Original advisory: http://lists.xensource.com/archives/html/xen-devel/2011-06/msg01106.html Patch at $URL
Fixed in cvs
It's fixed in xen-4.1.1-r2
Thanks Alexey. The vulnerability _seems_ to affect only 4.x version, so in tree the stable version is 3.x. You want to stabilize 4.1.1-r2 equally?
(In reply to comment #3)
> Thanks Alexey.
>
> The vulnerability _seems_ to affect only 4.x version, so in tree the stable
> version is 3.x.
>
Based on what? Reading the 3.x code, it very much looks affected to me. Also, SUSE has issued an update for this issue in xen-3: http://support.novell.com/security/cve/CVE-2011-3131.html
> You want to stabilize 4.1.1-r2 equally?
We're not going to do a major version bump for fixing a security issue. We'll either need proof that this issue does not affect xen-3 (which I doubt), or a revbumped xen-3 package.

(In reply to comment #4)
> Based on what?
Secunia advisory says it, but I've not checked manually; that is the reason I said "_seems_".

Sorted with substantial co-operation from a number of the faithful. Fixes for xen-3 and xen-4 are done, the former not yet in the tree. Watch this space..
The fixes are in the tree
Arches, please test & mark stable; app-emulation/xen-4.1.1-r2, app-emulation/xen-tools-4.1.1-r5, app-emulation/xen-pvgrub-4.1.1-r1 target keywords "AMD64 X86".
(In reply to comment #8)
> Arches, please test & mark stable;
>
> app-emulation/xen-4.1.1-r2,
> app-emulation/xen-tools-4.1.1-r5,
> app-emulation/xen-pvgrub-4.1.1-r1
>
> target keywords "AMD64 X86".
We will wait for fixed version of xen-3

fixed version of xen-3 is in the tree
Arches, please test & mark stable; update to xen-3 ONLY (exclude xen-4) app-emulation/xen-3.4.2-r2, app-emulation/xen-tools 3.4.2-r1

re-patched the patch for the 1st step xen-tools. Needed two adjustments. Have re-tested.
archtester xen-tools # ebuild xen-tools-3.4.2-r1.ebuild compile
.......................................................
archtester xen-tools # >>> Source compiled.
Please re-try

It appears the xen-tools has an issue with the recently stabled gcc-4.5.3-r1
33977 fixed; app-emulation/xen-3.4.2-r2, app-emulation/xen-tools 3.4.2-r2
Arches please target: app-emulation/xen-3.4.2-r2 app-emulation/xen-tools 3.4.2-r3
(In reply to comment #15)
> Arches please target:
> app-emulation/xen-3.4.2-r2
> app-emulation/xen-tools 3.4.2-r3
More recent versions have been stabilized in bug #360621 . How do we proceed?

(In reply to comment #16)
> More recent versions have been stabilized in bug #360621 . How do we proceed?
Stabilise the requested versions in addition to the 4.x versions, then remove yourself from CC.

Arches please target: app-emulation/xen-3.4.2-r3 app-emulation/xen-tools 3.4.2-r3
Sorry @all for the extra mailspam. I'd recommend removing /.config before tests =) amd64 ok, the other issues are not blockers.

ok, on syncing to current tree versions;
archtester ~ # ls -ld /.config/
ls: cannot access /.config/: No such file or directory
emerge =app-emulation/xen-tools-3.4.2-r3
>>> Emerging (1 of 1) app-emulation/xen-tools-3.4.2-r3
>>> Installing (1 of 1) app-emulation/xen-tools-3.4.2-r3
archtester ~ # emerge =app-emulation/xen-3.4.2-r3
>>> Emerging (3 of 3) app-emulation/xen-3.4.2-r3
>>> Installing (3 of 3) app-emulation/xen-3.4.2-r3

+ 25 Sep 2011; Tony Vroon <chainsaw@gentoo.org> xen-3.4.2-r3.ebuild: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian + "idella4" Delaney in security bug #379241. + 25 Sep 2011; Tony Vroon <chainsaw@gentoo.org> xen-tools-3.4.2-r3.ebuild: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian + "idella4" Delaney in security bug #379241. X86 please proceed; the -r3s are GCC 4.5/4.6 capable.
(In reply to comment #21)
> X86 please proceed; the -r3s are GCC 4.5/4.6 capable.
x86 stable, BUT:
xen-tools-3.4.2-r3 has a missing dependency with USE="doc":
[...]
(/usr/share/texmf-dist/tex/latex/base/ifthen.sty)
! LaTeX Error: File `xcolor.sty' not found.
Type X to quit or <RETURN> to proceed,
or enter new name. (Default extension: sty)
Enter file name:
! Emergency stop.
<read *>
l.10 \usepackage {textcomp}^^M
! ==> Fatal error occurred, no output PDF file produced!

(In reply to comment #22)
> x86 stable, BUT:
>
> xen-tools-3.4.2-r3 has a missing dependency with USE="doc":
It was already filed and is not a regression, thanks anyway ;)
@security, Please proceed with glsa voting.

Thanks, folks. GLSA Vote: yes.
Vote: NO.
GLSA vote: NO. Closing noglsa.