[CentOS-virt] Xen 4.4 Immediate EOL

Fri Jan 19 12:17:21 UTC 2018
Pasi Kärkkäinen <pasik at iki.fi>

On Thu, Jan 18, 2018 at 11:48:35AM -0600, Kevin Stange wrote:
> Hi,
>

Hi,
 
> I am very sorry to do this on short notice, but obviously Meltdown and
> Spectre are a lot more than anyone was really expecting to come down the
> pipeline.  Xen 4.4 has been EOL upstream for about a year now and I have
> personally been reviewing and backporting patches based on the 4.5
> versions made available upstream.
> 
> Given that 4.5 is now also reaching EOL, backporting to 4.4 will become
> harder and I've already taken steps to vacate 4.4 in my own environment
> ASAP.  Spectre and Meltdown patches most likely will only officially
> reach 4.6 and are very complicated.  Ultimately, I don't think this is a
> constructive use of my time.  Therefore, I will NOT be continuing to
> provide updated Xen 4.4 builds any longer through CentOS Virt SIG.  If
> someone else would like to take on the job, you're welcome to try.  Pop
> by #centos-virt on Freenode to talk to us there if you're interested.
> 
> For short term mitigation of the Meltdown issue on 4.4 with PV domains,
> your best bet is probably to use the "Vixen" shim solution, which George
> has put into the xen-44 package repository per his email from two days
> ago. Vixen allows you to run PV domains inside HVM guest containers.  It
> does not protect the guest from itself, but protects the domains from
> each other.  Long term, your best bet is to try to get up to a new
> version of Xen that is under upstream security support, probably 4.8.
> 

The Oracle VM 3.4 product is based on Xen 4.4, and they seem to have backported the fixes already.

It looks like those src.rpms have {CVE-2017-5753} {CVE-2017-5715} {CVE-2017-5754} fixes included.

https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/thread.html
https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/000816.html
https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/000817.html

http://oss.oracle.com/oraclevm/server/3.4/SRPMS-updates/xen-4.4.4-155.0.12.el6.src.rpm
http://oss.oracle.com/oraclevm/server/3.4/SRPMS-updates/xen-4.4.4-105.0.30.el6.src.rpm


-- Pasi

> -- 
> Kevin Stange
> Chief Technology Officer
> Steadfast | Managed Infrastructure, Datacenter and Cloud Services
> 800 S Wells, Suite 190 | Chicago, IL 60607
> 312.602.2689 X203 | Fax: 312.602.2688
> kevin at steadfast.net | www.steadfast.net