Xen 4.17 security update Sep 2023 for Debian unstable and stable
Triggered by XSA-437 (CVE-2023-34321) and XSA-438 (due Sep 19). Postponed to Oct 11 or 12, because the 12.2 point release would go out on Oct 7-9 and we want a security update that also covers the Oct 10 XSA issues.
https://xenbits.xen.org/xsa/ https://security-tracker.debian.org/tracker/source-package/xen
And then we can put a ~deb11u1 into Bookworm, either via the 12.2 point release or via the security channel.
Xen 4.17.2+55-g0b56bed864-1 for Debian unstable
This starts off as a copy of the 'last known good' checklist. Update stuff on the go, kthxbye
- Create a salsa gitlab issue about the package update, where we will paste the result of this checklist into when we're done, for historical purposes. #62
- Look at upstream, what's in the staging-x.y branch now?
- Wait for upstream tests to succeed and for stable-x.yz to advance, see osstest messages in https://lists.xenproject.org/archives/html/xen-devel/
- Pick the upstream commit that we're going to advance the packaging to -> `RELEASE-4.17.2-55-g0b56bed864ca`
- Choose the full target version number -> `4.17.2+55-g0b56bed864-1`
- Find out if there are additional packaging changes or things related to open BTS bugs we need to do, and insert checklist items for them at the right place.
- Fetch upstream into the packaging working copy
- Look through the new upstream changes, assemble the list of XSA info for the changelog -> already in final format! see also https://xenbits.xen.org/xsa/

      * Update to new upstream version 4.17.2+55-g0b56bed864, which also contains
        security fixes for the following issues:
        - arm32: The cache may not be properly cleaned/invalidated
          XSA-437 CVE-2023-34321
        - top-level shadow reference dropped too early for 64-bit PV guests
          XSA-438 CVE-2023-34322
        - x86/AMD: Divide speculative information leak
          XSA-439 CVE-2023-20588
        - xenstored: A transaction conflict can crash C Xenstored
          XSA-440 CVE-2023-34323
        - x86/AMD: missing IOMMU TLB flushing
          XSA-442 CVE-2023-34326
        - Multiple vulnerabilities in libfsimage disk handling
          XSA-443 CVE-2023-34325
        - x86/AMD: Debug Mask handling
          XSA-444 CVE-2023-34327 CVE-2023-34328
      * Note that the following XSA are not listed, because...
        - XSA-441 has patches for the Linux kernel.

- Create the upstream/xyz tag: `git tag -s upstream/4.17.2+55-g0b56bed864 -m "Tag current upstream stable-4.17 branch for Debian baseline" 0b56bed864`
- Look at the current state of the packaging repo; do we have the right starting point? (like, the debian/xyz tag of the previous upload)
- Switch to a work in progress branch, like `wip/sid` (or, hard reset `wip/sid` to match `master`)
- Do gdr new-upstream magic -> `git debrebase new-upstream 4.17.2+55-g0b56bed864-1`
- Write the `debian/changelog` entry. Just look at the previous ones for formatting examples.
- Set changelog to release to unstable: `dch --release --distribution unstable`
- Push the upstream/xyz tag to salsa: `git push <remote> upstream/4.17.2+55-g0b56bed864`
- Launder branch: `git debrebase`
- Have gdr update the debian/patches stuff: `git debrebase make-patches`
- Push the wip branch to salsa, and let gitlab-ci also build it
- Create orig.tar.whatever -> `git-deborig`
- Do a local build
- Smoke test, e.g. reboot a physical server with it, move some domU to it, do some live migrate, some restart etc.
- Take a proper break
- Check for any failures in the salsa pipeline
- Triple check debian/changelog for stupid errors
- Do `git debrebase conclude` and push to salsa if you're not the one doing the next step
- Upload: `dgit push-source`. This will also finish the git-debrebase process.
- Merge the WIP branch that is now finalized into the real branch (e.g. `git checkout master; git merge --ff-only wip/sid`) so that whoever looks in our repo always sees something that corresponds to the current package in Debian.
- Push branch with `-o ci.skip`
- Push archive/debian/sdf and debian/xyz tag to salsa
- Merge master to wip/sid using `--ff-only` and push to salsa
- Wait for ACCEPTED
- Wait for buildds to complete https://buildd.debian.org/status/package.php?p=xen
- Wait for the new version to actually end up in unstable
- Move all of this to the salsa issue and remove it from the pad
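As an added example (not part of the checklist or the Debian packaging repo): a small POSIX sh helper that derives the upstream tag name and the Debian target version used in the steps above from the `git describe` output of the chosen commit, so the two don't get hand-typed differently. It assumes upstream tags of the form `RELEASE-x.y.z`, a hash abbreviated to 10 hex digits and a Debian revision of `-1` for a new upstream version, as on this page; it also covers the case where the chosen commit is exactly a release tag.

```sh
#!/bin/sh
# Added example: turn `git describe --match 'RELEASE-*'` output such as
#   RELEASE-4.17.2-55-g0b56bed864ca
# into the upstream version 4.17.2+55-g0b56bed864, the tag
# upstream/4.17.2+55-g0b56bed864 and the Debian version 4.17.2+55-g0b56bed864-1.
# Assumptions (not stated by the checklist itself): 10-digit abbreviated hash,
# revision -1 unless given, and a bare RELEASE-x.y.z when exactly on a release.

# upstream_version DESCRIBE -> x.y.z+N-gHASH10, or x.y.z when on the tag itself
upstream_version() {
    describe="$1"
    case "$describe" in
        RELEASE-*-*-g*)
            rest="${describe#RELEASE-}"          # 4.17.2-55-g0b56bed864ca
            hash="${rest##*-g}"                  # 0b56bed864ca
            prefix="${rest%-g*}"                 # 4.17.2-55
            count="${prefix##*-}"                # 55
            version="${prefix%-*}"               # 4.17.2
            case "$hash" in
                *[!0-9a-f]*|'')
                    echo "bad commit hash in: $describe" >&2; return 1 ;;
            esac
            # printf precision truncates the hash to the 10 digits we use in tags
            printf '%s+%s-g%.10s\n' "$version" "$count" "$hash"
            ;;
        RELEASE-*)
            # exactly on a release tag: plain upstream version, no +N-g suffix
            printf '%s\n' "${describe#RELEASE-}"
            ;;
        *)
            echo "unexpected git describe output: $describe" >&2
            return 1
            ;;
    esac
}

# debian_version DESCRIBE [REVISION] -> upstream version plus Debian revision
debian_version() {
    up="$(upstream_version "$1")" || return 1
    printf '%s-%s\n' "$up" "${2:-1}"
}

# upstream_tag DESCRIBE -> name for the signed upstream/xyz tag
upstream_tag() {
    up="$(upstream_version "$1")" || return 1
    printf 'upstream/%s\n' "$up"
}

# Typical use inside the packaging checkout (not run here):
#   debian_version "$(git describe --match 'RELEASE-*' stable-4.17)"
```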
Edited by Maximilian Engelhardt