[Pkg-xen-devel] Bug#1036475: unblock: xen/4.17.1+2-gb773c48e36-1

Maximilian Engelhardt maxi at daemonizer.de
Sun May 21 21:02:25 BST 2023


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock 
X-Debbugs-Cc: xen at packages.debian.org, team at security.debian.org, maxi at daemonizer.de
Control: affects -1 + src:xen

Please unblock package xen.

[ Reason ]
Xen in bookworm is currently affected by CVE-2022-42335 and
CVE-2022-42336 (see #1034842 and #1036298).

[ Impact ]
The above-mentioned CVEs are not fixed in bookworm.

[ Tests ]
The Debian package is based only on upstream commits that have passed
the upstream automated tests.
The Debian package has been successfully tested by the xen packaging
team on their test machines.

[ Risks ]
There could be upstream changes unrelated to the above-mentioned
security fixes that cause regressions. However, upstream has an automated
testing machinery (osstest) that only allows a commit in the upstream
stable branch if all tests pass.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
This security fix is based on the latest upstream stable-4.17 branch.
The branch in general only accepts bug fixes and does not allow new
features, so the changes there are mainly security and other bug fixes.
This does not strictly follow the "only targeted fixes" release policy,
but, as explained below, we believe it is still appropriate for an
unblock request.
The package we have uploaded to unstable is exactly what we would have
done as a security update in a stable release, what we have historically
done together with the security team and are planning to continue to do.
As upstream does extensive automated testing on their stable branches,
chances for unnoticed regressions are low. We believe this way the risk
for bugs is lower than trying to manually pick and adjust patches
without all the deep knowledge that upstream has. This approach is
similar to what the linux package is doing.

Please note that piuparts currently fails for xen in unstable. We
believe this is due to adduser now being marked as Protected:yes (see
discussion in #1035654) and not related to the xen packaging. Please let
us know if there is anything we have to do on the xen packaging side.

unblock xen/4.17.1+2-gb773c48e36-1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xen_4.17.1+2-gb773c48e36-1.debdiff
Type: text/x-patch
Size: 61856 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-xen-devel/attachments/20230521/a3931913/attachment-0001.bin>