Re: openssl / CVE-2016-2177.patch
Brian May writes:
> It might be worth somebody else testing it, just in case this is
> something specific to my build.
>
> Will continue investigating.

Looks like the test certificates may have expired.

https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1581084

Most likely reason anyway.
--
Brian May
Re: Xen i386 support on Debian wheezy-LTS
On Mon, Jun 20, 2016 at 05:38:33PM +1000, Brian May wrote:
> According to Bastian Blank the fix for XSA 173 breaks i386
> support. The HVM domains die immediately due to a triple fault. His
> working theory is that invalid bits slip into the initial page table of
> the domain. He is recommending that we drop support for i386 in order
> that we can continue patching Xen in wheezy with the latest security
> updates.

I forgot to provide further findings.

Each HVM domain immediately dies with a triple fault:

| (XEN) hvm.c:1134:d1 Triple fault on VCPU0 - invoking HVM system reset.
| (XEN) *** Dumping Dom1 vcpu#0 state: ***
| (XEN) [ Xen-4.1.6.1 x86_32p debug=n Not tainted ]
| (XEN) CPU:1
| (XEN) EIP::[<00101520>]
| (XEN) EFLAGS: 0002 CONTEXT: hvm guest
| (XEN) eax: ebx: ecx: edx:
| (XEN) esi: edi: ebp: esp:
| (XEN) cr0: 0011 cr4: cr3: cr2: 00101520
| (XEN) ds: es: fs: gs: ss: cs:

CR0 shows the system is in a pretty early state: it is already in
protected mode but nothing else. It dies during access of the page
fault handler specified in CR2.

A domain in this state can't be dumped.

Regards,
Bastian

--
Lots of people drink from the wrong bottle sometimes.
-- Edith Keeler, "The City on the Edge of Forever", stardate unknown
Re: openssl / CVE-2016-2177.patch
Brian May writes:
> Looks like the test certificates may have expired.
>
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1581084

Yes, builds fine now after applying the patch from the above link.
--
Brian May
Re: Security update of Gosa
Hi Markus,

On Tue 21 Jun 2016 01:15:17 CEST, Markus Koschany wrote:

> Hello Michael,
>
> you are still listed in dla-needed.txt as the owner of Gosa. Apparently
> you already prepared a debdiff and sent it to the security team but it
> was never released. Would it be possible to share it with us? Or can you
> confirm that the following patches from Jessie will resolve this issue?
>
> https://tracker.debian.org/media/packages/g/gosa/changelog-2.7.4%2Breloaded2-1%2Bdeb8u2
>
> CVE-2015-8771:
>
> 0006_code-injection-in-samba-hash-generation.patch,
> 0007_update-sambaHashHook-description.patch. Fix potential code
> injection issue in Samba hash generation. (CVE-2015-8771)
>
> CVE-2014-9760:
>
> https://sources.debian.net/src/gosa/2.7.4%2Breloaded2-12/debian/patches/0003_xss-vulnerability-on-login-screen.patch/
>
> Regards
>
> Markus

I'll get back to you tomorrow on this. Basically, I can do the upload
myself.

Greets,
Mike
--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: xen_4.1.6.1-1+deb7u2.dsc
Hello,

I just want to inform you that I had a very serious regression after
upgrading to 4.1.6. Live-Migration of XEN-HVM guests ends in a dom0
crash or CPU Stuck Error. Dom0 and DomU are Wheezy amd64.

--
Best Regards
Stephan Helas
Re: xen_4.1.6.1-1+deb7u2.dsc
Stephan Helas writes:
> I just want to inform you that I had a very serious regression after
> upgrading to 4.1.6. Live-Migration of XEN-HVM guests ends in a dom0
> crash or CPU Stuck Error. Dom0 and DomU are Wheezy amd64.

Just to be clear; you replied to the thread on version
xen_4.1.6.1-1+deb7u2.dsc; however I never uploaded that version. It has
known problems on i386.

Maybe you meant to say you have version 4.1.6.1-1+deb7u1?
--
Brian May
Re: xen_4.1.6.1-1+deb7u2.dsc
Hi,

On 06/21/2016 01:22 PM, Brian May wrote:
> Stephan Helas writes:
>
>> I just want to inform you that I had a very serious regression after
>> upgrading to 4.1.6. Live-Migration of XEN-HVM guests ends in a dom0
>> crash or CPU Stuck Error. Dom0 and DomU are Wheezy amd64.
>
> Just to be clear; you replied to the thread on version
> xen_4.1.6.1-1+deb7u2.dsc; however I never uploaded that version. It has
> known problems on i386.
>
> Maybe you meant to say you have version 4.1.6.1-1+deb7u1?
>

Yes, I've checked. The info is about 4.1.6.1-1+deb7u1. I found the same
error here:

https://bugs.launchpad.net/ubuntu/+source/xen/+bug/1515145

--
Best regards
Stephan Helas
Re: xen_4.1.6.1-1+deb7u2.dsc
Hello Bastian Blank,

It appears that we need an extra patch to get the fix for xsa97 working
properly. See the linked Ubuntu bug report.

https://bugs.launchpad.net/ubuntu/+source/xen/+bug/1515145

Just wondering if you included this in version 4.1.6.1-1+deb7u2 by any
chance?

Thanks

Stephan Helas writes:
>>> I just want to inform you that I had a very serious regression after
>>> upgrading to 4.1.6. Live-Migration of XEN-HVM guests ends in a dom0
>>> crash or CPU Stuck Error. Dom0 and DomU are Wheezy amd64.
>>
>> Just to be clear; you replied to the thread on version
>> xen_4.1.6.1-1+deb7u2.dsc; however I never uploaded that version. It has
>> known problems on i386.
>>
>> Maybe you meant to say you have version 4.1.6.1-1+deb7u1?
>>
>
> Yes, I've checked. The info is about 4.1.6.1-1+deb7u1. I found the same
> error here:
>
> https://bugs.launchpad.net/ubuntu/+source/xen/+bug/1515145
--
Brian May
Re: Xen i386 support on Debian wheezy-LTS
On 2016-06-20 07:38, Brian May wrote:
> According to Bastian Blank the fix for XSA 173 breaks i386
> support. The HVM domains die immediately due to a triple fault.
> His working theory is that invalid bits slip into the initial
> page table of the domain. He is recommending that we drop support
> for i386 in order that we can continue patching Xen in wheezy
> with the latest security

>> - make 32-bit hvm unsupported or
>> - drop 32-bit hypervisor altogether.

I got the impression that:
* i386 hypervisor support is a key use of Xen-4.1.
* PV mode is used more in older installs.

I definitely think there is a case for supporting the i386 hypervisor for
PV guests, even if HVM may become unsupportable (e.g. also due to QEMU
patching, though apparently QEMU could be swapped for a newer, more
supportable version without too much trouble).

--Simon