Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 201309-24 ] Xen: Multiple vulnerabilities
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Veteran
Veteran


Joined: 12 May 2004
Posts: 1547

PostPosted: Fri Sep 27, 2013 10:26 pm    Post subject: [ GLSA 201309-24 ] Xen: Multiple vulnerabilities Reply with quote

Gentoo Linux Security Advisory

Title: Xen: Multiple vulnerabilities (GLSA 201309-24)
Severity: high
Exploitable: local
Date: September 27, 2013
Bug(s): #385319, #386371, #420875, #431156, #454314, #464724, #472214, #482860
ID: 201309-24

Synopsis

Multiple vulnerabilities have been found in Xen, allowing attackers
on a Xen Virtual Machine to execute arbitrary code, cause Denial of
Service, or gain access to data on the host.


Background

Xen is a bare-metal hypervisor.

Affected Packages

Package: app-emulation/xen
Vulnerable: < 4.2.2-r1
Unaffected: >= 4.2.2-r1
Architectures: All supported architectures

Package: app-emulation/xen-tools
Vulnerable: < 4.2.2-r3
Unaffected: >= 4.2.2-r3
Architectures: All supported architectures

Package: app-emulation/xen-pvgrub
Vulnerable: < 4.2.2-r1
Unaffected: >= 4.2.2-r1
Architectures: All supported architectures


Description

Multiple vulnerabilities have been discovered in Xen. Please review the
CVE identifiers referenced below for details.


Impact

Guest domains could possibly gain privileges, execute arbitrary code, or
cause a Denial of Service on the host domain (Dom0). Additionally, guest
domains could gain information about other virtual machines running on
the same host or read arbitrary files on the host.


Workaround

The CVEs listed below do not currently have fixes, but only apply to Xen
setups which have “tmem” specified on the hypervisor command line.
TMEM is not currently supported for use in production systems, and
administrators using tmem should disable it.
Relevant CVEs:
* CVE-2012-2497
* CVE-2012-6030
* CVE-2012-6031
* CVE-2012-6032
* CVE-2012-6033
* CVE-2012-6034
* CVE-2012-6035
* CVE-2012-6036


Resolution

All Xen users should upgrade to the latest version:
Code:
# emerge --sync
      # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.2.2-r1"
   
All Xen-tools users should upgrade to the latest version:
Code:
# emerge --sync
      # emerge --ask --oneshot --verbose
      ">=app-emulation/xen-tools-4.2.2-r3"
   
All Xen-pvgrub users should upgrade to the latest version:
Code:
# emerge --sync
      # emerge --ask --oneshot --verbose
      ">=app-emulation/xen-pvgrub-4.2.2-r1"
   


References

CVE-2011-2901
CVE-2011-3262
CVE-2012-0217
CVE-2012-0218
CVE-2012-2934
CVE-2012-3432
CVE-2012-3433
CVE-2012-3494
CVE-2012-3495
CVE-2012-3496
CVE-2012-3497
CVE-2012-3498
CVE-2012-3515
CVE-2012-4411
CVE-2012-4535
CVE-2012-4536
CVE-2012-4537
CVE-2012-4538
CVE-2012-4539
CVE-2012-5510
CVE-2012-5511
CVE-2012-5512
CVE-2012-5513
CVE-2012-5514
CVE-2012-5515
CVE-2012-5525
CVE-2012-5634
CVE-2012-6030
CVE-2012-6031
CVE-2012-6032
CVE-2012-6033
CVE-2012-6034
CVE-2012-6035
CVE-2012-6036
CVE-2012-6075
CVE-2012-6333
CVE-2013-0151
CVE-2013-0152
CVE-2013-0153
CVE-2013-0154
CVE-2013-0215
CVE-2013-1432
CVE-2013-1917
CVE-2013-1918
CVE-2013-1919
CVE-2013-1920
CVE-2013-1922
CVE-2013-1952
CVE-2013-1964
CVE-2013-2076
CVE-2013-2077
CVE-2013-2078
CVE-2013-2194
CVE-2013-2195
CVE-2013-2196
CVE-2013-2211

Xen TMEM


Last edited by GLSA on Mon Sep 30, 2013 4:31 am; edited 1 time in total
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum