No security updates since release in all Ubuntu releases

Bug #1970507 reported by Luís Infante da Câmara
Affects: xen (Ubuntu)
Status: Expired
Importance: Medium
Assigned to: Unassigned
Milestone: none
information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote:

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
Luís Infante da Câmara (luis220413) wrote (last edit):

In Bionic, this source package is in main. Why did the Ubuntu Security Team not provide any updates for that package?

In Trusty and Xenial, the source package is also in main, but the Ubuntu Security Team has not provided any updates since October 2017, still very far from the end of standard support of those releases. Why?

Changed in xen (Ubuntu):
status: New → In Progress
assignee: nobody → Luís Cunha dos Reis Infante da Câmara (luis220413)
Marc Deslauriers (mdeslaur) wrote:

The source package is in main, but the binary packages are in universe.

Luís Infante da Câmara (luis220413) wrote (last edit):

Patches for Focal, Impish and Jammy will be added by June 15.

(Sorry for the postponements, this bug is difficult to fix, but it is nearing its end.)

Luís Infante da Câmara (luis220413) wrote:

I am going through the last XSA (XSA-400) and will, if a local build is successful, add a patch for Focal tomorrow.

Luís Infante da Câmara (luis220413) wrote:

Meanwhile, on June 9, Xen released two more security advisories: XSA-401 and XSA-402. I have just added the corresponding CVEs to this bug report.

Luís Infante da Câmara (luis220413) wrote:

The next time this package is updated in Focal, application of commit d6fcc586979 from the stable-4.12 branch should be considered.

Luís Infante da Câmara (luis220413) wrote:

The Stable Release Update bug for Jammy is bug #1978891.

description: updated
Luís Infante da Câmara (luis220413) wrote:

I will publish the Focal debdiff today.

Impish will reach end-of-life in 28 days, therefore I will not publish a patch for Impish.

Luís Infante da Câmara (luis220413) wrote:

The Focal debdiff is nearly complete and will be published tomorrow. It only remains to test whether the package compiles on ARM.

Luís Infante da Câmara (luis220413) wrote:

The package compiles on all architectures it supports.

Changed in xen (Ubuntu):
status: In Progress → Fix Committed
assignee: Luís Cunha dos Reis Infante da Câmara (luis220413) → nobody
Ubuntu Foundations Team Bug Bot (crichton) wrote:

The attachment "xen_focal.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Luís Infante da Câmara (luis220413) wrote (last edit):

In reply to comment #3:
* 3 of the packages built from the xen source package in Bionic are in main: libxen-4.9, libxen-dev and libxenstore3.0. According to the history of tools/libxl in upstream Git, the patches for CVE-2019-18424 and CVE-2020-0543 modified the source code for libxenlight, that is compiled into libxen-4.9.
* Why did the Ubuntu Security Team provide full updates for Xen in Ubuntu 14.04 and 16.04 until October 2017, and then stop providing them? For these releases, 5 and 3 binary packages built from this source package are in main, respectively.

Mathew Hodson (mhodson)
Changed in xen (Ubuntu):
importance: Undecided → Medium
Seth Arnold (seth-arnold) wrote:

The regular Xen updates in previous releases were contributed by an engineer on his own time when they were a priority for him. Around that time Xen stopped being a personal priority for him, so he stopped preparing the updates.

Thanks

Luís Infante da Câmara (luis220413) wrote:

Please review this patch.

Luís Infante da Câmara (luis220413) wrote:

This is an updated patch based on the version in the unapproved queue.

A patched source package is building in my PPA (https://launchpad.net/~luis220413/+archive/ubuntu/security-updates).

Luís Infante da Câmara (luis220413) wrote:

To test this update, run some VMs under Xen with the updated package and use exploits (both public and private) to test that at least some linked CVEs are fixed.

3 CVEs (CVE-2022-21123, CVE-2022-21125 and CVE-2022-21166) are not fixed by the attached patch.

Eduardo Barretto (ebarretto) wrote:

Thanks for uploading the debdiff and adding testing information.
I will be taking a look at your debdiff in the following days.

Mauricio Faria de Oliveira (mfo) wrote:

Hi Eduardo / Security team,

Would it be possible to consider staging these changes only _after_ the current Xen package in focal/unapproved lands in focal-updates?

(It's a small FTBFS fixup for focal-proposed that has already been waiting 7+ days.)

Even though it's certainly welcome to have such a nice contribution from a security perspective as this bug/debdiff, it's certainly big, and there's always risk of regressions, as with any upload material.

Thus, as the current upload (focal-proposed + focal/unapproved queue) is much smaller in scope and risk, it'd seem reasonable to land those first, just in case an issue pops up with these larger changes, so there's a way back/downgrade that still has the other/smaller fixes.

Thanks!

Eduardo Barretto (ebarretto) wrote:

Hi Mauricio,

Yes, for sure! We were already waiting for your SRU to land before starting work on this.

I'd appreciate it if you could let us know when it gets published.

Luís Infante da Câmara (luis220413) wrote:

6 CVEs (CVE-2022-21123, CVE-2022-21125, CVE-2022-21166, CVE-2022-23816, CVE-2022-23825 and CVE-2022-29900) are not fixed by the attached patch.

Eduardo Barretto (ebarretto) wrote:

just to keep this ticket up-to-date:
I'm analyzing Luis' debdiff while we wait for Mauricio's SRU to be merged.

Eduardo Barretto (ebarretto) wrote:

Since this has way too many CVEs/patches at once, we decided to break it down into multiple updates over time, thereby reducing the risk of regression. I've added about half of the 2020 CVEs and uploaded a version to the security-proposed PPA:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=xen&field.status_filter=published&field.series_filter=

Please test it and share the results with us.

Luís Infante da Câmara (luis220413) wrote (last edit):

I will adjust the changelog to be consistent with my other security updates.

I will ensure that this version is tested on amd64, arm64 and armhf, both natively and under virtualization, and will test as much as possible, within my available hardware. If I cannot perform an important test, I will issue a call for testers to run those tests.

Eduardo Barretto (ebarretto) wrote:

Any feedback on the version on security-proposed?

Eduardo Barretto (ebarretto) wrote:

This is now released: https://ubuntu.com/security/notices/USN-5617-1
Fixed CVEs:
    CVE-2020-25599
    CVE-2020-11740
    CVE-2020-11739
    CVE-2020-15567
    CVE-2020-15563
    CVE-2020-25596
    CVE-2020-25600
    CVE-2020-25602
    CVE-2020-11743
    CVE-2020-11741
    CVE-2020-15564
    CVE-2020-0543
    CVE-2020-15566
    CVE-2020-15565
    CVE-2020-25604
    CVE-2020-25597
    CVE-2020-25603
    CVE-2020-25601
    CVE-2020-25595
    CVE-2020-11742
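
A check an administrator can run once a USN such as USN-5617-1 lands, and again later when the thread notes that the bug covers more CVEs than the notice fixed: extract the CVE identifiers the installed package's Debian changelog mentions and report which of a wanted set are absent. This is an added example written for this page, not code from the xen package, the bug reporter or the Ubuntu Security Team. The changelog excerpt embedded below is constructed (placeholder version, maintainer and date); the binary package name in the usage note is something the reader supplies, and the changelog location assumes the usual Debian layout under /usr/share/doc.

```shell
#!/bin/sh
# Added example for bug #1970507: which CVEs does a package changelog cover?
# Not code from the xen package or from anyone in the bug thread.

# Constructed changelog excerpt (NOT the real xen changelog). The version
# string, maintainer address and date are placeholders.
SAMPLE_CHANGELOG='xen (0.0-0ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: constructed example entry
    - CVE-2020-25599
    - CVE-2020-11740
  * Also fixes CVE-2020-0543 (mentioned inline rather than as a list item).

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000
'

# Read text on stdin; print each distinct CVE identifier once, sorted.
# The pattern accepts the 4-digit sequence numbers used here and the
# longer sequence numbers that newer CVE ids can carry.
extract_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Arg 1: whitespace-separated CVE ids you expect the update to fix.
# Stdin: changelog text. Prints the wanted ids that the changelog does not
# mention, one per line; prints nothing when every wanted id is present.
missing_cves() {
    wanted="$1"
    found=$(extract_cves)
    for cve in $wanted; do
        # Whole-line fixed-string match, so CVE-2020-0543 is not satisfied
        # by a longer id such as CVE-2020-05431 appearing in the changelog.
        if ! printf '%s\n' "$found" | grep -qxF -- "$cve"; then
            echo "$cve"
        fi
    done
}

# Demo on the constructed excerpt: two ids it lists, one it mentions inline,
# and one (from the thread's "not fixed" list) it does not mention at all.
printf '%s' "$SAMPLE_CHANGELOG" \
    | missing_cves 'CVE-2020-25599 CVE-2020-0543 CVE-2022-21123'
```

On a real host, feed the installed package's changelog instead of the sample, for instance `zcat /usr/share/doc/<xen binary package>/changelog.Debian.gz | missing_cves 'CVE-2022-21123 CVE-2022-21125 CVE-2022-21166 CVE-2022-23816 CVE-2022-23825 CVE-2022-29900'` with the six ids the thread lists as still unfixed; any id printed is still outstanding on that system. The check only proves the changelog mentions an id, not that the fix is correct, so it complements rather than replaces the VM-based testing described earlier in the thread.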

Athos Ribeiro (athos-ribeiro) wrote:

There are no LP references in the changelog for this one. Should we move this bug to Fix Released?

Eduardo Barretto (ebarretto) wrote:

This bug ticket has more CVEs than only the ones fixed, that's why we didn't reference it, and we also didn't use the provided debdiff, as it is way too big.
Not sure what you want to do with the status for this case.

Marc Deslauriers (mdeslaur) wrote:

Since this bug is about more CVEs than what was released, I have set the status back to Confirmed and have unsubscribed ubuntu-security-sponsors for now.

Changed in xen (Ubuntu):
status: Fix Committed → Confirmed
Luís Infante da Câmara (luis220413) wrote:

Security team: Can you prepare another update from my debdiff, as you did in comment #24?

Alex Murray (alexmurray) wrote:

@luis220413 as Eduardo said in comment #29, the provided debdiff is not useful for security patching. If you want to understand more what is required, it is essentially the same requirements that the SRU team uses to assess Stable Release Updates - https://wiki.ubuntu.com/StableReleaseUpdates

We also require a similar level of detail in terms of testing and justification for security uploads, so without this information and a suitable debdiff that only contains just the security fixes and nothing else, there is no action our team is able to take at this time (other than doing all the work ourselves from scratch as was done in the original case of this bug since the provided debdiff was not useful).

Changed in xen (Ubuntu):
status: Confirmed → Incomplete
Launchpad Janitor (janitor) wrote:

[Expired for xen (Ubuntu) because there has been no activity for 60 days.]

Changed in xen (Ubuntu):
status: Incomplete → Expired