[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] [Xen-devel] Security patches

Hi Ian,

Thanks for your reply. Sorry to bother you with this. I am bit confused and so I am asking to make clear myself.

Reg CVE-2012-2934 - http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html Is Xen 3.4 too affected with this vulnerable? If so I couldn't find the patch for xen 3.4 and it does exit for xen 4.x only.

I don't how to apply the following patches since I have created rpm with patches applied that included as downloadable file. But for these patches I am not seeing any downloadable file.


If you can clear this for me that would be great :)

I hope that I am replying in correct way.

On Thu, Sep 6, 2012 at 2:26 PM, Ian Campbell <Ian.Campbell@xxxxxxxxxx> wrote:
On Thu, 2012-09-06 at 09:31 +0100, kk s wrote:
> Hi,
> Can anyone give the patch file download link for the below xen
> security for xen version 3.4 and 4.1? Since I couldn't find the
> downloadable patch file for some of the CVE's.
> CVE-2012-0029   - http://lists.xen.org/archives/html/xen-devel/2012-02/msg00212.html  (There is no download link for both xen 3.4 and 4.1)
> CVE-2012-2934   - http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html  (There is no patch file to download of xen 3.4)
> CVE-2012-3432   - http://lists.xen.org/archives/html/xen-devel/2012-07/msg01649.html  (There is no download link for both xen 3.4 and 4.1)
> CVE-2012-3433   - http://lists.xen.org/archives/html/xen-devel/2012-08/msg00855.html  (There is no download link for both xen 3.4 and 4.1)

It looks to me like there are changeset references and/or patches for
all of these in the advisories. You might find it easier to follow:

You can also always look in the appropriate xen-X.Y-testing.hg tree for
the fix.

> CVE-2012-3497   - http://lists.xen.org/archives/html/xen-announce/2012-09/msg00006.html  (There is no download link for patch)

This is quite clearly explained in the advisory.

> Also I have some doubts for the below CVE's.
> CVE-2012-3496  - Is this vulnerability affected for xen 4.x only or it
> does include for xen 3.4 too? Since the patch name was
> xsa14-xen-3.4-and-4.x.patch
> http://lists.xen.org/archives/html/xen-announce/2012-09/msg00002.html

Yes, it looks like this effects 3.4 too.

> CVE-2012-3516  - Shall I apply this unstable for patch for xen4.2 too?
> http://lists.xen.org/archives/html/xen-announce/2012-09/msg00004.html

The advisory says "Xen-unstable, including Xen 4.2 release candidates
are vulnerable to this issue.", so yes, obviously.

In the future please carefully read the advisories before asking lots of
questions, almost everything you have asked is addressed in the advisory
texts AFAICT.


Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.