Aha! On 02/11/2022 21:53, Salvatore Bonaccorso wrote: > Hi, > > On Wed, Nov 02, 2022 at 08:02:26PM +0100, Hans van Kranenburg wrote: >> Hi, >> >> On 10/19/22 21:55, Moritz Muehlenhoff wrote: >>>>> For the latest set of Xen issues my estimate is that we can postpone >>>>> them until the next batch, they seem all of moderate/limited impact. >>>>> But let me know if you think otherwise. >>>> >>>> I agree. Let's do them together with the new stuff that's planned for >>>> Nov 1st, https://xenbits.xen.org/xsa/ >>> >>> Ack, I've updated the Security Tracker. >> >> I'm having a look at this now, and while writing the changelog entry, I >> run into the following thing: >> >> XSA-403 has 4 CVE numbers. AFAIUI the first two are about the fixes done >> to Linux, and the other two are about changes to Xen. Shouldn't the >> Debian security tracker reflect that? >> >> CVE-2022-26365 CVE-2022-33740 -> src:linux only ? >> CVE-2022-33741 CVE-2022-33742 -> src:xen only ? > > Speaking for src:linux I do not think we need to change the tracking: > > CVE-2022-26365: 2f446ffe9d73 ("xen/blkfront: fix leaking data in shared > pages") > CVE-2022-33740: 307c8de2b023 ("xen/netfront: fix leaking data in shared > pages") > CVE-2022-33741: 4491001c2e0f ("xen/netfront: force data bouncing when backend > is untrusted") > CVE-2022-33742: 2400617da7ee ("xen/blkfront: force data bouncing when backend > is untrusted")
Riiight. Thanks, now I get why I cannot find any CVE number related to XSA-403 listed in the Xen upstream changes (at least for 4.14 which I'm working on now). They're all over there at the Linux side. Hans