Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable
Steven Timm wrote:
> On Thu, 4 Oct 2007, Fajar A. Nugraha wrote:
>
>> I believe kernels compiled for xen 3.0.3 can run on xen 3.1. So if
>> you use :
>> - Xen 3.1
>> - RHEL5 as domU or dom0
>> - same 64-bit or 32-bit for Xen/dom0/domU
>>
>> then you can use RHEL kernels.
>> When you need to run 32 bit domU on the above scenario, I'd prefer to
>> use 64-bit RHEL kernel with 32 bit userland.
>>
>> Regards,
>>
>> Fajar
>>
>
> I guess what I am really trying to get at is the following:
> What, if anything, of the Xen code base is built into
> the kernel rpms that redhat 5 and friends distribute as kernel-xen
> (for instance, kernel-xen-2.6.18-8.1.14.el5, just released
> to patch the vulnerability that started this thread).

Since you're talking about kernel vulnerabilities, you can look at
kernel-2.6.18-8.1.14.el5.src.rpm. In particular, look at the Changelog
and Patch, and you'll see something like

Patch21263: linux-2.6-x86_64-entry-path-zero-extend-all-registers-after-ptrace.patch

%changelog
* Tue Sep 25 2007 Don Howard <dhoward@xxxxxxxxxx> [2.6.18-8.1.14.el5]
- Revert changes back to 2.6.18-8.1.10.
- [x86_64] Zero extend all registers after ptrace in 32bit entry path (Anton Arapov ) [297871] {CVE-2007-4573}

It's not Xen-specific, so in regards to this vulnerability nothing from
the Xen codebase is involved.

> Is there anything that's version specific? Is there anything
> that ties it to xen 3.0.3?

Source1: xen-%{xen_hv_cset}.tar.bz2

In theory, since Xen-3.1 kernel is also based on 2.6.18, you PROBABLY
could change this one with sources from Xen-3.1, and rebuild the
.src.rpm. Haven't tried it though.

> How can I look at the kernel config
> files and tell the difference, if necessary?
>
> I went and got the kernels from xensource that were compiled with
> xen 3.1.0

Or you could try it the other way around. Use Xen's source tarball,
apply RH's kernel patches, and compile it.

> because people on this list told me that this was required
> to do what I wanted to do, namely 64bit dom0 plus 32bit PAE domU's.
> I understand that a xen 3.0.3-compiled kernel could be a domU in this
> setup but not a dom0. Is this understanding wrong?
>

RH kernels can run on xen 3.0.3 or xen 3.1, for dom0 or domU, as long as
they're the same bits (e.g. all 64 bit, or all 32bit). Using vendor kernel
has the advantage that they will provide ready-to-use security updates.

Note, however, that xen.gz is included in kernel-xen. This has some
implications :
- On dom0, this means that if you want to use RHEL5 kernel-xen on xen
  3.1, you have to manually edit grub.conf to use xen.gz from xen 3.1
  instead of the one from kernel-xen.
- On domU, generally you don't have to care what dom0 is running.
  Whether xen 3.0.3 or xen 3.1, you can continue to use RH's kernel-xen.

If you want to use 32bit PAE domU on 64 bit xen/dom0, then you HAVE to
use xen 3.1 domU kernel. Generally I wouldn't bother, I'd simply use
64-bit kernel with 32-bit userland instead.

Regards,

Fajar

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
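
The changelog check suggested in the message above, as an added example that is not part of the original thread: a small shell function that reads changelog text and reports which release entries carry a given CVE tag. The function name `cve_fixed_in`, the helper `sample_changelog`, and the second sample entry are assumptions constructed for illustration.

```shell
#!/bin/sh
# cve_fixed_in CVE-ID: reads changelog text on stdin, in the layout printed by
# `rpm -q --changelog <package>` (the same layout as a spec file %changelog).
# Prints the release of each entry that mentions the CVE; exits 1 if none do.
cve_fixed_in() {
    awk -v cve="$1" '
        BEGIN { rel = "unknown" }
        /^\* / {                      # entry header: * date author [release]
            line = $0
            sub(/[ \t]+$/, "", line)
            rel = "unknown"; seen = 0
            n = length(line)
            if (substr(line, n, 1) == "]") {
                # walk back to the opening bracket of the trailing [release]
                for (i = n; i > 0; i--) if (substr(line, i, 1) == "[") break
                if (i > 0) rel = substr(line, i + 1, n - i - 1)
            }
            next
        }
        # The quoted entry tags the fix as {CVE-2007-4573}; the tag may sit on
        # a wrapped continuation line, so every line of the entry is checked.
        index($0, "{" cve "}") && !seen { print rel; seen = 1; found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample: the first entry is the one quoted in the message above;
# the second entry is a made-up placeholder for an older, unfixed build.
sample_changelog() {
    cat <<'EOF'
* Tue Sep 25 2007 Don Howard <dhoward@xxxxxxxxxx> [2.6.18-8.1.14.el5]
- Revert changes back to 2.6.18-8.1.10.
- [x86_64] Zero extend all registers after ptrace in 32bit entry path
  (Anton Arapov ) [297871] {CVE-2007-4573}

* Mon Aug 27 2007 Example Builder <builder@example.invalid> [2.6.18-8.1.10.el5]
- [misc] placeholder entry (constructed)
EOF
}

# On a real host: rpm -q --changelog kernel-xen | cve_fixed_in CVE-2007-4573
sample_changelog | cve_fixed_in CVE-2007-4573
```

A non-zero exit status means no entry in the supplied changelog mentions the CVE, which is the case to flag when auditing a rebuilt or third-party kernel package.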