From mboxrd@z Thu Jan 1 00:00:00 1970
From: Daniel Bareiro
Subject: Re: Doubt on KVM-88 vulnerabilities
Date: Mon, 14 Dec 2009 08:08:32 -0300
Message-ID: <20091214110832.GA2977@defiant.freesoftware>
References: <20091108184240.GA29279@defiant.freesoftware> <4AF93AB8.3040504@redhat.com>
In-Reply-To: <4AF93AB8.3040504@redhat.com>
Reply-To: dbareiro@gmx.net
To: KVM General

Hi, Avi.

On Tuesday, 10 November 2009 12:04:40 +0200,
Avi Kivity wrote:

>> I'm using KVM-88 compiled by myself from the source code provided by the
>> official site of the project.
>>
>> Is this version of KVM vulnerable to the mentioned thing in the
>> DSA-1907-1 [1]?

> Yes.

>> In such case, there is some published patch that can be
>> applied or some new version that solves this?

> I recommend to use distro-provided modules (or kernel.org kernels within
> their support period) for production use. This ensures you get security
> and stability fixes. kvm-89 will fix these issues, but as it's a
> development snapshot, may introduce new issues.

A few minutes ago I downloaded the source code of Linux 2.6.32 from
kernel.org because I wanted to test with KSM, which seems to me a very
interesting addition.

As you said above, surely the modules of 2.6.32 are going to be newer
than the ones compiled with KVM-88, with security fixes like the one
for DSA-1907-1.

Then, I imagine that it would only be necessary to compile the
userspace. The steps that I habitually followed are the ones mentioned
in the section 'Unpacking and configuring kvm components' of this [1]
document, but I suppose that to compile only the userspace it will be
necessary to follow a different procedure. Is there some document you
can point me to where these steps are mentioned?

The replies in this thread are very interesting. It strongly drew my
attention that Michael Tokarev said that KVM never was and never will
be for production. Personally I'm using KVM-88 with 2.6.30 and it
works wonderfully well.

Thanks for your reply.

Regards,
Daniel

[1] http://www.linux-kvm.org/page/HOWTO1

-- 
Fingerprint: BFB3 08D6 B4D1 31B2 72B9 29CE 6696 BF1B 14E6 1D37
Powered by Debian GNU/Linux Squeeze - Linux user #188.598