Xen project Mailing List

Re: [Xen-devel] Xen 3.4.x Backports

To: Jonathan Tripathy <jonnyt@xxxxxxxxxxx>

From: Ian Campbell <Ian.Campbell@xxxxxxxxxx>

Date: Wed, 29 Feb 2012 09:53:18 +0000

Cc: "keith.coleman@xxxxxxxxxxxxx" <keith.coleman@xxxxxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>

Delivery-date: Wed, 29 Feb 2012 09:53:46 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Tue, 2012-02-28 at 23:36 +0000, Jonathan Tripathy wrote: > Hi Keith, On a related note it would be very useful if http://wiki.xen.org/wiki/Security_Announcements could be updated when security fixes corresponding to Xen.org security vulnerability disclosures are added to the 3.4 branch. Keith, can you do that? If not then if you drop me a line each time I'll take care of it for you. > CVE-2011-2901: > http://www.openwall.com/lists/oss-security/2011/09/02/2 > > The patch performs the following: > - (((unsigned long)(addr) < (1UL<<48)) || \ > + (((unsigned long)(addr) < (1UL<<47)) || \ > > I see that the Xen security advisory says that only hypervisors 3.3 or > earlier are affected. However, I note that in later versions of Xen, > the line changed in the patch remains untouched. Any ideas why this is > the case? The problem has been fixed in xen-unstable. However only 3.3 and earlier were actually vulnerable due to the issue and so it has not been backported the stable branches. [...] I've left the others for Keith to comment on as 3.4 maintainer. Ian _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

References:

[Xen-devel] Xen 3.4.x Backports
- From: Jonathan Tripathy

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.