Re: [Xen-devel] Xen security issues

> On 14/04/2013 19:35, AL13N wrote:
>> Op zondag 14 april 2013 11:15:03 schreef Ian Campbell:
>>> On Sun, 2013-04-14 at 08:05 +0100, AL13N wrote:
>>>> I'm the Mageia maintainer and I'm a bit behind on patching CVE-*.
>>>> can anyone help me find out which of these are actually applicable for
>>>> 4.1.2?
>>> You can find a list of the already public Xen security announcements,
>>> with CVE numbers and links to advisories, patches etc at:
>>> http://wiki.xen.org/wiki/Security_Announcements
>> the problem is not finding the patches :-)
>> the problem is which in those huge lists are actually applicable to that
>> specific version: xen-4.2.1
>> or more, which aren't applicable :-).
> http://wiki.xen.org/wiki/Xen_4.2_Release_Notes
> Xen 4.2 was released on 17 Sept 2012.  XSA-19 and earlier were older
> than that, so are not applicable.  XSA-20 and newer all specifically
> refer to xen-4.2-testing and whether it is vulnerable or not.

Thanks for the pointers, this will make it a lot easier for me!

> Although now I note that you might have transposed 4.1.2.

No, luckily I didn't, mga2 has 4.1.2; while mga3 will have 4.2.1.

> So the 4.1 release notes put 4.1.2 on 21 Oct 2011.  However, I would
> highly recommend moving forwards to 4.1.4 or even newer.  4.1.x is in
> maintenance now and is only receiving bugfixes, but being OS software,
> there is still a steady stream of bugfixes being backported.

I'll keep this in mind for mga2. atm, my priority is mga3, though.
