This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable

Steven Timm wrote:
> And I am trying to figure out what other
> people like myself are doing--namely those who need to keep
> Xen 3.1.0 plus some kind of redhat working together and security-patched.
> Is there anyone on this list who has such a setup working at the moment?

> I'm learning a lot from this discussion and appreciate everyone's
> help, but hopefully someone can point me to a solution of the form
> "here is what I did and it works" rather than "maybe this will work."

>>> I understand that a xen 3.0.3-compiled kernel could be a domU in this
>>> setup but not a dom0.  Is this understanding wrong?
>> It definitely couldn't be a dom0.

I'm using xen.gz and xen userland from Xen-3.1 (compiled from a modified
RHEL's xen .src.rpm), together with RHEL5's kernel-xen (3.0.3) for dom0,
with solaris and WinXP HVM domU, and it works. This way I have to
maintain xen rpm manually (including fixing it for CVE-2007-4993, for
example), but at least I can use RH's kernel rpm.

I chose this approach because:
- I want to use something with a long support lifetime for both dom0 and
domU, so Fedora is not an option.
- I have little need for Xen 3.1. Most of my servers can run happily on
RHEL5/Xen 3.0.3, so manually updating a small number of servers is

If you want vendor-maintained xen and kernel, you could use Fedora 7 (or
whatever distro that ships with Xen 3.1) for dom0, and have RHEL5 for
domU. Of course, given the limited lifetime of Fedora, you should also
prepare to upgrade your dom0 with the next Fedora/RHEL when it's released.


