Xen security advisory?

perennate Member, Host Rep
edited October 2015 in General

Got this from Linode:

Hello,

Linode recently received several Xen Security Advisories (XSAs) that require us to perform updates to our host servers. In order to apply the updates, hosts and the Linodes running on them must be rebooted. The XSAs will be publicly released by the Xen project team on October 29th, therefore we must complete the updates before that date.

These updates are required to protect the security and safe operations of not only our infrastructure, but yours as well. We understand that a disruption with such limited notice is inconvenient, and we hope you understand that these measures are warranted due to the severity of the XSAs.

Your Linodes have been assigned a maintenance window in which a reboot will occur. These times are listed within the Linode Manager[1] in the timezone set in your user's My Profile[2]. Your schedule in UTC timezone is as follows:

  • 2015-10-20 1:00:00 PM UTC - linode(XYZ)

During the maintenance window Linode instances will be cleanly shut down while we perform the updates. Your Linode will be inaccessible during this time. A two-hour window is allocated, however the actual downtime can be much less. After the maintenance, each Linode will then be booted. See our Reboot Survival Guide[3] for tips and hints on configuring and testing that your Linode services boot properly after the maintenance.

Unfortunately, due to the logistical demands of this effort, your assigned windows are not changeable and the host reboots are mandatory.

For general information, please see our status post: http://status.linode.com/incidents/ltchxw3jmx0s

Please let us know if there is anything we can do to assist.

[1] https://manager.linode.com/linodes

[2] https://manager.linode.com/profile

[3] https://www.linode.com/docs/uptime/reboot-survival-guide

-Linode

Comments

  • yup :) I'm glad I've migrated my linode to KVM

  • XSA-152     2015-10-29 12:00            none (yet) assigned     (Prereleased, but embargoed)
    XSA-151     2015-10-29 12:00            none (yet) assigned     (Prereleased, but embargoed)
    XSA-150     2015-10-29 12:00            none (yet) assigned     (Prereleased, but embargoed)
    XSA-149     2015-10-29 12:00            none (yet) assigned     (Prereleased, but embargoed)
    XSA-148     2015-10-29 12:00            assigned, but embargoed     (Prereleased, but embargoed)
    XSA-147     2015-10-29 12:00            assigned, but embargoed     (Prereleased, but embargoed)
    XSA-146     2015-10-29 12:00            assigned, but embargoed     (Prereleased, but embargoed)
    XSA-145     2015-10-29 12:00            assigned, but embargoed     (Prereleased, but embargoed)
    

    That's a lot. Who of the Xen hosts is on that list? I wonder if it's HVM only or that PV is affected ass well.

  • tommy said: yup :) I'm glad I've migrated my linode to KVM

    Because qemu/KVM are bug free and there are never security advisories and need for reboot when you use KVM?

    Thanked by 3: mpkossen, yomero, Aga
  • jarjar Patron Provider, Top Host, Veteran

    Raymii said: ass well

    Would hate to fall down that.

  • AnthonySmith Member, Patron Provider

    I suspect linode will be one of the few that will reboot, don't expect all Xen hosts to have downtime, I can't really say anything else due to the embargo.

  • @AnthonySmith said:
    I suspect linode will be one of the few that will reboot, don't expect all Xen hosts to have downtime, I can't really say anything else due to the embargo.

    You do Xen, right?

  • How big a volume of Xen VMs do you have, @AnthonySmith? (indication?)

    They list a fairly big number of VMs on their site to apply, which holds me back from applying...

  • rds100 said: Because qemu/KVM are bug free and there are never security advisories and need for reboot when you use KVM?

    Host node reboot you can probably get away with, most QEMU/KVM shit happens userland.

  • rds100 said: Because qemu/KVM are bug free and there are never security advisories and need for reboot when you use KVM?

    No, because KVM is more stable from my tests and my VPS isn't affected by this bug. That's all.

  • jbiloh Administrator, Veteran

    What is the benefit of using xen over kvm? I can't think of any...

  • jbiloh said: What is the benefit of using xen over kvm? I can't think of any...

    In theory Xen PV is faster? Well, that was just theory, apparently it isn't, and that's one of the reasons for the migration to KVM.

  • AnthonySmith said: I suspect linode will be one of the few that will reboot, don't expect all Xen hosts to have downtime, I can't really say anything else due to the embargo.

    No big drama, just live migrate, upgrade, live migrate back

  • @jbiloh said:
    What is the benefit of using xen over kvm? I can't think of any...

    Xen pre-dates KVM by some years, so there was certainly a time when it was more feature complete, stable, and better supported by guest OS drivers. How they compare in those regards now I'm not sure, I use KVM as it seems to be the "standard" - it has been in the mainline kernel longer (but IIRC both are considered first-class citizens so neither is likely to be deprecated in favour of the other until something better than both comes along).

    KVM requires CPU virtualisation support (VT-x or SVM) where Xen can live without it if the guests are specially modified to run in the para-virtualised environment - but when buying a service from a provider like Linode that is not significant as they'll have decent modern hardware anyway.

  • @Jar said:
    Would hate to fall down that.

    Or up that

    Thanked by 1: jar
  • patrick7 Member, LIR

    Anyone received an update from Debian? Looks like it's still vulnerable: https://security-tracker.debian.org/tracker/CVE-2015-7835.

    Usually Debian is very fast with security updates.
