795054 – (CVE-2021-0089, CVE-2021-26313, CVE-2021-28690, CVE-2021-28691, CVE-2021-28692, CVE-2021-28693, XSA-372, XSA-373, XSA-374, XSA-375, XSA-377) <app-emulation/xen-{4.14.2-r1,4.15.0-r1}: multiple vulnerabilities (XSA-{372,373,374,375,377})

Bug 795054 (CVE-2021-0089, CVE-2021-26313, CVE-2021-28690, CVE-2021-28691, CVE-2021-28692, CVE-2021-28693, XSA-372, XSA-373, XSA-374, XSA-375, XSA-377) - <app-emulation/xen-{4.14.2-r1,4.15.0-r1}: multiple vulnerabilities (XSA-{372,373,374,375,377})

Summary: <app-emulation/xen-{4.14.2-r1,4.15.0-r1}: multiple vulnerabilities (XSA-{372,...

Status:	RESOLVED FIXED

Alias:	CVE-2021-0089, CVE-2021-26313, CVE-2021-28690, CVE-2021-28691, CVE-2021-28692, CVE-2021-28693, XSA-372, XSA-373, XSA-374, XSA-375, XSA-377

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B1 [glsa+ cve]
Keywords:	PullRequest

Depends on:
Blocks:

Reported:	2021-06-09 07:26 UTC by Tomáš Mózes
Modified:	2021-07-15 05:32 UTC (History)
CC List:	3 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/21168 https://github.com/gentoo/gentoo/pull/21611
Package list:	app-emulation/xen-4.14.2-r1 amd64 app-emulation/xen-tools-4.14.2-r1
Runtime testing required:	---

Flags:	nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tomáš Mózes 2021-06-09 07:26:12 UTC

New patches came out yesterday for XSA-372, XSA-373, XSA-374, XSA-375, XSA-377

https://xenbits.xen.org/xsa/

Comment 1 Larry the Git Cow gentoo-dev

2021-06-11 12:53:16 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee98a9e773c46b04534c0ceabce56cfd11866b53

commit ee98a9e773c46b04534c0ceabce56cfd11866b53
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-06-09 07:18:09 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-06-11 12:49:01 +0000

    app-emulation/xen: add upstream security patches
    
    Fixes XSA-372, XSA-373, XSA-374, XSA-375, XSA-377
    
    Bug: https://bugs.gentoo.org/795054
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-emulation/xen/Manifest             |   1 +
 app-emulation/xen/xen-4.15.0-r1.ebuild | 169 +++++++++++++++++++++++++++++++++
 2 files changed, 170 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=31d16f4a033665a6cdb28d55e4b72a43969a8e79

commit 31d16f4a033665a6cdb28d55e4b72a43969a8e79
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-06-09 07:17:38 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-06-11 12:49:01 +0000

    app-emulation/xen: add upstream security patches
    
    Fixes XSA-372, XSA-373, XSA-374, XSA-375, XSA-377
    
    Bug: https://bugs.gentoo.org/795054
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-emulation/xen/Manifest             |   1 +
 app-emulation/xen/xen-4.14.2-r1.ebuild | 169 +++++++++++++++++++++++++++++++++
 2 files changed, 170 insertions(+)

Comment 2 John Helmert III archtester

2021-06-11 20:12:45 UTC

Please stable when ready.

Comment 3 NATTkA bot gentoo-dev

2021-06-11 20:16:22 UTC Comment hidden (obsolete)

Sanity check failed:

> app-emulation/xen-4.14.2-r1
>   pdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     ~app-emulation/xen-tools-4.14.2
>   pdepend amd64 stable profile default/linux/amd64/17.1 (15 total)
>     ~app-emulation/xen-tools-4.14.2

Comment 4 Sam James archtester

2021-06-12 13:59:39 UTC

amd64 done

Comment 5 Sam James archtester

2021-06-12 13:59:59 UTC

x86 done

all arches done

Comment 6 John Helmert III archtester

2021-06-12 14:02:49 UTC

Please cleanup, thanks!

Comment 7 John Helmert III archtester

2021-07-06 02:31:54 UTC

What about 4.13.x?

Comment 8 John Helmert III archtester

2021-07-06 02:51:37 UTC

GLSA request filed.

Comment 9 Tomáš Mózes 2021-07-07 14:59:58 UTC

(In reply to John Helmert III from comment #7)
> What about 4.13.x?

We'll clean it.

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2021-07-12 02:51:00 UTC

This issue was resolved and addressed in
 GLSA 202107-30 at https://security.gentoo.org/glsa/202107-30
by GLSA coordinator Sam James (sam_c).

Comment 11 Sam James archtester

2021-07-12 02:51:49 UTC

Reopening for cleanup.

Comment 12 Larry the Git Cow gentoo-dev

2021-07-15 05:31:17 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2b346612c0c2d11ecf23af72c1aa72d24e0dc9a4

commit 2b346612c0c2d11ecf23af72c1aa72d24e0dc9a4
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-07-12 10:13:39 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-15 05:30:37 +0000

    app-emulation/xen: drop vulnerable
    
    Bug: https://bugs.gentoo.org/795054
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-emulation/xen/Manifest          |   1 -
 app-emulation/xen/xen-4.13.3.ebuild | 165 ------------------------------------
 2 files changed, 166 deletions(-)

Comment 13 John Helmert III archtester

2021-07-15 05:32:09 UTC

Thanks! All done