Peter Dreuw
2018-11-28 11:59:11 UTC
Hi out there,
as you might have noticed, we fixed many issues with Xen 4.4 in Jessie.
cf. https://security-tracker.debian.org/tracker/source-package/xen
With this, all current "trivial" cases are closed (ignoring the few arm
already marked no-DSA before the LTS support stepped in) These might be
easy to fix at some point but currently I don't see the real point in
spending too much time on these.
The open cases are
TEMP-0000000-20B25C = XSA-280
TEMP-0000000-319B92 = XSA-279
TEMP-0000000-EC90C0 = XSA-275
CVE-2018-3620, CVE-2018-3646 = XSA-273
CVE-2018-3665 = XSA-267
CVE-2018-3639 = XSA-263
CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 = XSA-254 - which is not in
the Debian tracker for Xen, actually...
While XSA-275 and XSA280 might be easy to apply the upstream fix,
XSA-279 does not apply to the current Xen 4.4 state. XSA-279 does only
affect after implementing the XSA-254 (Meltdown) fixes. From this
perspective. XSA-279 could be safely ignored until the back ports are done.
XSA-273 could be fixed only if microcode and kernel is fixed too.
According to the bug tracker, for the kernel this is not the case yet.
The patch relies on the code fixing spectre / meltdown issues so it had
to be postponed until these fixes have been ported. Only Intel CPU might
be vulnerable. A mitigation is possible but undesirable due to heavy
performance impacts.
XSA-267 could be fixed as there is a fixed kernel in Jessie security.
The first patch for this can be applied directly, the second one relies
on code for XSA-254 (spectre / meltdown). Mitigation is possible by cpu
pinning to VMs.
XSA-263 depends on fixing XSA-254 too. The other constraints like kernel
and microcode are fixed already. There is no other mitigation known but
fixing the code and firmware.
XSA-254 aka Spectre / Meltdown is still open for Xen but never made it
to the Debian security tracker for Xen, surprisingly. Currently, there
is no mitigation for CVE-2017-5753 (Spectre variant 1, SP1) For SP2,
Spectre CVE-2017-5715 there are the BTI fixes in upstream. For SP3, aka
Meltdown, CVE-2017-5754, running guests in PVH or HVM context. PV guests
could be run under special shim hypervisors available for Xen 4.10 and
up. There are shim back ports for Xen 4.8. Alternatively, there are the
page table isolation (PTI) patches that mitigate the Meltdown issue too.
Sadly, the PTI patches rely on the BTI patched code. There are 43 BTI
upstream patches for Xen 4.6 that need to be back ported.
These 43 patches to fix SP2 introduce the code basis for XSA-279,
XSA-273, XSA 267 and XSA-263 listed above.
The major question is: Are we traveling this road, implementing / back
porting the BTI fixes for XSA-254?
If so, the other fixes are probably not to much work. But implementing
BTI fixes is a long and unknown road. I cannot give any reliable numbers
how much work that would be. But anybody can estimate that this will be
much more than a few days to get done. There might be a shortcut for
some patches by back porting independent code chunks like I did with the
grant table code for Xen 4.1 (Wheezy) but for now, I can't oversee all
of this in total yet and I doubt that there will be a great shortcut to
be found.
Another option would be backporting the Xen
4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (and following) package from
Stretch to Jessie. This could be done including testing within a few
hours, maybe a little more than a working day or less if we abandon Xen
4.4.
Along with Xen 4.8 there might be some further impacts as e.g. libxen
changes, too. This might break some unpackaged software depending on this.
As changing the minor version of a package like Xen is kind of a break
in expectations people might have in LTS. Therefor, I'd like to ask for
feedback on both options and your opinion, which way to get to a solution.Â
Don't get me wrong, I am not unwilling to work on a back port of these
fixes but this will not be done within a short amount of time and
honestly I cannot guarantee that there will be a 100% solution. A
Stretch back port on the other hand could be ready very soon.
Kind regards
Peter
--
Peter Dreuw
Teamleiter
Tel.: +49 2166 9901-155
Fax: +49 2166 9901-100
E-Mail: ***@credativ.de
gpg fingerprint: 33B0 82D3 D103 B594 E7D3 53C7 FBB6 3BD0 DB32 ED41
http://www.credativ.de/
**********************************************
Jetzt neu:
Elephant Shed - PostgreSQL Appliance
PostgreSQL und alles was dazugehört
Von Backup ÃŒber Monitoring bis Reporting:
https://elephant-shed.io/index.de.html
**********************************************
credativ GmbH, HRB Mönchengladbach 12080
USt-ID-Nummer: DE204566209
Trompeterallee 108, 41189 Mönchengladbach
GeschÀftsfÌhrung: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
Unser Umgang mit personenbezogenen Daten unterliegt
folgenden Bestimmungen: https://www.credativ.de/datenschutz
as you might have noticed, we fixed many issues with Xen 4.4 in Jessie.
cf. https://security-tracker.debian.org/tracker/source-package/xen
With this, all current "trivial" cases are closed (ignoring the few arm
already marked no-DSA before the LTS support stepped in) These might be
easy to fix at some point but currently I don't see the real point in
spending too much time on these.
