On Sat, 18 May 2019 at 12:18, Hans van Kranenburg <h...@knorrie.org> wrote:
> Hi, > > On 5/17/19 5:21 PM, Wiebe Cazemier wrote: > > Package: xen-hypervisor-4.8-amd64 > > Version: 4.8.5+shim4.10.2+xsa282-1+deb9u11 > > > > All Xen Hypervisor packages also need patches against the Intel MDS bug, > > same as https://www.debian.org/security/2019/dsa-4444. > > > > http://xenbits.xen.org/xsa/advisory-297.html > > Yes, they do. > > For Xen 4.8 and 4.11, we're currently waiting for the related changes in > the upstream code branches to complete the regular test process at Xen > (compile, run on all different hardware etc). > > Only at the moment that the advisary is published, the patches are > committed to the public development branches. After that, the tests do > more rigorous regression testing than the developer writing them could > do. We tend to wait for this to succeed. E.g. as part of the packaging > team, I can test that the result boots on amd64, but I have no idea > myself if it also runs on arm etc. > > If you're desperately in need for an intermediate version, and you're > able to build debian packages yourself, then I can point you at > something that I'm running myself now. > > Regards, > Hans > No rush in that sense. The bugreport was precipitated by the lack of any mention of Xen in Ubuntu's en Debian's security announcements, while Qemu and libvirt were.