Hi out there, as you might have noticed, we fixed many issues with Xen 4.4 in Jessie. cf. https://security-tracker.debian.org/tracker/source-package/xen
With this, all current "trivial" cases are closed (ignoring the few ARM ones already marked no-DSA before the LTS support stepped in). These might be easy to fix at some point, but currently I don't see the real point in spending too much time on these.

The open cases are:

  TEMP-0000000-20B25C = XSA-280
  TEMP-0000000-319B92 = XSA-279
  TEMP-0000000-EC90C0 = XSA-275
  CVE-2018-3620, CVE-2018-3646 = XSA-273
  CVE-2018-3665 = XSA-267
  CVE-2018-3639 = XSA-263
  CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 = XSA-254 - which is not in the Debian tracker for Xen, actually...

While for XSA-275 and XSA-280 it might be easy to apply the upstream fix, XSA-279 does not apply to the current Xen 4.4 state. XSA-279 only applies after implementing the XSA-254 (Meltdown) fixes. From this perspective, XSA-279 could be safely ignored until the back ports are done.

XSA-273 could be fixed only if microcode and kernel are fixed too. According to the bug tracker, for the kernel this is not the case yet. The patch relies on the code fixing the Spectre / Meltdown issues, so it has to be postponed until these fixes have been ported. Only Intel CPUs might be vulnerable. A mitigation is possible but undesirable due to heavy performance impacts.

XSA-267 could be fixed, as there is a fixed kernel in Jessie security. The first patch for this can be applied directly; the second one relies on code for XSA-254 (Spectre / Meltdown). Mitigation is possible by CPU pinning to VMs.

XSA-263 depends on fixing XSA-254 too. The other constraints like kernel and microcode are fixed already. There is no other mitigation known but fixing the code and firmware.

XSA-254 aka Spectre / Meltdown is still open for Xen but never made it to the Debian security tracker for Xen, surprisingly. Currently, there is no mitigation for CVE-2017-5753 (Spectre variant 1, SP1). For SP2, Spectre CVE-2017-5715, there are the BTI fixes in upstream. For SP3, aka Meltdown, CVE-2017-5754, running guests in PVH or HVM context. PV guests could be run under special shim hypervisors available for Xen 4.10 and up. There are shim back ports for Xen 4.8. Alternatively, there are the page table isolation (PTI) patches that mitigate the Meltdown issue too. Sadly, the PTI patches rely on the BTI-patched code. There are 43 BTI upstream patches for Xen 4.6 that need to be back ported. These 43 patches to fix SP2 introduce the code basis for XSA-279, XSA-273, XSA-267 and XSA-263 listed above.

The major question is: are we travelling this road, implementing / back porting the BTI fixes for XSA-254? If so, the other fixes are probably not too much work. But implementing the BTI fixes is a long and unknown road. I cannot give any reliable numbers on how much work that would be, but anybody can estimate that this will be much more than a few days to get done. There might be a shortcut for some patches by back porting independent code chunks like I did with the grant table code for Xen 4.1 (Wheezy), but for now I can't oversee all of this in total yet, and I doubt that there will be a great shortcut to be found.

Another option would be backporting the Xen 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (and following) package from Stretch to Jessie. This could be done, including testing, within a few hours, maybe a little more than a working day, or less if we abandon Xen 4.4. Along with Xen 4.8 there might be some further impacts, e.g. libxen changes, too. This might break some unpackaged software depending on this. And changing the minor version of a package like Xen is kind of a break in the expectations people might have in LTS.

Therefore, I'd like to ask for feedback on both options and your opinion on which way to get to a solution. Don't get me wrong, I am not unwilling to work on a back port of these fixes, but this will not be done within a short amount of time, and honestly I cannot guarantee that there will be a 100% solution. A Stretch back port on the other hand could be ready very soon.
Kind regards
Peter

--
Peter Dreuw
Team lead
Tel.: +49 2166 9901-155
Fax: +49 2166 9901-100
E-Mail: peter.dr...@credativ.de
gpg fingerprint: 33B0 82D3 D103 B594 E7D3 53C7 FBB6 3BD0 DB32 ED41
http://www.credativ.de/

**********************************************
New: Elephant Shed - PostgreSQL Appliance
PostgreSQL and everything that goes with it
From backup via monitoring to reporting: https://elephant-shed.io/index.de.html
**********************************************

credativ GmbH, HRB Mönchengladbach 12080
USt-ID-Nummer: DE204566209
Trompeterallee 108, 41189 Mönchengladbach
Managing directors: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
Our handling of personal data is subject to the following provisions: https://www.credativ.de/datenschutz
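An added inventory check, not part of the mail above and not Debian's or Xen's own tooling, that turns the mail's Meltdown (XSA-254) statements into something an operator of a Jessie Xen 4.4 host can run: the mail says guests in HVM or PVH context are covered for CVE-2017-5754, while PV guests need the PV shim (Xen 4.10 and up, back ports for 4.8) or the PTI patches. The script reads the host version from `xl info` and the guest types from `xl list -l`; the exact layout of both outputs ("key : value" lines, and libxl JSON with a `config` / `c_info` / `type` field) is an assumption on my part, and the embedded samples are constructed, so the classification rules, not the parsing, are the part to trust.

```python
"""Classify Xen guests by the PV/HVM distinction that matters for the Meltdown
mitigation status discussed in the mail (added example, output formats assumed)."""
import json
import subprocess
import sys
from typing import Dict, List, Tuple

# Constructed sample of `xl list -l` output. The libxl JSON layout
# ("config" -> "c_info" -> "type") is an assumption about the tool's output.
SAMPLE_XL_LIST = json.dumps([
    {"domid": 0, "config": {"c_info": {"type": "pv", "name": "Domain-0"}}},
    {"domid": 3, "config": {"c_info": {"type": "pv", "name": "web01"}}},
    {"domid": 5, "config": {"c_info": {"type": "hvm", "name": "win-test"}}},
    {"domid": 7, "config": {"c_info": {"type": "pvh", "name": "db02"}}},
])

# Constructed sample of `xl info` output ("key : value" lines); only the
# version keys are used below.
SAMPLE_XL_INFO = """\
host                   : xenhost
release                : 3.16.0-4-amd64
xen_major              : 4
xen_minor              : 4
xen_extra              : .1
"""


def parse_xl_info(text: str) -> Dict[str, str]:
    """Turn `xl info` lines into a dict; lines without a colon are skipped."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def host_version(info: Dict[str, str]) -> Tuple[int, int]:
    """(major, minor) of the running hypervisor, e.g. (4, 4) for Jessie's Xen."""
    return int(info["xen_major"]), int(info["xen_minor"])


def pv_shim_available(version: Tuple[int, int]) -> bool:
    """Per the mail: shim hypervisors exist for 4.10 and up, back ports for 4.8."""
    return version >= (4, 8)


def classify_guests(xl_list_json: str) -> Dict[str, List[str]]:
    """Sort domains by how the mail's Meltdown statements apply to them.

    HVM/PVH guests run in the context the mail describes as mitigating
    CVE-2017-5754; PV guests need the PV shim or the PTI patches, neither of
    which is in Jessie's Xen 4.4 according to the mail. dom0 is listed on
    its own because it is not a guest in that sense.
    """
    result: Dict[str, List[str]] = {"dom0": [], "pv_needs_shim_or_pti": [], "hvm_or_pvh": []}
    for dom in json.loads(xl_list_json):
        c_info = dom.get("config", {}).get("c_info", {})
        name = c_info.get("name") or "domid-%s" % dom.get("domid")
        if dom.get("domid") == 0:
            result["dom0"].append(name)
        elif c_info.get("type") == "pv":
            result["pv_needs_shim_or_pti"].append(name)
        else:
            result["hvm_or_pvh"].append(name)
    return result


def assess(xl_info_text: str, xl_list_json: str) -> Dict[str, object]:
    """Combine host version and guest inventory into one report dict."""
    version = host_version(parse_xl_info(xl_info_text))
    return {
        "xen_version": "%d.%d" % version,
        "pv_shim_available": pv_shim_available(version),
        "guests": classify_guests(xl_list_json),
    }


def run_live() -> Dict[str, object]:
    """Run the real tools (needs root in dom0); output formats assumed as above."""
    info = subprocess.run(["xl", "info"], check=True, capture_output=True, text=True).stdout
    doms = subprocess.run(["xl", "list", "-l"], check=True, capture_output=True, text=True).stdout
    return assess(info, doms)


if __name__ == "__main__":
    report = run_live() if "--live" in sys.argv else assess(SAMPLE_XL_INFO, SAMPLE_XL_LIST)
    print(json.dumps(report, indent=2))
```

Without arguments the script reports on the constructed samples; with `--live` it runs `xl` itself. A PV guest landing in `pv_needs_shim_or_pti` on a host where `pv_shim_available` is false is exactly the situation the mail's two options (back porting the BTI/PTI series or moving to the Stretch 4.8 package with shim) are meant to resolve.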