tmem/XSA-15 backport?

tmem/XSA-15 backport?

[Dan Magenheimer]

Once zduan's tmem restore fix is applied, all known
tmem security issues have been resolved and tested
and tmem is fully functional again in xen-unstable,
including save/restore.

I'd like to recommend that all tmem patches be backported
to 4.1-stable and 4.2-stable prior to the next
point release and preferably asap.

Auditing activities are being conducted separately under
Konrad's supervision, but it seems wise to apply known
security patches to released trees before any users/distros
update.

Comments or objections?

Thanks,
Dan

P.S. Some work remains for tmem to always work properly
with "xl create" but "xm create" works fine.

Re: tmem/XSA-15 backport?

[Jan Beulich]

>>> On 19.09.12 at 17:48, Dan Magenheimer <dan.magenheimer@oracle.com> wrote:
> I'd like to recommend that all tmem patches be backported
> to 4.1-stable and 4.2-stable prior to the next
> point release and preferably asap.
> 
> Auditing activities are being conducted separately under
> Konrad's supervision, but it seems wise to apply known
> security patches to released trees before any users/distros
> update.
> 
> Comments or objections?

My recollection is that the committers more or less agreed to
consider backports only once the full audit was done, and we
were assured that no further vulnerabilities are to be
expected. But I'm certainly open to weakening that position
if others prefer going that route.

Jan

Re: tmem/XSA-15 backport?

[Dan Magenheimer]

> From: Jan Beulich [mailto:JBeulich@suse.com]
> Sent: Wednesday, September 19, 2012 10:00 AM
> To: Dan Magenheimer
> Cc: Ian Campbell; IanJackson; xen-devel@lists.xen.org; Konrad Wilk; Zhenzhong Duan; Keir Fraser;
> tim@xen.org
> Subject: Re: tmem/XSA-15 backport?
> 
> >>> On 19.09.12 at 17:48, Dan Magenheimer <dan.magenheimer@oracle.com> wrote:
> > I'd like to recommend that all tmem patches be backported
> > to 4.1-stable and 4.2-stable prior to the next
> > point release and preferably asap.
> >
> > Auditing activities are being conducted separately under
> > Konrad's supervision, but it seems wise to apply known
> > security patches to released trees before any users/distros
> > update.
> >
> > Comments or objections?
> 
> My recollection is that the committers more or less agreed to
> consider backports only once the full audit was done, and we
> were assured that no further vulnerabilities are to be
> expected. But I'm certainly open to weakening that position
> if others prefer going that route.

Yes, didn't make much sense to me :-)

I agree it may be wise to _not_ remove any published recommendations
to _not_ enable tmem until a full audit is done, but failing
to fix known issues (security or otherwise) in released trees
because there _might_ be other bugs found in the future seems
odd to me.

Other comments or objections?

Dan

Re: tmem/XSA-15 backport?

[Jan Beulich]

>>> On 19.09.12 at 17:48, Dan Magenheimer <dan.magenheimer@oracle.com> wrote:
> Once zduan's tmem restore fix is applied, all known
> tmem security issues have been resolved and tested
> and tmem is fully functional again in xen-unstable,
> including save/restore.
> 
> I'd like to recommend that all tmem patches be backported
> to 4.1-stable and 4.2-stable prior to the next
> point release and preferably asap.

Done.

Jan

Re: tmem/XSA-15 backport?

[Dan Magenheimer]

> From: Jan Beulich [mailto:JBeulich@suse.com]
> Sent: Tuesday, September 25, 2012 4:30 AM
> To: xen-devel@lists.xen.org; Dan Magenheimer
> Cc: Ian Campbell; IanJackson; Konrad Wilk; Zhenzhong Duan; tim@xen.org
> Subject: Re: tmem/XSA-15 backport?
> 
> >>> On 19.09.12 at 17:48, Dan Magenheimer <dan.magenheimer@oracle.com> wrote:
> > Once zduan's tmem restore fix is applied, all known
> > tmem security issues have been resolved and tested
> > and tmem is fully functional again in xen-unstable,
> > including save/restore.
> >
> > I'd like to recommend that all tmem patches be backported
> > to 4.1-stable and 4.2-stable prior to the next
> > point release and preferably asap.
> 
> Done.

Excellent!  Thanks much!

Dan