Hi,

On 10/19/22 21:55, Moritz Muehlenhoff wrote:
>>> For the latest set of Xen issues my estimate is that we can postpone
>>> them until the next batch, they seem all of moderate/limited impact.
>>> But let me know if you think otherwise.
>>
>> I agree. Let's do them together with the new stuff that's planned for
>> Nov 1st, https://xenbits.xen.org/xsa/
>
> Ack, I've updated the Security Tracker.
I'm having a look at this now, and while writing the changelog entry, I ran into the following thing: XSA-403 has 4 CVE numbers. AFAIUI the first two are about the fixes done to Linux, and the other two are about changes to Xen. Shouldn't the Debian security tracker reflect that?

CVE-2022-26365 CVE-2022-33740 -> src:linux only ?
CVE-2022-33741 CVE-2022-33742 -> src:xen only ?

And for XSA-403, at first upstream was unsure about what to do for older Xen versions where the patches would be an ABI breaker. In the end, they did apply the more coarse-grained patch to at least offer some kind of mitigation in case a user wants to use it.

So, the changelog line I'm including now will just be:

- Linux disk/nic frontends data leaks XSA-403 CVE-2022-33741 CVE-2022-33742

HTH,
Hans