Summary: | <app-emulation/xen-{4.12.2-r2,4.13.0-r3}: Multiple vulnerabilities (CVE-2020-{11739,11740,11741,11742,11743}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | hydrapolic, proxy-maint, whissi, xen |
Priority: | Normal | Keywords: | PullRequest |
Version: | unspecified | Flags: | nattka: sanity-check+ |
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=717698 https://bugs.gentoo.org/show_bug.cgi?id=717700 https://github.com/gentoo/gentoo/pull/15554 | ||
Whiteboard: | B1 [glsa+ cve] | ||
Package list: | app-emulation/xen-4.12.2-r2 amd64 | ||
Runtime testing required: | --- |
Description
Sam James
(In reply to Sam James (sec padawan) from comment #0)
> 4)
> This is CVE-2020-11742.

---

@maintainer(s), please create an appropriate ebuild with upstream's patches.

[PR: https://github.com/gentoo/gentoo/pull/15343 will be updated soon with the patches.]

(In reply to Sam James (sec padawan) from comment #2)
> [PR: https://github.com/gentoo/gentoo/pull/15343 will be updated soon with
> the patches.]

Done

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b925c44559bb0a48f9b5c211b00fa2dc6828a2af

commit b925c44559bb0a48f9b5c211b00fa2dc6828a2af
Author: Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2020-04-14 10:44:46 +0000
Commit: Yixun Lan <dlan@gentoo.org>
CommitDate: 2020-04-15 15:48:15 +0000

    app-emulation/xen: add patches for 4.13

    Fix Xen security bugs CVE-2020-{11739,11740,11741,11742,11743}

    Bug: https://bugs.gentoo.org/717446
    Closes: https://github.com/gentoo/gentoo/pull/15343
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Yixun Lan <dlan@gentoo.org>

 app-emulation/xen/Manifest | 1 +
 app-emulation/xen/xen-4.13.0-r3.ebuild | 165 +++++++++++++++++++++++++++++++++
 2 files changed, 166 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf59763275a84bed50e046890ee51fd66de3cb40

commit bf59763275a84bed50e046890ee51fd66de3cb40
Author: Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2020-04-14 10:43:49 +0000
Commit: Yixun Lan <dlan@gentoo.org>
CommitDate: 2020-04-15 15:48:12 +0000

    app-emulation/xen: add patches for 4.12

    Fix Xen security bugs CVE-2020-{11739,11740,11741,11742,11743}

    Bug: https://bugs.gentoo.org/717446
    Closes: https://github.com/gentoo/gentoo/pull/15343
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Yixun Lan <dlan@gentoo.org>

 app-emulation/xen/Manifest | 1 +
 app-emulation/xen/xen-4.12.2-r2.ebuild | 165 +++++++++++++++++++++++++++++++++
 2 files changed, 166 insertions(+)

@maintainer(s), please advise if ready for stabilisation, or call yourself. Thanks.

ago has let me know that stabilisation is blocked on these:
bug 717700
bug 717698

(In reply to Sam James (sec padawan) from comment #6)
> ago has let me know that stabilisation is blocked on these:
> bug 717700
> bug 717698

Changing to "see also" because ago explained they are not formal blockers, but blockers for his process.

@ago: your blockers have been fixed, please proceed

amd64 stable

@maintainer(s), please cleanup

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=11be7af2a980a01a1cc4b4676209d70a85ae3818

commit 11be7af2a980a01a1cc4b4676209d70a85ae3818
Author: Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2020-04-28 11:57:37 +0000
Commit: Yixun Lan <dlan@gentoo.org>
CommitDate: 2020-04-30 14:42:44 +0000

    app-emulation/xen: drop vulnerable version

    Bug: https://bugs.gentoo.org/717446
    Closes: https://github.com/gentoo/gentoo/pull/15554
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Yixun Lan <dlan@gentoo.org>

 app-emulation/xen/Manifest | 1 -
 app-emulation/xen/xen-4.12.2-r1.ebuild | 165 ---------------------------------
 2 files changed, 166 deletions(-)

Thanks!

This issue was resolved and addressed in GLSA 202005-08 at https://security.gentoo.org/glsa/202005-08 by GLSA coordinator Thomas Deutschmann (whissi).

@Whissi, please change the vulnerable xen-tools version to <app-emulation/xen-tools-4.12.2-r1 (not app-emulation/xen-tools-4.12.2-r2) as we don't have -r2 in the tree. Thanks.

Thanks @Whissi