Multiple security advisories have been posted at http://xenbits.xen.org/xsa/ relevant to version 4.5.2 of Xen in ports. Excluding the ARM- and Linux-specific advisories, the following look valid:

http://xenbits.xen.org/xsa/advisory-159.html
http://xenbits.xen.org/xsa/advisory-160.html
http://xenbits.xen.org/xsa/advisory-162.html (also impacts QEMU)
http://xenbits.xen.org/xsa/advisory-163.html
http://xenbits.xen.org/xsa/advisory-164.html
http://xenbits.xen.org/xsa/advisory-165.html
http://xenbits.xen.org/xsa/advisory-166.html
A commit references this bug:

Author: junovitch
Date: Sun Jan 3 15:21:13 UTC 2016
New revision: 405165
URL: https://svnweb.freebsd.org/changeset/ports/405165

Log:
  Extend VuXML entry for QEMU DoS in AMD PC-Net II NIC support to cover Xen

  PR:		205841
  Security:	CVE-2015-7504
  Security:	https://vuxml.FreeBSD.org/freebsd/405446f4-b1b3-11e5-9728-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
XSA-162 has been added to the prior QEMU entry. The others will need entries but I would appreciate a sanity check on us being impacted. I'll assist or gladly do the entries if they all do impact us.
Drop needs-patch/need-qa and add patch/patch-ready. Patch is approved and in https://reviews.FreeBSD.org/D4783.
A commit references this bug:

Author: royger
Date: Tue Jan 5 10:06:08 UTC 2016
New revision: 405279
URL: https://svnweb.freebsd.org/changeset/ports/405279

Log:
  xen: fix XSAs

  Add the following XSA patches: 159, 160, 162, 165, 166.

  Security:	CVE-2015-8339
  Security:	CVE-2015-8340
  Security:	CVE-2015-8341
  Security:	CVE-2015-7504
  Security:	CVE-2015-8555
  PR:		205841
  MFH:		2016Q1
  Sponsored by:	Citrix Systems R&D
  Requested by:	junovitch
  Reviewed by:	junovitch
  Differential revision:	https://reviews.freebsd.org/D4783

Changes:
  head/emulators/xen/Makefile
  head/emulators/xen-kernel/Makefile
  head/emulators/xen-kernel/files/xsa159.patch
  head/emulators/xen-kernel/files/xsa165-4.5.patch
  head/emulators/xen-kernel/files/xsa166-4.5.patch
  head/sysutils/xen-tools/Makefile
  head/sysutils/xen-tools/files/xsa160-4.6.patch
  head/sysutils/xen-tools/files/xsa162-qemuu.patch
A commit references this bug:

Author: royger
Date: Tue Jan 5 17:08:12 UTC 2016
New revision: 405303
URL: https://svnweb.freebsd.org/changeset/ports/405303

Log:
  -n MFH: -n r405279

  xen: fix XSAs

  Add the following XSA patches: 159, 160, 162, 165, 166.

  Security:	CVE-2015-8339
  Security:	CVE-2015-8340
  Security:	CVE-2015-8341
  Security:	CVE-2015-7504
  Security:	CVE-2015-8555
  PR:		205841
  Sponsored by:	Citrix Systems R&D
  Requested by:	junovitch
  Reviewed by:	junovitch
  Differential revision:	https://reviews.freebsd.org/D4783
  Approved by:	ports-secteam (miwi)

Changes:
_U  branches/2016Q1/
  branches/2016Q1/emulators/xen/Makefile
  branches/2016Q1/emulators/xen-kernel/Makefile
  branches/2016Q1/emulators/xen-kernel/files/xsa159.patch
  branches/2016Q1/emulators/xen-kernel/files/xsa165-4.5.patch
  branches/2016Q1/emulators/xen-kernel/files/xsa166-4.5.patch
  branches/2016Q1/sysutils/xen-tools/Makefile
  branches/2016Q1/sysutils/xen-tools/files/xsa160-4.6.patch
  branches/2016Q1/sysutils/xen-tools/files/xsa162-qemuu.patch
A commit references this bug:

Author: junovitch
Date: Wed Jan 6 00:49:40 UTC 2016
New revision: 405322
URL: https://svnweb.freebsd.org/changeset/ports/405322

Log:
  Document Xen Security Advisories (XSAs 159, 160, 162, 165, 166)

  PR:		205841
  Security:	CVE-2015-8555
  Security:	CVE-2015-8341
  Security:	CVE-2015-8339
  Security:	CVE-2015-8340
  Security:	https://vuxml.FreeBSD.org/freebsd/6aa2d135-b40e-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/e839ca04-b40d-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/5d1d4473-b40d-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/bcad3faa-b40c-11e5-9728-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Excellent. Thanks! For my own understanding, to document it in the history here, and to help in the future... It looks like XSA-164 doesn't impact us because we don't support qemu-xen-traditional (as I see mentioned in r398918's commit log). XSA-169 was 4.6 only. Why doesn't XSA-163 impact us? What about XSA-169? I noticed I did not mention that XSA in comment 0 and only mentioned it in the title of the PR.
(In reply to Jason Unovitch from comment #7) Please ignore the "What about XSA-169?" I shuffled my own words around and re-read the advisory to see it was 4.6 only. I'll go ahead and mark this closed, but I would appreciate the follow-up learning on XSA-163.
XSA-163 is a notice that the VPMU functionality is not supported by the Xen Security Team. It's considered a debug feature, which should only be enabled in trusted environments (with trusted guests) and never used in production. It is not a fix, although I admit I could have applied the patch that clarifies this situation in the documentation.