Bug 205841

Summary: emulators/xen {-tools/-kernel}: multiple security advisories (XSA-157 to XSA-169)
Product: Ports & Packages Reporter: Jason Unovitch <junovitch>
Component: Individual Port(s)Assignee: Roger Pau Monné <royger>
Status: Closed FIXED    
Severity: Affects Some People CC: ports-secteam
Priority: --- Keywords: patch, patch-ready, security
Version: LatestFlags: bugzilla: maintainer-feedback? (royger)
junovitch: merge-quarterly+
Hardware: Any   
OS: Any   

Description Jason Unovitch freebsd_committer 2016-01-03 15:11:59 UTC
Multiple security advisories have been posted at http://xenbits.xen.org/xsa/ relevant to version 4.5.2 of Xen in ports.

Excluding the ARM and Linux specific advisories, the following look valid:

http://xenbits.xen.org/xsa/advisory-159.html
http://xenbits.xen.org/xsa/advisory-160.html
http://xenbits.xen.org/xsa/advisory-162.html (also impacts QEMU)
http://xenbits.xen.org/xsa/advisory-163.html
http://xenbits.xen.org/xsa/advisory-164.html
http://xenbits.xen.org/xsa/advisory-165.html
http://xenbits.xen.org/xsa/advisory-166.html
Comment 1 commit-hook freebsd_committer 2016-01-03 15:21:19 UTC
A commit references this bug:

Author: junovitch
Date: Sun Jan  3 15:21:13 UTC 2016
New revision: 405165
URL: https://svnweb.freebsd.org/changeset/ports/405165

Log:
  Extend VuXML entry for QEMU DoS in AMD PC-Net II NIC support to cover Xen

  PR:		205841
  Security:	CVE-2015-7504
  Security:	https://vuxml.FreeBSD.org/freebsd/405446f4-b1b3-11e5-9728-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 2 Jason Unovitch freebsd_committer 2016-01-03 15:23:55 UTC
XSA-162 has been added to the prior QEMU entry.  The others will need entries but I would appreciate a sanity check on us being impacted.  I'll assist or gladly do the entries if they all do impact us.
Comment 3 Jason Unovitch freebsd_committer 2016-01-05 00:23:33 UTC
Drop needs-patch/need-qa and add patch/patch-ready.  Patch is approved and in https://reviews.FreeBSD.org/D4783.
Comment 4 commit-hook freebsd_committer 2016-01-05 10:07:10 UTC
A commit references this bug:

Author: royger
Date: Tue Jan  5 10:06:08 UTC 2016
New revision: 405279
URL: https://svnweb.freebsd.org/changeset/ports/405279

Log:
  xen: fix XSAs

  Add the following XSA patches: 159, 160, 162, 165, 166.

  Security:		CVE-2015-8339
  Security:		CVE-2015-8340
  Security:		CVE-2015-8341
  Security:		CVE-2015-7504
  Security:		CVE-2015-8555
  PR:			205841
  MFH:			2016Q1
  Sponsored by:		Citrix Systems R&D
  Requested by:		junovitch
  Reviewed by:		junovitch
  Differential revision:	https://reviews.freebsd.org/D4783

Changes:
  head/emulators/xen/Makefile
  head/emulators/xen-kernel/Makefile
  head/emulators/xen-kernel/files/xsa159.patch
  head/emulators/xen-kernel/files/xsa165-4.5.patch
  head/emulators/xen-kernel/files/xsa166-4.5.patch
  head/sysutils/xen-tools/Makefile
  head/sysutils/xen-tools/files/xsa160-4.6.patch
  head/sysutils/xen-tools/files/xsa162-qemuu.patch
Comment 5 commit-hook freebsd_committer 2016-01-05 17:08:51 UTC
A commit references this bug:

Author: royger
Date: Tue Jan  5 17:08:12 UTC 2016
New revision: 405303
URL: https://svnweb.freebsd.org/changeset/ports/405303

Log:
  -n MFH:
  -n  r405279

  xen: fix XSAs

  Add the following XSA patches: 159, 160, 162, 165, 166.

  Security:		CVE-2015-8339
  Security:		CVE-2015-8340
  Security:		CVE-2015-8341
  Security:		CVE-2015-7504
  Security:		CVE-2015-8555
  PR:			205841
  Sponsored by:		Citrix Systems R&D
  Requested by:		junovitch
  Reviewed by:		junovitch
  Differential revision:	https://reviews.freebsd.org/D4783
  Approved by:		ports-secteam (miwi)

Changes:
_U  branches/2016Q1/
  branches/2016Q1/emulators/xen/Makefile
  branches/2016Q1/emulators/xen-kernel/Makefile
  branches/2016Q1/emulators/xen-kernel/files/xsa159.patch
  branches/2016Q1/emulators/xen-kernel/files/xsa165-4.5.patch
  branches/2016Q1/emulators/xen-kernel/files/xsa166-4.5.patch
  branches/2016Q1/sysutils/xen-tools/Makefile
  branches/2016Q1/sysutils/xen-tools/files/xsa160-4.6.patch
  branches/2016Q1/sysutils/xen-tools/files/xsa162-qemuu.patch
Comment 6 commit-hook freebsd_committer 2016-01-06 00:50:39 UTC
A commit references this bug:

Author: junovitch
Date: Wed Jan  6 00:49:40 UTC 2016
New revision: 405322
URL: https://svnweb.freebsd.org/changeset/ports/405322

Log:
  Document Xen Security Advisories (XSAs 159, 160, 162, 165, 166)

  PR:		205841
  Security:	CVE-2015-8555
  Security:	CVE-2015-8341
  Security:	CVE-2015-8339
  Security:	CVE-2015-8340
  Security:	https://vuxml.FreeBSD.org/freebsd/6aa2d135-b40e-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/e839ca04-b40d-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/5d1d4473-b40d-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/bcad3faa-b40c-11e5-9728-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 7 Jason Unovitch freebsd_committer 2016-01-06 00:58:32 UTC
Excellent. Thanks!

For my own understanding, documenting it in the history here, and to aid better in the future... It looks like XSA-164 doesn't impact us because we don't support qemu-xen-traditional (as I see mentioned in r398918's commit log). XSA-169 was 4.6 only. 

Why doesn't XSA-163 impact us? What about XSA-169? I noticed I did not mentioned that XSA in comment 0 and only mentioned in the the title for the PR.
Comment 8 Jason Unovitch freebsd_committer 2016-01-06 01:00:38 UTC
(In reply to Jason Unovitch from comment #7)
Please ignore the "What about XSA-169?" I shuffled my own words around and re-read the advisory to see it was 4.6 only.

I'll go ahead and mark this closed but I would appreciate the follow up learning on XSA-163.
Comment 9 Roger Pau Monné freebsd_committer 2016-01-07 09:20:35 UTC
XSA-163 is a notice that the VPMU functionality is not supported by the Xen Security Team. It's considered a debug feature, which should only be enabled in trusted environments (with trusted guests) and never used in production. It is not a fix, although I admit I could have applied the patch that clarifies this situation in the documentation.