The open cases are
TEMP-0000000-20B25C = XSA-280
TEMP-0000000-319B92 = XSA-279
TEMP-0000000-EC90C0 = XSA-275
CVE-2018-3620, CVE-2018-3646 = XSA-273
CVE-2018-3665 = XSA-267
CVE-2018-3639 = XSA-263
CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 = XSA-254 - which is not in
the Debian tracker for Xen, actually...
While XSA-275 and XSA280 might be easy to apply the upstream fix,
XSA-279 does not apply to the current Xen 4.4 state. XSA-279 does only
affect after implementing the XSA-254 (Meltdown) fixes. From this
perspective. XSA-279 could be safely ignored until the back ports are done.
XSA-273 could be fixed only if microcode and kernel is fixed too.
According to the bug tracker, for the kernel this is not the case yet.
The patch relies on the code fixing spectre / meltdown issues so it had
to be postponed until these fixes have been ported. Only Intel CPU might
be vulnerable. A mitigation is possible but undesirable due to heavy
performance impacts.
XSA-267 could be fixed as there is a fixed kernel in Jessie security.
The first patch for this can be applied directly, the second one relies
on code for XSA-254 (spectre / meltdown). Mitigation is possible by cpu
pinning to VMs.
XSA-263 depends on fixing XSA-254 too. The other constraints like kernel
and microcode are fixed already. There is no other mitigation known but
fixing the code and firmware.
XSA-254 aka Spectre / Meltdown is still open for Xen but never made it
to the Debian security tracker for Xen, surprisingly. Currently, there
is no mitigation for CVE-2017-5753 (Spectre variant 1, SP1) For SP2,
Spectre CVE-2017-5715 there are the BTI fixes in upstream. For SP3, aka
Meltdown, CVE-2017-5754, running guests in PVH or HVM context. PV guests
could be run under special shim hypervisors available for Xen 4.10 and
up. There are shim back ports for Xen 4.8. Alternatively, there are the
page table isolation (PTI) patches that mitigate the Meltdown issue too.
Sadly, the PTI patches rely on the BTI patched code. There are 43 BTI
upstream patches for Xen 4.6 that need to be back ported.
These 43 patches to fix SP2 introduce the code basis for XSA-279,
XSA-273, XSA 267 and XSA-263 listed above.
The major question is: Are we traveling this road, implementing / back
porting the BTI fixes for XSA-254?
If so, the other fixes are probably not to much work. But implementing
BTI fixes is a long and unknown road. I cannot give any reliable numbers
how much work that would be. But anybody can estimate that this will be
much more than a few days to get done. There might be a shortcut for
some patches by back porting independent code chunks like I did with the
grant table code for Xen 4.1 (Wheezy) but for now, I can't oversee all
of this in total yet and I doubt that there will be a great shortcut to
be found.
Another option would be backporting the Xen
4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (and following) package from
Stretch to Jessie. This could be done including testing within a few
hours, maybe a little more than a working day or less if we abandon Xen
4.4.
Along with Xen 4.8 there might be some further impacts as e.g. libxen
changes, too. This might break some unpackaged software depending on this.
As changing the minor version of a package like Xen is kind of a break
in expectations people might have in LTS. Therefor, I'd like to ask for
feedback on both options and your opinion, which way to get to a solution.Â
Don't get me wrong, I am not unwilling to work on a back port of these
fixes but this will not be done within a short amount of time and
honestly I cannot guarantee that there will be a 100% solution. A
Stretch back port on the other hand could be ready very soon.
Kind regards
Peter
--
Peter Dreuw
Teamleiter
Tel.: +49 2166 9901-155
Fax: +49 2166 9901-100
E-Mail: ***@credativ.de
gpg fingerprint: 33B0 82D3 D103 B594 E7D3 53C7 FBB6 3BD0 DB32 ED41
http://www.credativ.de/
**********************************************
Jetzt neu:
Elephant Shed - PostgreSQL Appliance
PostgreSQL und alles was dazugehört
Von Backup ÃŒber Monitoring bis Reporting:
https://elephant-shed.io/index.de.html
**********************************************
credativ GmbH, HRB Mönchengladbach 12080
USt-ID-Nummer: DE204566209
Trompeterallee 108, 41189 Mönchengladbach
GeschÀftsfÌhrung: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
Unser Umgang mit personenbezogenen Daten unterliegt
folgenden Bestimmungen: https://www.credativ.de/datenschutz