GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Fri Sep 27, 2013 10:26 pm Post subject: [ GLSA 201309-24 ] Xen: Multiple vulnerabilities
Gentoo Linux Security Advisory
Title: Xen: Multiple vulnerabilities (GLSA 201309-24)
Severity: high
Exploitable: local
Date: September 27, 2013
Bug(s): #385319, #386371, #420875, #431156, #454314, #464724, #472214, #482860
ID: 201309-24
Synopsis
Multiple vulnerabilities have been found in Xen, allowing attackers
on a Xen Virtual Machine to execute arbitrary code, cause Denial of
Service, or gain access to data on the host.
Background
Xen is a bare-metal hypervisor.
Affected Packages
Package: app-emulation/xen
Vulnerable: < 4.2.2-r1
Unaffected: >= 4.2.2-r1
Architectures: All supported architectures
Package: app-emulation/xen-tools
Vulnerable: < 4.2.2-r3
Unaffected: >= 4.2.2-r3
Architectures: All supported architectures
Package: app-emulation/xen-pvgrub
Vulnerable: < 4.2.2-r1
Unaffected: >= 4.2.2-r1
Architectures: All supported architectures
Description
Multiple vulnerabilities have been discovered in Xen. Please review the
CVE identifiers referenced below for details.
Impact
Guest domains could possibly gain privileges, execute arbitrary code, or
cause a Denial of Service on the host domain (Dom0). Additionally, guest
domains could gain information about other virtual machines running on
the same host or read arbitrary files on the host.
Workaround
The CVEs listed below do not currently have fixes, but only apply to Xen
setups which have “tmem” specified on the hypervisor command line.
TMEM is not currently supported for use in production systems, and
administrators using tmem should disable it.
Relevant CVEs:
* CVE-2012-2497
* CVE-2012-6030
* CVE-2012-6031
* CVE-2012-6032
* CVE-2012-6033
* CVE-2012-6034
* CVE-2012-6035
* CVE-2012-6036
Resolution
All Xen users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.2.2-r1"
All Xen-tools users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-emulation/xen-tools-4.2.2-r3"
All Xen-pvgrub users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-emulation/xen-pvgrub-4.2.2-r1"
References
CVE-2011-2901
CVE-2011-3262
CVE-2012-0217
CVE-2012-0218
CVE-2012-2934
CVE-2012-3432
CVE-2012-3433
CVE-2012-3494
CVE-2012-3495
CVE-2012-3496
CVE-2012-3497
CVE-2012-3498
CVE-2012-3515
CVE-2012-4411
CVE-2012-4535
CVE-2012-4536
CVE-2012-4537
CVE-2012-4538
CVE-2012-4539
CVE-2012-5510
CVE-2012-5511
CVE-2012-5512
CVE-2012-5513
CVE-2012-5514
CVE-2012-5515
CVE-2012-5525
CVE-2012-5634
CVE-2012-6030
CVE-2012-6031
CVE-2012-6032
CVE-2012-6033
CVE-2012-6034
CVE-2012-6035
CVE-2012-6036
CVE-2012-6075
CVE-2012-6333
CVE-2013-0151
CVE-2013-0152
CVE-2013-0153
CVE-2013-0154
CVE-2013-0215
CVE-2013-1432
CVE-2013-1917
CVE-2013-1918
CVE-2013-1919
CVE-2013-1920
CVE-2013-1922
CVE-2013-1952
CVE-2013-1964
CVE-2013-2076
CVE-2013-2077
CVE-2013-2078
CVE-2013-2194
CVE-2013-2195
CVE-2013-2196
CVE-2013-2211
Xen TMEM
Last edited by GLSA on Mon Sep 30, 2013 4:31 am; edited 1 time in total |
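As an added example (not part of the advisory, nor Gentoo's or Xen's own tooling), these shell functions check whether a hypervisor command line enables tmem, the condition the Workaround section names. They assume Xen's boolean option forms (tmem, tmem=<value>, no-tmem, last occurrence wins) and that `xl info` reports the line in its `xen_commandline` field; the sample command line is constructed.

```shell
#!/bin/sh
# Added example, not from the advisory. Reports whether a Xen hypervisor
# command line turns tmem on, which is the precondition the Workaround names.
# Assumptions: Xen boolean option forms (tmem, tmem=<value>, no-tmem), the
# last occurrence wins, and any value not explicitly false counts as enabled.

# tmem_state CMDLINE -> prints "enabled" or "disabled"
tmem_state() {
    printf '%s\n' "$1" | awk '
    {
        for (i = 1; i <= NF; i++) {
            opt = $i; neg = 0
            if (opt ~ /^no-/) { neg = 1; opt = substr(opt, 4) }
            # Match only the tmem switch itself, not tmem_dedup and friends.
            if (opt != "tmem" && opt !~ /^tmem=/) continue
            val = (opt == "tmem") ? "" : substr(opt, 6)
            on = !(val ~ /^(no|off|false|disable|0)$/)
            if (neg) on = !on
            state = on
        }
    }
    END { print (state ? "enabled" : "disabled") }'
}

# live_xen_cmdline -> prints the running hypervisor's command line.
# Assumption: run in Dom0 with the xl toolstack available.
live_xen_cmdline() {
    xl info | sed -n 's/^xen_commandline[[:space:]]*:[[:space:]]*//p'
}

# Constructed sample; on a real host use: tmem_state "$(live_xen_cmdline)"
SAMPLE='console=vga dom0_mem=2048M tmem tmem_dedup=1'
echo "sample command line: tmem $(tmem_state "$SAMPLE")"
```

If the result is "enabled", remove the tmem option from the bootloader entry for the hypervisor and reboot, as the Workaround section advises.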