Bug#929129: [Pkg-xen-devel] Bug#929129: Xen Hypervisor security update for Intel MDS - XSA 297

2019-05-19 Thread Wiebe Cazemier
On Sat, 18 May 2019 at 12:18, Hans van Kranenburg wrote:

> Hi,
>
> On 5/17/19 5:21 PM, Wiebe Cazemier wrote:
> > Package: xen-hypervisor-4.8-amd64
> > Version: 4.8.5+shim4.10.2+xsa282-1+deb9u11
> >
> > All Xen Hypervisor packages also need patches against the Intel MDS bug,
> > same as https://www.debian.org/security/2019/dsa-.
> >
> > http://xenbits.xen.org/xsa/advisory-297.html
>
> Yes, they do.
>
> For Xen 4.8 and 4.11, we're currently waiting for the related changes in
> the upstream code branches to complete the regular test process at Xen
> (compile, run on all different hardware etc).
>
> Only at the moment that the advisory is published, the patches are
> committed to the public development branches. After that, the tests do
> more rigorous regression testing than the developer writing them could
> do. We tend to wait for this to succeed. E.g. as part of the packaging
> team, I can test that the result boots on amd64, but I have no idea
> myself if it also runs on arm etc.
>
> If you're desperately in need of an intermediate version, and you're
> able to build Debian packages yourself, then I can point you at
> something that I'm running myself now.
>
> Regards,
> Hans
>

No rush in that sense. The bug report was precipitated by the lack of any
mention of Xen in Ubuntu's and Debian's security announcements, while Qemu
and libvirt were.


Bug#929129: [Pkg-xen-devel] Bug#929129: Xen Hypervisor security update for Intel MDS - XSA 297

2019-05-18 Thread Hans van Kranenburg
Hi,

On 5/17/19 5:21 PM, Wiebe Cazemier wrote:
> Package: xen-hypervisor-4.8-amd64
> Version: 4.8.5+shim4.10.2+xsa282-1+deb9u11
> 
> All Xen Hypervisor packages also need patches against the Intel MDS bug,
> same as https://www.debian.org/security/2019/dsa-. 
> 
> http://xenbits.xen.org/xsa/advisory-297.html

Yes, they do.

For Xen 4.8 and 4.11, we're currently waiting for the related changes in
the upstream code branches to complete the regular test process at Xen
(compile, run on all different hardware etc).

Only at the moment that the advisory is published, the patches are
committed to the public development branches. After that, the tests do
more rigorous regression testing than the developer writing them could
do. We tend to wait for this to succeed. E.g. as part of the packaging
team, I can test that the result boots on amd64, but I have no idea
myself if it also runs on arm etc.

If you're desperately in need of an intermediate version, and you're
able to build Debian packages yourself, then I can point you at
something that I'm running myself now.

Regards,
Hans