Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#1063035: bookworm-pu: package xen/4.17.3+10-g091466ba55-1~deb12u1
2 views
Skip to first unread message
Maximilian Engelhardt
Feb 4, 2024, 12:00:06 PM2/4/24
to
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.d...@packages.debian.org
Usertags: pu
X-Debbugs-Cc: x...@packages.debian.org, ma...@daemonizer.de, ha...@knorrie.org, te...@security.debian.org
Control: affects -1 + src:xen
This is a Xen stable update. This update could also have been a security
update on its own, but since the changes do not ultimately require a
DSA, we'd like to publish via the point release channel, so that users
get the new Xen and Linux kernel package at exactly the same moment,
reducing reboot stress.
[ Reason ]
Xen in bookworm is currently affected by several CVEs:
- CVE-2023-46837
- CVE-2023-46839
- CVE-2023-46840
[ Impact ]
The above mentioned CVEs are not fixed in bookworm.
[ Tests ]
The Debian package is based only on upstream commits that have passed
the upstream automated tests.
The Debian package has been successfully tested by the xen packaging
team on their test machines.
The same version is also in unstable without any reports.
[ Risks ]
There could be upstream changes unrelated to the above mentioned
security fixes that cause regressions. However upstream has an automated
testing machinery (osstest) that only allows a commit in the upstream
stable branch if all test pass.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
(Note: as can be seen in the source debdiff, inadvertently, we introduced a
typo when including a previous debian/changelog entry. Oops. We decided that
it's not important enough to do another -2 right now.)
[ Changes ]
* Advance the upstream source code to the latest available commit in the
upstream stable Xen 4.17 branch line.
* No packaging changes were made
* Where necessary, patches were as-is rebased against upstream changes.
* Document changes and mention security issues in the changelog in the
usual format.
[ Other info ]
This update, like previous Xen 4.17 updates for Bookworm, is based on
the upstream stable-4.17 branch.
The branch in general only accepts bug fixes and does not allow new
features, so the changes there are mainly security fixes, important bug
fixes and fixes related to hardware errata or hardware support.
The package we have prepared is exactly what we would have done as a
security update in a stable release, what we have historically done
together with the security team and are planning to continue to do.
As upstream does extensive automated testing on their stable branches
chances for unnoticed regressions are low. We believe that by following
the upstream stable release branch line the risk for regressions is
lower than trying to manually pick and adjust (security) patches without
all the deep knowledge that upstream has. This approach is similar to
what the Linux kernel team is doing.
Severity: normal
Tags: bookworm
User: release.d...@packages.debian.org
Usertags: pu
X-Debbugs-Cc: x...@packages.debian.org, ma...@daemonizer.de, ha...@knorrie.org, te...@security.debian.org
Control: affects -1 + src:xen
This is a Xen stable update. This update could also have been a security
update on its own, but since the changes do not ultimately require a
DSA, we'd like to publish via the point release channel, so that users
get the new Xen and Linux kernel package at exactly the same moment,
reducing reboot stress.
[ Reason ]
Xen in bookworm is currently affected by several CVEs:
- CVE-2023-46837
- CVE-2023-46839
- CVE-2023-46840
[ Impact ]
The above mentioned CVEs are not fixed in bookworm.
[ Tests ]
The Debian package is based only on upstream commits that have passed
the upstream automated tests.
The Debian package has been successfully tested by the xen packaging
team on their test machines.
The same version is also in unstable without any reports.
[ Risks ]
There could be upstream changes unrelated to the above mentioned
security fixes that cause regressions. However upstream has an automated
testing machinery (osstest) that only allows a commit in the upstream
stable branch if all test pass.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
(Note: as can be seen in the source debdiff, inadvertently, we introduced a
typo when including a previous debian/changelog entry. Oops. We decided that
it's not important enough to do another -2 right now.)
[ Changes ]
* Advance the upstream source code to the latest available commit in the
upstream stable Xen 4.17 branch line.
* No packaging changes were made
* Where necessary, patches were as-is rebased against upstream changes.
* Document changes and mention security issues in the changelog in the
usual format.
[ Other info ]
This update, like previous Xen 4.17 updates for Bookworm, is based on
the upstream stable-4.17 branch.
The branch in general only accepts bug fixes and does not allow new
features, so the changes there are mainly security fixes, important bug
fixes and fixes related to hardware errata or hardware support.
The package we have prepared is exactly what we would have done as a
security update in a stable release, what we have historically done
together with the security team and are planning to continue to do.
As upstream does extensive automated testing on their stable branches
chances for unnoticed regressions are low. We believe that by following
the upstream stable release branch line the risk for regressions is
lower than trying to manually pick and adjust (security) patches without
all the deep knowledge that upstream has. This approach is similar to
what the Linux kernel team is doing.
Adam D Barratt
Feb 4, 2024, 2:30:05 PM2/4/24
to
package release.debian.org
tags 1063035 = bookworm pending
thanks
Hi,
The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.
Thanks for your contribution!
Upload details
==============
Package: xen
Version: 4.17.3+10-g091466ba55-1~deb12u1
Explanation: new upstream stable release; security fixes [CVE-2023-46837 CVE-2023-46839 CVE-2023-46840]
tags 1063035 = bookworm pending
thanks
Hi,
The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.
Thanks for your contribution!
Upload details
==============
Package: xen
Version: 4.17.3+10-g091466ba55-1~deb12u1
Explanation: new upstream stable release; security fixes [CVE-2023-46837 CVE-2023-46839 CVE-2023-46840]
0 new messages