostino Sarubbo gentoo-dev 2011-09-21 09:29:10 UTC
(In reply to comment #8)
> Arches, please test & mark stable;
> 
> app-emulation/xen-4.1.1-r2,
> app-emulation/xen-tools-4.1.1-r5,
> app-emulation/xen-pvgrub-4.1.1-r1
> 
> target keywords "AMD64 X86".

We will wait for fixed version of xen-3
Comment 10 Ian Delaney (RETIRED) gentoo-dev 2011-09-21 17:24:56 UTC
fixed version of xen-3 is in the tree
Comment 11 Ian Delaney (RETIRED) gentoo-dev 2011-09-21 18:22:05 UTC
Arches, please test & mark stable; update to xen-3 ONLY (exclude xen-4)

app-emulation/xen-3.4.2-r2,
app-emulation/xen-tools-3.4.2-r1
Comment 12 Ian Delaney (RETIRED) gentoo-dev 2011-09-21 21:41:55 UTC
Re-patched the patch for the 1st step, xen-tools. Needed two adjustments.
Have re-tested.
archtester xen-tools # ebuild xen-tools-3.4.2-r1.ebuild compile
.......................................................
archtester xen-tools # >>> Source compiled.
Please re-try
Comment 13 Ian Delaney (RETIRED) gentoo-dev 2011-09-22 08:34:10 UTC
It appears that xen-tools has an issue with the recently stabilized gcc-4.5.3-r1.
Comment 14 Ian Delaney (RETIRED) gentoo-dev 2011-09-23 14:47:45 UTC
33977 fixed;

app-emulation/xen-3.4.2-r2,
app-emulation/xen-tools-3.4.2-r2
Comment 15 Tony Vroon (RETIRED) gentoo-dev 2011-09-24 20:55:20 UTC
Arches please target:
app-emulation/xen-3.4.2-r2
app-emulation/xen-tools-3.4.2-r3
Comment 16 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-09-25 02:49:02 UTC
(In reply to comment #15)
> Arches please target:
> app-emulation/xen-3.4.2-r2
> app-emulation/xen-tools-3.4.2-r3

More recent versions have been stabilized in bug #360621 . How do we proceed?
Comment 17 Tony Vroon (RETIRED) gentoo-dev 2011-09-25 09:32:06 UTC
(In reply to comment #16)
> More recent versions have been stabilized in bug #360621 . How do we proceed?

Stabilise the requested versions in addition to the 4.x versions, then remove yourself from CC.
Comment 18 Tony Vroon (RETIRED) gentoo-dev 2011-09-25 11:41:37 UTC
Arches please target:
app-emulation/xen-3.4.2-r3
app-emulation/xen-tools-3.4.2-r3
Comment 19 Agostino Sarubbo gentoo-dev 2011-09-25 13:07:20 UTC
Sorry @all for the extra mailspam.

I'd recommend removing /.config before tests =)


amd64 ok, the other issues are not blockers.
Comment 20 Ian Delaney (RETIRED) gentoo-dev 2011-09-25 13:32:18 UTC
OK, on syncing to current tree versions:

archtester ~ # ls -ld /.config/
ls: cannot access /.config/: No such file or directory

emerge =app-emulation/xen-tools-3.4.2-r3
>>> Emerging (1 of 1) app-emulation/xen-tools-3.4.2-r3
>>> Installing (1 of 1) app-emulation/xen-tools-3.4.2-r3

archtester ~ # emerge =app-emulation/xen-3.4.2-r3
>>> Emerging (3 of 3) app-emulation/xen-3.4.2-r3
>>> Installing (3 of 3) app-emulation/xen-3.4.2-r3
Comment 21 Tony Vroon (RETIRED) gentoo-dev 2011-09-25 13:41:16 UTC
+  25 Sep 2011; Tony Vroon <chainsaw@gentoo.org> xen-3.4.2-r3.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #379241.

+  25 Sep 2011; Tony Vroon <chainsaw@gentoo.org> xen-tools-3.4.2-r3.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #379241.

X86 please proceed; the -r3s are GCC 4.5/4.6 capable.
Comment 22 Thomas Kahle (RETIRED) gentoo-dev 2011-09-29 14:20:04 UTC
(In reply to comment #21)
> X86 please proceed; the -r3s are GCC 4.5/4.6 capable.

x86 stable, BUT:

xen-tools-3.4.2-r3 has a missing dependency with USE="doc":
[...]
(/usr/share/texmf-dist/tex/latex/base/ifthen.sty)

! LaTeX Error: File `xcolor.sty' not found.

Type X to quit or <RETURN> to proceed,
or enter new name. (Default extension: sty)

Enter file name: 
! Emergency stop.
<read *> 
         
l.10 \usepackage
                {textcomp}^^M
!  ==> Fatal error occurred, no output PDF file produced!
Comment 23 Agostino Sarubbo gentoo-dev 2011-09-29 14:26:17 UTC
(In reply to comment #22)
> x86 stable, BUT:
> 
> xen-tools-3.4.2-r3 has a missing dependency with USE="doc":

It was already filed and is not a regression, thanks anyway ;)


@security,

Please proceed with glsa voting.
Comment 24 Tim Sammut (RETIRED) gentoo-dev 2011-09-29 18:49:33 UTC
Thanks, folks. GLSA Vote: yes.
Comment 25 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:16:47 UTC
Vote: NO.
Comment 26 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-08 21:22:26 UTC
GLSA vote: NO. Closing noglsa.