On 01/19/2018 06:17 AM, Pasi Kärkkäinen wrote:
> On Thu, Jan 18, 2018 at 11:48:35AM -0600, Kevin Stange wrote:
>> Hi,
>>
>
> Hi,
>
>> I am very sorry to do this on short notice, but obviously Meltdown and
>> Spectre are a lot more than anyone was really expecting to come down the
>> pipeline. Xen 4.4 has been EOL upstream for about a year now and I have
>> personally been reviewing and backporting patches based on the 4.5
>> versions made available upstream.
>>
>> Given that 4.5 is now also reaching EOL, backporting to 4.4 will become
>> harder and I've already taken steps to vacate 4.4 in my own environment
>> ASAP. Spectre and Meltdown patches most likely will only officially
>> reach 4.6 and are very complicated. Ultimately, I don't think this is a
>> constructive use of my time. Therefore, I will NOT be continuing to
>> provide updated Xen 4.4 builds any longer through CentOS Virt SIG. If
>> someone else would like to take on the job, you're welcome to try. Pop
>> by #centos-virt on Freenode to talk to us there if you're interested.
>>
>> For short term mitigation of the Meltdown issue on 4.4 with PV domains,
>> your best bet is probably to use the "Vixen" shim solution, which George
>> has put into the xen-44 package repository per his email from two days
>> ago. Vixen allows you to run PV domains inside HVM guest containers. It
>> does not protect the guest from itself, but protects the domains from
>> each other. Long term, your best bet is to try to get up to a new
>> version of Xen that is under upstream security support, probably 4.8.
>
> Oracle VM 3.4 product is based on Xen 4.4, and they seem to have backported the fixes already.
>
> It looks like those src.rpms have {CVE-2017-5753} {CVE-2017-5715} {CVE-2017-5754} fixes included.
>
> https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/thread.html
> https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/000816.html
> https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/000817.html
>
> http://oss.oracle.com/oraclevm/server/3.4/SRPMS-updates/xen-4.4.4-155.0.12.el6.src.rpm
> http://oss.oracle.com/oraclevm/server/3.4/SRPMS-updates/xen-4.4.4-105.0.30.el6.src.rpm

That's impressive but dubious, as Xen has not released any fixes for CVE-2017-5753 or CVE-2017-5715 even for 4.10 yet.

-- 
Kevin Stange
Chief Technology Officer
Steadfast | Managed Infrastructure, Datacenter and Cloud Services
800 S Wells, Suite 190 | Chicago, IL 60607
312.602.2689 X203 | Fax: 312.602.2688
kevin at steadfast.net | www.steadfast.net