Issue created Jul 13, 2022 by Hans van Kranenburg (@knorrie, Owner). 31 of 31 checklist items completed.

Xen 4.14 security update for Debian stable (4.14.5+24-g87d90d51-1)

Xen 4.14 security update for Bullseye

  • Create a salsa gitlab issue about the package update, where we will paste the result of this checklist into when we're done, for hysterical purposes.
  • If stable/security update: Inform security team about the plans
  • Look at upstream, what's in the staging-x.y branch now?
  • Wait for upstream tests to succeed and for stable-x.yz to advance, see osstest messages in https://lists.xenproject.org/archives/html/xen-devel/
  • pick upstream commit that we're going to advance the packaging to -> RELEASE-4.14.5-24-g87d90d511c87
  • choose full target version number -> 4.14.5+24-g87d90d511c-1
  • fetch upstream into packaging working copy
  • look through new upstream changes, assemble list of XSA info for the changelog -> already in final format! see also https://xenbits.xen.org/xsa/
  * Update to new upstream version 4.14.5+24-g87d90d511c, which also contains security fixes
    for the following issues:
    - x86 pv: Race condition in typeref acquisition
      XSA-401 CVE-2022-26362
    - x86 pv: Insufficient care with non-coherent mappings
      XSA-402 CVE-2022-26363 CVE-2022-26364
    - x86: MMIO Stale Data vulnerabilities
      XSA-404 CVE-2022-21123 CVE-2022-21125 CVE-2022-21166
    - Retbleed - arbitrary speculative code execution with return instructions
      XSA-407 CVE-2022-23816 CVE-2022-23825 CVE-2022-29900
  * Note that the following XSA are not listed, because...
    - XSA-403 patches are not applied to stable branch lines
    - XSA-405 and XSA-406 have patches for the Linux kernel.
  • create upstream/xyz tag, e.g. git tag -s upstream/4.14.4+74-gd7b22226b5 -m "Tag current upstream stable-4.14 branch for Debian baseline" d7b22226b5
  • look at the current state of the packaging repo; do we have the right starting point? (like, the debian/xyz tag of previous upload) -> wip/bullseye-security
  • Do gdr new-upstream magic -> git debrebase new-upstream 4.14.5+24-g87d90d511c-1
  • Do we need to do extra things? Like, small targeted fix for a packaging bug?
  • Write the debian/changelog entry. Just look at the previous ones for formatting examples.
  • Push the upstream/xyz tag to salsa
  • Push the wip branch to salsa, and let gitlab-ci build it
  • Create orig.tar.whatever -> git-deborig
  • Have gdr update the debian/patches stuff -> git-debrebase make-patches
  • Do a local build
  • Smoke test, e.g. reboot a physical server with it, move some domU to it, do some live migrate, some restart etc.
  • Take a proper break
  • Triple check debian/changelog for stupid errors
  • Upload signed result somewhere where security team can grab it. https://syrinx.knorrie.org/~knorrie/tmp/xen/xen_4.14.5+24-g87d90d511c-1_amd64/
  • Do git debrebase conclude to end the debrebase session
  • Manually create the debian/4.14.5+24-g87d90d511c-1 tag -> git tag -s debian/4.14.5+24-g87d90d511c-1 -m "xen release 4.14.5+24-g87d90d511c-1 for bullseye-security"
  • Push wip/bullseye-security branch to salsa
  • 'Merge' to 'real' branch (git checkout bullseye-security; git merge wip/bullseye-security)
  • Push bullseye-security branch to salsa. This must fast-forward, otherwise you did something wrong somewhere.
  • Reply on email to security team.
  • Wait for security team to sponsor the upload and send out the DSA
  • Send last reply with a yay thanks message
  • Move this whole section into the salsa gitlab issue and remove it here.
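Added example (not part of the Debian Xen Team's tooling or of this issue): two small helpers for the steps above. The first turns the `git describe` output of the chosen upstream commit (RELEASE-4.14.5-24-g87d90d511c87) into the Debian version string and the upstream/ and debian/ tag names the checklist uses; the 10-character hash length is an assumption read off the versions on this page. The second parses the debian/changelog entry pasted above into an XSA -> CVE map, so the advisory list can be cross-checked against https://xenbits.xen.org/xsa/ during the "triple check debian/changelog" step, and XSAs mentioned without any CVE (the "not listed" notes) stand out from the ones actually fixed. The sample changelog text is the one from this issue.

```python
"""Version derivation and changelog XSA/CVE extraction for a Xen security update.

Added example, not the Debian Xen Team's code. Assumptions: upstream tags are
named RELEASE-x.y.z, the abbreviated hash in Debian versions is 10 hex chars,
and the changelog entry uses the '*' / '-' layout shown in the issue above.
"""
import re

# git describe on a Xen stable branch: tag, commits since the tag, "g" + abbreviated hash.
# The trailing "-N-g<hash>" part is absent when the commit is exactly the tag.
_DESCRIBE_RE = re.compile(
    r"^RELEASE-(?P<upstream>\d+(?:\.\d+)+)"
    r"(?:-(?P<count>\d+)-g(?P<hash>[0-9a-f]+))?$"
)
_XSA_RE = re.compile(r"\bXSA-\d+\b")
_CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def describe_to_debian_version(describe, debian_revision=1, hash_len=10):
    """Map "RELEASE-4.14.5-24-g87d90d511c87" to "4.14.5+24-g87d90d511c-1"."""
    m = _DESCRIBE_RE.match(describe.strip())
    if not m:
        raise ValueError(f"not a RELEASE-x.y.z[-N-g<hash>] describe string: {describe!r}")
    if m["count"] is None:
        # Commit is the release tag itself: no "+N-g<hash>" suffix.
        return f"{m['upstream']}-{debian_revision}"
    return f"{m['upstream']}+{m['count']}-g{m['hash'][:hash_len]}-{debian_revision}"


def upstream_tag(debian_version):
    """upstream/<version without the Debian revision>, e.g. upstream/4.14.5+24-g87d90d511c."""
    return "upstream/" + debian_version.rsplit("-", 1)[0]


def debian_tag(debian_version):
    """debian/<full version>, the tag created after 'git debrebase conclude'."""
    return "debian/" + debian_version


def parse_changelog_entry(text):
    """Split a changelog entry into its '*' items; each carries its '-' sub-items
    together with every XSA and CVE identifier found on them."""
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("* "):
            items.append({"header": line[2:], "issues": []})
            continue
        if not items:
            raise ValueError("changelog text must start with a '* ' item")
        item = items[-1]
        if line.startswith("- "):
            item["issues"].append({"title": line[2:], "xsa": [], "cves": []})
            line = line[2:]  # identifiers may also sit on the title line
        elif not item["issues"]:
            item["header"] += " " + line  # continuation of the item header
            continue
        issue = item["issues"][-1]
        issue["xsa"].extend(_XSA_RE.findall(line))
        issue["cves"].extend(_CVE_RE.findall(line))
    return items


def xsa_to_cves(items):
    """Map every XSA mentioned in the entry to the CVEs listed with it.
    An empty list means the XSA is only mentioned, not fixed by this upload."""
    mapping = {}
    for item in items:
        for issue in item["issues"]:
            for xsa in issue["xsa"]:
                mapping.setdefault(xsa, []).extend(issue["cves"])
    return mapping


# Changelog text as pasted in the issue above.
SAMPLE_CHANGELOG = """\
  * Update to new upstream version 4.14.5+24-g87d90d511c, which also contains security fixes
    for the following issues:
    - x86 pv: Race condition in typeref acquisition
      XSA-401 CVE-2022-26362
    - x86 pv: Insufficient care with non-coherent mappings
      XSA-402 CVE-2022-26363 CVE-2022-26364
    - x86: MMIO Stale Data vulnerabilities
      XSA-404 CVE-2022-21123 CVE-2022-21125 CVE-2022-21166
    - Retbleed - arbitrary speculative code execution with return instructions
      XSA-407 CVE-2022-23816 CVE-2022-23825 CVE-2022-29900
  * Note that the following XSA are not listed, because...
    - XSA-403 patches are not applied to stable branch lines
    - XSA-405 and XSA-406 have patches for the Linux kernel.
"""

if __name__ == "__main__":
    version = describe_to_debian_version("RELEASE-4.14.5-24-g87d90d511c87")
    print(version, upstream_tag(version), debian_tag(version))
    for xsa, cves in sorted(xsa_to_cves(parse_changelog_entry(SAMPLE_CHANGELOG)).items()):
        print(xsa, "fixed:" if cves else "mentioned only", " ".join(cves))
```

Run it as a script to see the derived version, both tag names, and one line per XSA; XSA-403, XSA-405 and XSA-406 come out as "mentioned only", which is exactly the distinction the "not listed" note in the changelog is making.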
Edited Jul 15, 2022 by Hans van Kranenburg