[Pkg-xen-devel] Bug#947944: xen: Several CVEs open for xen (CVE-2018-12207 CVE-2019-11135 CVE-2019-18420 CVE-2019-18421 CVE-2019-18422 CVE-2019-18423 CVE-2019-18424 CVE-2019-18425 CVE-2019-19577 CVE-2019-19578 CVE-2019-19579 CVE-2019-19580 CVE-2019-19581 CVE-2019-19582 CVE-2019-19583)

Hans van Kranenburg hans at knorrie.org
Tue Jan 7 22:34:55 GMT 2020


Hi,

Today I have finally been working on this. The result is that I at least
have a new (WIP) version for buster. I'm running it on a dom0 right now
and did smoke testing, live migrate, restarting domUs etc. It just works
(tm).

This was the easy part, most of the work was assembling the changelog by
copy-pasting things. I cross-checked with your list (below), which is
nice, since we can check that way that the info from different points of
view is the same (except for one entry it is).

https://salsa.debian.org/xen-team/debian-xen/commits/knorrie/buster-security

Now the interesting part begins, which is not so much about the stable
security update, but more about what to do with unstable. We currently
still have the same Xen version in unstable and in Buster.

So, the most logical thing, which I mentioned before would be to have
4.11.3+24-g14b62ab3e5-1 in unstable and 4.11.3+24-g14b62ab3e5-1~deb10u1
in stable.

However... https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=938843
And on Dec 15, python-pyxenstore REMOVED from testing

So, I guess we're not supposed to upload something new to unstable that
includes this package again and/or uses python 2.

Also, we of course do not like a situation where the package in stable
has a newer version number than the one in unstable.

Checkmate...

We (as in, Debian Xen team, which is Ian and I who are currently active)
haven't been working on getting the latest greatest Xen into unstable
for Bullseye yet. The most recent Xen release (4.13) includes python3
support which fixes that issue, but getting that in means we have to
actively start working on newer packages now. This mostly means
reserving a few days to work on it, since it's not a really trivial
undertaking.

Another duct-tape option is to put the same thing in unstable again,
while stripping out python-pyxenstore from the control file, since it's
not a required package for the average usecase. Still, xen-utils-4.11
contains a bunch of python 2 files, which apparently are still under the
radar.

I'm thinking out loud here, and am curious about what you and Ian can
come up with.

On 1/2/20 3:57 PM, Salvatore Bonaccorso wrote:
> [...]
> 
> There are several CVEs open for xen up to unstable, compiling a list
> from the information from the security-tracker it looks those below.
> 
> Any progress in getting those fixed at least for unstable already?
> 
> CVE-2018-12207[0]:

check, XSA-304

> CVE-2019-11135[1]:

check, XSA-305

> CVE-2019-18420[2]:

check, XSA-296

> CVE-2019-18421[3]:

check, XSA-299

> CVE-2019-18422[4]:

check, XSA-303

> CVE-2019-18423[5]:

check, XSA-301

> CVE-2019-18424[6]:

check, XSA-302

> CVE-2019-18425[7]:

check, XSA-298

> CVE-2019-19577[8]:

check, XSA-311

> CVE-2019-19578[9]:

check, XSA-309

> CVE-2019-19579[10]:

check, XSA-306

> CVE-2019-19580[11]:

check, XSA-310

> CVE-2019-19581[12]:

check, XSA-307

> CVE-2019-19582[13]:

check, XSA-307

> CVE-2019-19583[14]:

check, XSA-308

In the changelog, I also have a fix for:
 XSA-295 CVE-2019-17349 CVE-2019-17350
 https://xenbits.xen.org/xsa/advisory-295.html

> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

I also added a commit to put in the CVE numbers in previous changelog
entries:

https://salsa.debian.org/xen-team/debian-xen/commit/0ee295f5caf6178f64febeb976d7ea968e44a191

Is this ok/wanted/great/what-you-like? Because, regularly, the numbers
are not available yet when we push out the update.

Thanks,
Hans van Kranenburg
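The cross-check described in the mail above (comparing the CVE ids named in the changelog against the list from the security tracker) can be scripted. The following is an added example for illustration and not the Debian Xen team's tooling. The changelog text in it is constructed in debian/changelog style from the XSA/CVE pairs in this thread, with a placeholder maintainer line and date; it is not the real entry on the salsa branch. The tracker list is the one quoted from Salvatore's mail, so the report's "extra" entries are the two XSA-295 CVEs that the changelog covers but the tracker list did not ask about.

```python
"""Cross-check CVE coverage between a Debian changelog entry and a list of
CVE ids taken from the security tracker.

Added example; not the Debian Xen team's tooling. CHANGELOG below is a
constructed excerpt (format, maintainer line and date are placeholders).
"""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
XSA_RE = re.compile(r"XSA-\d+")

# Constructed changelog excerpt in debian/changelog style, built from the
# XSA/CVE pairs listed in the thread. Not the real entry from salsa.
CHANGELOG = """\
xen (4.11.3+24-g14b62ab3e5-1~deb10u1) buster-security; urgency=high

  * Update to new upstream version 4.11.3+24-g14b62ab3e5, which also
    contains security fixes for the following issues:
    - XSA-295 CVE-2019-17349 CVE-2019-17350
    - XSA-296 CVE-2019-18420
    - XSA-298 CVE-2019-18425
    - XSA-299 CVE-2019-18421
    - XSA-301 CVE-2019-18423
    - XSA-302 CVE-2019-18424
    - XSA-303 CVE-2019-18422
    - XSA-304 CVE-2018-12207
    - XSA-305 CVE-2019-11135
    - XSA-306 CVE-2019-19579
    - XSA-307 CVE-2019-19581 CVE-2019-19582
    - XSA-308 CVE-2019-19583
    - XSA-309 CVE-2019-19578
    - XSA-310 CVE-2019-19580
    - XSA-311 CVE-2019-19577

 -- Placeholder Maintainer <maintainer@example.org>  Tue, 07 Jan 2020 00:00:00 +0000
"""

# The CVE ids quoted from the security-tracker list in the thread.
TRACKER_CVES = {
    "CVE-2018-12207", "CVE-2019-11135", "CVE-2019-18420", "CVE-2019-18421",
    "CVE-2019-18422", "CVE-2019-18423", "CVE-2019-18424", "CVE-2019-18425",
    "CVE-2019-19577", "CVE-2019-19578", "CVE-2019-19579", "CVE-2019-19580",
    "CVE-2019-19581", "CVE-2019-19582", "CVE-2019-19583",
}


def parse_changelog(text):
    """Return {CVE: XSA-or-None} for every CVE id named in the changelog.

    Each line is scanned on its own, so a CVE is linked only to an XSA that
    appears on the same line. A CVE on a line with no (or several) XSA ids
    maps to None, which the report lists under "unmapped" for a manual look.
    """
    found = {}
    for line in text.splitlines():
        xsas = XSA_RE.findall(line)
        xsa = xsas[0] if len(xsas) == 1 else None
        for cve in CVE_RE.findall(line):
            found[cve] = xsa
    return found


def cross_check(changelog_cves, tracker_cves):
    """Compare the changelog view with the tracker view of the same update."""
    in_changelog = set(changelog_cves)
    by_xsa = {}
    for cve, xsa in changelog_cves.items():
        if xsa is not None:
            by_xsa.setdefault(xsa, []).append(cve)
    for cves in by_xsa.values():
        cves.sort()
    return {
        # open per the tracker but absent from the changelog: fix is missing or undocumented
        "missing": sorted(set(tracker_cves) - in_changelog),
        # fixed per the changelog but not on the tracker's list for this round
        "extra": sorted(in_changelog - set(tracker_cves)),
        # CVE named without a single XSA on the same line
        "unmapped": sorted(c for c, x in changelog_cves.items() if x is None),
        "by_xsa": dict(sorted(by_xsa.items())),
    }


if __name__ == "__main__":
    report = cross_check(parse_changelog(CHANGELOG), TRACKER_CVES)
    for key in ("missing", "extra", "unmapped"):
        print(f"{key}: {report[key]}")
    for xsa, cves in report["by_xsa"].items():
        print(f"{xsa}: {' '.join(cves)}")
```

Feeding the real debian/changelog and a tracker export (one CVE id per line) into `parse_changelog` and `cross_check` gives the same three lists; a non-empty "missing" list is the one that blocks an upload.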
