On 01/19/2018 06:17 AM, Pasi Kärkkäinen wrote:
> On Thu, Jan 18, 2018 at 11:48:35AM -0600, Kevin Stange wrote:
>> Hi,
>>
>
> Hi,
>
>> I am very sorry to do this on short notice, but obviously Meltdown and
>> Spectre are a lot more than anyone was really expecting to come down the
>> pipeline. Xen 4.4 has been EOL upstream for about a year now and I have
>> personally been reviewing and backporting patches based on the 4.5
>> versions made available upstream.
>>
>> Given that 4.5 is now also reaching EOL, backporting to 4.4 will become
>> harder and I've already taken steps to vacate 4.4 in my own environment
>> ASAP. Spectre and Meltdown patches most likely will only officially
>> reach 4.6 and are very complicated. Ultimately, I don't think this is a
>> constructive use of my time. Therefore, I will NOT be continuing to
>> provide updated Xen 4.4 builds any longer through CentOS Virt SIG. If
>> someone else would like to take on the job, you're welcome to try. Pop
>> by #centos-virt on Freenode to talk to us there if you're interested.
>>
>> For short term mitigation of the Meltdown issue on 4.4 with PV domains,
>> your best bet is probably to use the "Vixen" shim solution, which George
>> has put into the xen-44 package repository per his email from two days
>> ago. Vixen allows you to run PV domains inside HVM guest containers. It
>> does not protect the guest from itself, but protects the domains from
>> each other. Long term, your best bet is to try to get up to a new
>> version of Xen that is under upstream security support, probably 4.8.
>
> Oracle VM 3.4 product is based on Xen 4.4, and they seem to have backported the fixes already..
>
> It looks like those src.rpms have {CVE-2017-5753} {CVE-2017-5715} {CVE-2017-5754} fixes included.
>
> https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/thread.html
> https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/000816.html
> https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/000817.html
>
> http://oss.oracle.com/oraclevm/server/3.4/SRPMS-updates/xen-4.4.4-155.0.12.el6.src.rpm
> http://oss.oracle.com/oraclevm/server/3.4/SRPMS-updates/xen-4.4.4-105.0.30.el6.src.rpm
That's impressive but dubious as Xen has not released any fixes for
CVE-2017-5753 or CVE-2017-5715 even for 4.10 yet.
--
Kevin Stange
Chief Technology Officer
Steadfast | Managed Infrastructure, Datacenter and Cloud Services
800 S Wells, Suite 190 | Chicago, IL 60607
312.602.2689 X203 | Fax: 312.602.2688
kevin@xxxxxxxxxxxxx | www.steadfast.net
_______________________________________________
CentOS-virt mailing list
CentOS-virt@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos-virt
