[Pkg-xen-devel] Bug#1021668: Bug#1021668: xen: CVE-2022-33749 CVE-2022-33748 CVE-2022-33747 CVE-2022-33746

Salvatore Bonaccorso carnil at debian.org
Wed Nov 2 20:53:54 GMT 2022


Hi,

On Wed, Nov 02, 2022 at 08:02:26PM +0100, Hans van Kranenburg wrote:
> Hi,
> 
> On 10/19/22 21:55, Moritz Muehlenhoff wrote:
> >>> For the latest set of Xen issues my estimate is that we can postpone
> >>> them until the next batch, they seem all of moderate/limited impact.
> >>> But let me know if you think otherwise.
> >>
> >> I agree. Let's do them together with the new stuff that's planned for
> >> Nov 1st, https://xenbits.xen.org/xsa/
> > 
> > Ack, I've updated the Security Tracker.
> 
> I'm having a look at this now, and while writing the changelog entry, I
> run into the following thing:
> 
> XSA-403 has 4 CVE numbers. AFAIUI the first two are about the fixes done
> to Linux, and the other two are about changes to Xen. Shouldn't the
> Debian security tracker reflect that?
> 
> CVE-2022-26365 CVE-2022-33740 -> src:linux only ?
> CVE-2022-33741 CVE-2022-33742 -> src:xen only ?

Speaking for src:linux I do not think we need to change the tracking:

CVE-2022-26365: 2f446ffe9d73 ("xen/blkfront: fix leaking data in shared pages")
CVE-2022-33740: 307c8de2b023 ("xen/netfront: fix leaking data in shared pages")
CVE-2022-33741: 4491001c2e0f ("xen/netfront: force data bouncing when backend is untrusted")
CVE-2022-33742: 2400617da7ee ("xen/blkfront: force data bouncing when backend is untrusted")

Regards,
Salvatore



More information about the Pkg-xen-devel mailing list