On 19/01/18 17:58, Kevin Stange wrote: > On 01/19/2018 06:17 AM, Pasi Kärkkäinen wrote: >> On Thu, Jan 18, 2018 at 11:48:35AM -0600, Kevin Stange wrote: >>> Hi, >>> >> >> Hi, >> >>> I am very sorry to do this on short notice, but obviously Meltdown and >>> Spectre are a lot more than anyone was really expecting to come down the >>> pipeline. Xen 4.4 has been EOL upstream for about a year now and I have >>> personally been reviewing and backporting patches based on the 4.5 >>> versions made available upstream. >>> >>> Given that 4.5 is now also reaching EOL, backporting to 4.4 will become >>> harder and I've already taken steps to vacate 4.4 in my own environment >>> ASAP. Spectre and Meltdown patches most likely will only officially >>> reach 4.6 and are very complicated. Ultimately, I don't think this is a >>> constructive use of my time. Therefore, I will NOT be continuing to >>> provide updated Xen 4.4 builds any longer through CentOS Virt SIG. If >>> someone else would like to take on the job, you're welcome to try. Pop >>> by #centos-virt on Freenode to talk to us there if you're interested. >>> >>> For short term mitigation of the Meltdown issue on 4.4 with PV domains, >>> your best bet is probably to use the "Vixen" shim solution, which George >>> has put into the xen-44 package repository per his email from two days >>> ago. Vixen allows you to run PV domains inside HVM guest containers. It >>> does not protect the guest from itself, but protects the domains from >>> each other. Long term, your best bet is to try to get up to a new >>> version of Xen that is under upstream security support, probably 4.8. >> >> Oracle VM 3.4 product is based on Xen 4.4, and they seem to have backported the fixes already.. >> >> It looks like those src.rpms have {CVE-2017-5753} {CVE-2017-5715} {CVE-2017-5754} fixes included. >> >> https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/thread.html >> https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/000816.html >> https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/000817.html >> >> http://oss.oracle.com/oraclevm/server/3.4/SRPMS-updates/xen-4.4.4-155.0.12.el6.src.rpm >> http://oss.oracle.com/oraclevm/server/3.4/SRPMS-updates/xen-4.4.4-105.0.30.el6.src.rpm > > That's impressive but dubious as Xen has not released any fixes for > CVE-2017-5753 or CVE-2017-5715 even for 4.10 yet. > It's not that dubious since its mainly Konrad Wilk and Boris Ostrovsky that have been doing most of that :) OracleVM also has a grub2 backport although I haven't really looked at that. jch _______________________________________________ CentOS-virt mailing list CentOS-virt@xxxxxxxxxx https://lists.centos.org/mailman/listinfo/centos-virt