Summary: | <app-emulation/xen-4.9.1-r1: Multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | hydrapolic, xen |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://xenbits.xen.org/xsa/ | ||
Whiteboard: | B1 [glsa+ cve] | ||
Package list: | app-emulation/xen-4.9.1-r1, app-emulation/xen-pvgrub-4.9.1, app-emulation/xen-tools-4.9.1-r1 | ||
Runtime testing required: | --- |
Description
GLSAMaker/CVETool Bot
2017-12-18 13:49:06 UTC
@Maintainers please confirm if we are affected by those CVEs. Thank you.

This is fixed at app-emulation/xen-4.9.1-r1
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bfd1dc774e87e20ccd6f77a4847ec7126501e43

Upstream's x86 doesn't mean Gentoo's x86.

@ Maintainer(s): Looks like we need to move to 4.9.x (XSA-248... also affects 4.8.x). Can you confirm that we will move to 4.9.x? Is =app-emulation/xen-4.9.1-r1 ready for stabilization and will we cleanup <app-emulation/xen-4.9.1-r1 after that?

(In reply to Thomas Deutschmann from comment #4)
> @ Maintainer(s): Looks like we need to move to 4.9.x (XSA-248... also
> affects 4.8.x). Can you confirm that we will move to 4.9.x? Is
> =app-emulation/xen-4.9.1-r1 ready for stabilization and will we cleanup
> <app-emulation/xen-4.9.1-r1 after that?

Yes, Yixun plans to do so, but I think he wanted to get Xen 4.10 into portage first for testing. Given that we have multiple unsolved CVEs, I suppose we can call stabilization and add 4.10 later on. Xen 4.9.1-r1 looks fine, fixes some issues with ovmf and seems to work nice for us in production.

Yes, let's move forward to 4.9 (since we haven't done the security bump for these versions <4.9)

Arches, please test and mark stable:
=app-emulation/xen-4.9.1-r1
Target keyword only: "amd64"

=app-emulation/xen-pvgrub-4.9.1
=app-emulation/xen-tools-4.9.1-r1
Target keywords: "amd64 x86"

amd64 stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa801eb3217e4bd5d2bd1799e29c6e61a9d8e802

commit fa801eb3217e4bd5d2bd1799e29c6e61a9d8e802
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-01-14 16:22:27 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-01-14 16:23:04 +0000

    app-emulation/xen-tools: x86 stable

    Bug: https://bugs.gentoo.org/641566
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 app-emulation/xen-tools/xen-tools-4.9.1-r1.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Added to an existing GLSA.

@ Maintainer(s): Please cleanup and drop <app-emulation/xen-4.9.1-r1 and <app-emulation/xen-tools-4.9.1-r1!

This issue was resolved and addressed in GLSA 201801-14 at https://security.gentoo.org/glsa/201801-14 by GLSA coordinator Thomas Deutschmann (whissi).

Re-opening for cleanup.

(In reply to Yixun Lan from comment #6)
> Yes, let's move forward to 4.9 (since we haven't done the security bump for
> these versions <4.9)
>
>
> Arches, please test and mark stable:
> =app-emulation/xen-4.9.1-r1
> Target keyword only: "amd64"
>
> =app-emulation/xen-pvgrub-4.9.1
> =app-emulation/xen-tools-4.9.1-r1
> Target keywords: "amd64 x86"

Seems like we missed xen-pvgrub in the package list so it's not stabilized yet.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bbd16795cbb370d7e003baa88ba6020a9898c176

commit bbd16795cbb370d7e003baa88ba6020a9898c176
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-09 00:02:35 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-09 00:02:51 +0000

    app-emulation/xen-tools: drop vulnerable

    Bug: https://bugs.gentoo.org/641566
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 app-emulation/xen-tools/Manifest | 6 -
 app-emulation/xen-tools/xen-tools-4.8.2-r3.ebuild | 459 ---------------------
 app-emulation/xen-tools/xen-tools-4.9.0.ebuild | 462 ----------------------
 app-emulation/xen-tools/xen-tools-4.9.1.ebuild | 454 ---------------------
 4 files changed, 1381 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=835e2f7cc9c59688ae198f0a72787aaecc061766

commit 835e2f7cc9c59688ae198f0a72787aaecc061766
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-09 00:01:13 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-09 00:02:50 +0000

    app-emulation/xen-pvgrub: drop vulnerable

    Bug: https://bugs.gentoo.org/641566
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 app-emulation/xen-pvgrub/Manifest | 2 -
 .../xen-pvgrub/xen-pvgrub-4.8.2-r1.ebuild | 161 ---------------------
 app-emulation/xen-pvgrub/xen-pvgrub-4.9.0.ebuild | 161 ---------------------
 3 files changed, 324 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66e8f9ccac5941492b947ceb5dc67a88121b4633

commit 66e8f9ccac5941492b947ceb5dc67a88121b4633
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-09 00:00:26 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-09 00:02:49 +0000

    app-emulation/xen: drop vulnerable

    Bug: https://bugs.gentoo.org/641566
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 app-emulation/xen/Manifest | 6 --
 app-emulation/xen/xen-4.8.2-r2.ebuild | 184 ----------------------------------
 app-emulation/xen/xen-4.8.2-r3.ebuild | 175 --------------------------------
 app-emulation/xen/xen-4.9.0.ebuild | 183 ---------------------------------
 app-emulation/xen/xen-4.9.1.ebuild | 171 -------------------------------
 5 files changed, 719 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=62d619a49aa43d36639b3457a95f5a4c56c3fb71

commit 62d619a49aa43d36639b3457a95f5a4c56c3fb71
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-08 23:58:51 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-09 00:02:47 +0000

    app-emulation/xen-pvgrub: amd64 stable

    Bug: https://bugs.gentoo.org/641566
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 app-emulation/xen-pvgrub/xen-pvgrub-4.9.1.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)