Hi,

On Wed, Nov 02, 2022 at 08:02:26PM +0100, Hans van Kranenburg wrote:
> Hi,
>
> On 10/19/22 21:55, Moritz Muehlenhoff wrote:
> >>> For the latest set of Xen issues my estimate is that we can postpone
> >>> them until the next batch, they seem all of moderate/limited impact.
> >>> But let me know if you think otherwise.
> >>
> >> I agree. Let's do them together with the new stuff that's planned for
> >> Nov 1st, https://xenbits.xen.org/xsa/
> >
> > Ack, I've updated the Security Tracker.
>
> I'm having a look at this now, and while writing the changelog entry, I
> ran into the following thing:
>
> XSA-403 has 4 CVE numbers. AFAIUI the first two are about the fixes done
> to Linux, and the other two are about changes to Xen. Shouldn't the
> Debian security tracker reflect that?
>
> CVE-2022-26365 CVE-2022-33740 -> src:linux only ?
> CVE-2022-33741 CVE-2022-33742 -> src:xen only ?
Speaking for src:linux I do not think we need to change the tracking:

CVE-2022-26365: 2f446ffe9d73 ("xen/blkfront: fix leaking data in shared pages")
CVE-2022-33740: 307c8de2b023 ("xen/netfront: fix leaking data in shared pages")
CVE-2022-33741: 4491001c2e0f ("xen/netfront: force data bouncing when backend is untrusted")
CVE-2022-33742: 2400617da7ee ("xen/blkfront: force data bouncing when backend is untrusted")

Regards,
Salvatore