On 2018-11-28 22:44:52, Moritz Muehlenhoff wrote:
> On Wed, Nov 28, 2018 at 12:59:11PM +0100, Peter Dreuw wrote:
>> Hi out there,
>> Another option would be backporting the Xen
>> 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (and following) package from
>> Stretch to Jessie.
>
> What would be the point? If you migrate to a completely new Xen release,
> then you can just as well migrate to stretch (which will also have
> proven, compatible matching versions of libvirt/Linux/qemu/ etc.)
>
> If some of the Spectre mitigations can't be backported, make a detailed
> writeup of what people are missing in 4.4 and let them handle it
> based on that data (update to stretch or stick with 4.4/jessie); there's
> still plenty of legitimate use cases which can be run in a secure
> manner with 4.4 (internal VMs with trusted users etc).
I agree. It's not like Spectre is trivial to exploit either, so the tradeoff might be acceptable for some users. Xen upgrades are usually fairly smooth, but considering the dom0 is most likely *only* running Xen, upgrading to stretch is probably equivalent to upgrading to a Xen backported from stretch. So while I usually am a proponent of aggressive backports, I think that, in this case, we would actually be doing a disservice to our users by forcibly backporting a version from stretch. :)

Peter, are there non-speculative vulnerabilities remaining we could look at? Otherwise I would just publish a DLA saying we simply stop supporting that aspect of Xen...

A.

-- 
The future is already here – it's just not very evenly distributed.
                        - William Gibson