Xen 4.17 security update Sep 2023 for Debian unstable and stable

Because of XSA-437 (CVE-2023-34321) and XSA-438 (due Sep 19) -> Postponed to Oct 11 or 12, because the 12.2 point release would go out on Oct 7-9 and we want a security update for the Oct 10 XSA issues.

https://xenbits.xen.org/xsa/ https://security-tracker.debian.org/tracker/source-package/xen

And then, we can put a ~deb11u1 into Bookworm, either via the 12.2 point release or via the security channel.


Xen 4.17.2+55-g0b56bed864-1 for Debian unstable

This starts off as a copy of the 'last known good' checklist. Update stuff on the go, kthxbye

  • Create a salsa gitlab issue about the package update, where we will paste the result of this checklist into when we're done, for historical purposes. #62 (closed)
  • Look at upstream, what's in the staging-x.y branch now?
  • Wait for upstream tests to succeed and for stable-x.yz to advance, see osstest messages in https://lists.xenproject.org/archives/html/xen-devel/
  • pick upstream commit that we're going to advance the packaging to -> RELEASE-4.17.2-55-g0b56bed864ca
  • choose full target version number -> 4.17.2+55-g0b56bed864-1
  • Find out if there's additional packaging changes or things related to open BTS bugs we need to do, and insert checklist items for them at the right place.
  • fetch upstream into packaging working copy
  • look through new upstream changes, assemble list of XSA info for the changelog -> already in final format! see also https://xenbits.xen.org/xsa/
  * Update to new upstream version 4.17.2+55-g0b56bed864, which also contains
    security fixes for the following issues:
    - arm32: The cache may not be properly cleaned/invalidated
      XSA-437 CVE-2023-34321
    - top-level shadow reference dropped too early for 64-bit PV guests
      XSA-438 CVE-2023-34322
    - x86/AMD: Divide speculative information leak
      XSA-439 CVE-2023-20588
    - xenstored: A transaction conflict can crash C Xenstored
      XSA-440 CVE-2023-34323
    - x86/AMD: missing IOMMU TLB flushing
      XSA-442 CVE-2023-34326
    - Multiple vulnerabilities in libfsimage disk handling
      XSA-443 CVE-2023-34325
    - x86/AMD: Debug Mask handling
      XSA-444 CVE-2023-34327 CVE-2023-34328
  * Note that the following XSA are not listed, because...
    - XSA-441 has patches for the Linux kernel.
  • create upstream/xyz tag, git tag -s upstream/4.17.2+55-g0b56bed864 -m "Tag current upstream stable-4.17 branch for Debian baseline" 0b56bed864
  • look at the current state of the packaging repo; do we have the right starting point? (like, the debian/xyz tag of previous upload)
  • Switch to a work in progress branch, like wip/sid (or, hard reset wip/sid to match master)
  • Do gdr new-upstream magic -> git debrebase new-upstream 4.17.2+55-g0b56bed864-1
  • Write the debian/changelog entry. Just look at the previous ones for formatting examples.
  • Set changelog to release to unstable: dch --release --distribution unstable
  • Push the upstream/xyz tag to salsa git push <remote> upstream/4.17.2+55-g0b56bed864
  • Launder branch: git debrebase
  • Have gdr update the debian/patches stuff git debrebase make-patches
  • Push the wip branch to salsa, and let gitlab-ci also build it
  • Create orig.tar.whatever -> git-deborig
  • Do a local build
  • Smoke test, e.g. reboot a physical server with it, move some domU to it, do some live migrate, some restart etc.
  • Take a proper break
  • Check for any failures in salsa pipeline
  • Triple check debian/changelog for stupid errors
  • Do git debrebase conclude and push to salsa if you're not the one doing the next step
  • Upload: dgit push-source. This will also finish the git-debrebase process.
  • Merge WIP branch that is now finalized into the real branch (e.g. git checkout master; git merge --ff-only wip/sid) so that whoever looks in our repo always sees something that corresponds to the current package in Debian.
  • Push branch with -o ci.skip
  • Push archive/debian/sdf and debian/xyz tag to salsa
  • merge master to wip/sid using --ff-only and push to salsa
  • Wait for ACCEPTED
  • Wait for buildds to complete https://buildd.debian.org/status/package.php?p=xen
  • Wait for the new version to actually end up in unstable
  • Move all of this to the salsa issue and remove it from the pad
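A consistency check for the "triple check debian/changelog" step, added here as an example (it is not part of the Debian xen packaging or of this pad): it parses the changelog fragment above and reports every XSA number in a given range that is neither listed with a CVE id nor explained under the "not listed" note. The range bounds (437..444 here) are an assumption the caller supplies from https://xenbits.xen.org/xsa/.

```python
import re

# Constructed sample: the changelog fragment from the checklist above, verbatim.
CHANGELOG = """\
  * Update to new upstream version 4.17.2+55-g0b56bed864, which also contains
    security fixes for the following issues:
    - arm32: The cache may not be properly cleaned/invalidated
      XSA-437 CVE-2023-34321
    - top-level shadow reference dropped too early for 64-bit PV guests
      XSA-438 CVE-2023-34322
    - x86/AMD: Divide speculative information leak
      XSA-439 CVE-2023-20588
    - xenstored: A transaction conflict can crash C Xenstored
      XSA-440 CVE-2023-34323
    - x86/AMD: missing IOMMU TLB flushing
      XSA-442 CVE-2023-34326
    - Multiple vulnerabilities in libfsimage disk handling
      XSA-443 CVE-2023-34325
    - x86/AMD: Debug Mask handling
      XSA-444 CVE-2023-34327 CVE-2023-34328
  * Note that the following XSA are not listed, because...
    - XSA-441 has patches for the Linux kernel.
"""

def parse_changelog(text):
    """Return ({xsa_number: [cve ids]} for fixed issues, {excluded xsa numbers})."""
    fixed, excluded, in_excluded = {}, set(), False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("* "):  # a new top-level changelog item starts here
            in_excluded = "not listed" in line
            continue
        for n in map(int, re.findall(r"XSA-(\d+)", line)):
            if in_excluded:
                excluded.add(n)
            else:  # CVE ids sit on the same line as the XSA number
                fixed[n] = re.findall(r"CVE-\d{4}-\d+", line)
    return fixed, excluded

def check_coverage(text, first, last):
    """List XSAs in first..last that are neither fixed (with a CVE id) nor excluded."""
    fixed, excluded = parse_changelog(text)
    return [f"XSA-{n} " + ("listed without a CVE id" if n in fixed else "neither fixed nor explained")
            for n in range(first, last + 1) if not fixed.get(n) and n not in excluded]

if __name__ == "__main__":
    print(check_coverage(CHANGELOG, 437, 444) or "XSA-437..444 all accounted for")
```

Running it against the real debian/changelog entry before `dch --release` catches a forgotten XSA or a missing CVE id before the upload, which is cheaper than a second upload.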
Edited by Maximilian Engelhardt