path: root/retired/CVE-2015-8553
blob: 8924ab19185883a86e9dba9016dccc214605625f
Description: Incomplete fix for CVE-2015-2150
References:
 http://xenbits.xen.org/xsa/advisory-120.html
 http://thread.gmane.org/gmane.comp.emulators.xen.devel/140440/focus=140441
 http://thread.gmane.org/gmane.linux.kernel/1924087/focus=1924088
Notes:
 bwh> Upstream fix is not clearly correct; see discussions in the references.
 jmm> I've gotten in touch with the subsystem maintainers; the patch breaks
 jmm> qemu (as used by xen). While this was fixed upstream in qemu, the patch
 jmm> hasn't been merged yet since it would break with older versions of qemu.
 jmm> I'm trying to find out which version is fine, so maybe we can carry
 jmm> the xsa120-addendum.patch as a Debian-specific patch until it's merged at
 jmm> some point.
 carnil> qemu fix is in
 carnil> https://git.qemu.org/?p=qemu.git;a=commitdiff;h=2e87512eccf3c5e40f3142ff5a763f4f850839f4
 carnil> which is at least in qemu v2.5.0-rc0 onwards.
 bwh> The kernel fix will be applied to 4.9, so we will need to add a
 bwh> Breaks against old qemu and revert the fix for the jessie backport.
Bugs:
upstream: released (5.1-rc1) [7681f31ec9cdacab4fd10570be924f2cef6669ba]
4.19-upstream-stable: released (4.19.48) [99dcf4a4dd2e102aa843ef2cf9ab65c89e9d56df]
4.9-upstream-stable: released (4.9.181) [19474aa3d81ad5ae8692f7a45ff8ea12fbfd7ede]
3.16-upstream-stable: ignored "breaks qemu versions likely to be used with this kernel version"
3.2-upstream-stable: ignored "EOL"
sid: released (4.19.37-1) [bugfix/all/xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch]
4.19-buster-security: N/A "Fixed before branching point"
4.9-stretch-security: released (4.9.168-1+deb9u5) [bugfix/all/xen-pciback-don-t-disable-pci_command-on-pci-device-.patch]
3.16-jessie-security: ignored "breaks qemu as used in jessie"
3.2-wheezy-security: ignored "breaks qemu as used in jessie"