[CentOS-virt] Xen 4.4 Immediate EOL

Fri Jan 19 18:13:11 UTC 2018
John Haxby <jch at thehaxbys.co.uk>

On 19/01/18 17:58, Kevin Stange wrote:
> On 01/19/2018 06:17 AM, Pasi Kärkkäinen wrote:
>> On Thu, Jan 18, 2018 at 11:48:35AM -0600, Kevin Stange wrote:
>>> Hi,
>>>
>>
>> Hi,
>>  
>>> I am very sorry to do this on short notice, but obviously Meltdown and
>>> Spectre are a lot more than anyone was really expecting to come down the
>>> pipeline.  Xen 4.4 has been EOL upstream for about a year now and I have
>>> personally been reviewing and backporting patches based on the 4.5
>>> versions made available upstream.
>>>
>>> Given that 4.5 is now also reaching EOL, backporting to 4.4 will become
>>> harder and I've already taken steps to vacate 4.4 in my own environment
>>> ASAP.  Spectre and Meltdown patches most likely will only officially
>>> reach 4.6 and are very complicated.  Ultimately, I don't think this is a
>>> constructive use of my time.  Therefore, I will NOT be continuing to
>>> provide updated Xen 4.4 builds any longer through CentOS Virt SIG.  If
>>> someone else would like to take on the job, you're welcome to try.  Pop
>>> by #centos-virt on Freenode to talk to us there if you're interested.
>>>
>>> For short term mitigation of the Meltdown issue on 4.4 with PV domains,
>>> your best bet is probably to use the "Vixen" shim solution, which George
>>> has put into the xen-44 package repository per his email from two days
>>> ago. Vixen allows you to run PV domains inside HVM guest containers.  It
>>> does not protect the guest from itself, but protects the domains from
>>> each other.  Long term, your best bet is to try to get up to a new
>>> version of Xen that is under upstream security support, probably 4.8.
>>
>> Oracle VM 3.4 product is based on Xen 4.4, and they seem to have backported the fixes already.
>>
>> It looks like those src.rpms have {CVE-2017-5753} {CVE-2017-5715} {CVE-2017-5754} fixes included.
>>
>> https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/thread.html
>> https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/000816.html
>> https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/000817.html
>>
>> http://oss.oracle.com/oraclevm/server/3.4/SRPMS-updates/xen-4.4.4-155.0.12.el6.src.rpm
>> http://oss.oracle.com/oraclevm/server/3.4/SRPMS-updates/xen-4.4.4-105.0.30.el6.src.rpm
> 
> That's impressive but dubious as Xen has not released any fixes for
> CVE-2017-5753 or CVE-2017-5715 even for 4.10 yet.
> 

It's not that dubious since it's mainly Konrad Wilk and Boris Ostrovsky
that have been doing most of that :)

OracleVM also has a grub2 backport although I haven't really looked at that.

jch