[CentOS-virt] Xen 4.4 Immediate EOL
Pasi Kärkkäinen
pasik at iki.fi
Fri Jan 19 12:17:21 UTC 2018
On Thu, Jan 18, 2018 at 11:48:35AM -0600, Kevin Stange wrote:
> Hi,
>
Hi,
> I am very sorry to do this on short notice, but obviously Meltdown and
> Spectre are a lot more than anyone was really expecting to come down the
> pipeline. Xen 4.4 has been EOL upstream for about a year now and I have
> personally been reviewing and backporting patches based on the 4.5
> versions made available upstream.
>
> Given that 4.5 is now also reaching EOL, backporting to 4.4 will become
> harder and I've already taken steps to vacate 4.4 in my own environment
> ASAP. Spectre and Meltdown patches most likely will only officially
> reach 4.6 and are very complicated. Ultimately, I don't think this is a
> constructive use of my time. Therefore, I will NOT be continuing to
> provide updated Xen 4.4 builds any longer through CentOS Virt SIG. If
> someone else would like to take on the job, you're welcome to try. Pop
> by #centos-virt on Freenode to talk to us there if you're interested.
>
> For short term mitigation of the Meltdown issue on 4.4 with PV domains,
> your best bet is probably to use the "Vixen" shim solution, which George
> has put into the xen-44 package repository per his email from two days
> ago. Vixen allows you to run PV domains inside HVM guest containers. It
> does not protect the guest from itself, but protects the domains from
> each other. Long term, your best bet is to try to get up to a new
> version of Xen that is under upstream security support, probably 4.8.
>
Oracle VM 3.4 product is based on Xen 4.4, and they seem to have backported the fixes already.
It looks like those src.rpms have {CVE-2017-5753} {CVE-2017-5715} {CVE-2017-5754} fixes included.
https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/thread.html
https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/000816.html
https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/000817.html
http://oss.oracle.com/oraclevm/server/3.4/SRPMS-updates/xen-4.4.4-155.0.12.el6.src.rpm
http://oss.oracle.com/oraclevm/server/3.4/SRPMS-updates/xen-4.4.4-105.0.30.el6.src.rpm
-- Pasi
> --
> Kevin Stange
> Chief Technology Officer
> Steadfast | Managed Infrastructure, Datacenter and Cloud Services
> 800 S Wells, Suite 190 | Chicago, IL 60607
> 312.602.2689 X203 | Fax: 312.602.2688
> kevin at steadfast.net | www.steadfast.net