
[gentoo-announce] [ GLSA 201309-24 ] Xen: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Gentoo Linux Security Advisory GLSA 201309-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

http://security.gentoo.org/

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Severity: High

Title: Xen: Multiple vulnerabilities

Date: September 27, 2013

Bugs: #385319, #386371, #420875, #431156, #454314, #464724, #472214, #482860

ID: 201309-24

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Synopsis

========

 

Multiple vulnerabilities have been found in Xen, allowing attackers on

a Xen Virtual Machine to execute arbitrary code, cause Denial of

Service, or gain access to data on the host.

 

Background

==========

 

Xen is a bare-metal hypervisor.

 

Affected packages

=================

 

     -------------------------------------------------------------------
     Package                    /   Vulnerable   /          Unaffected
     -------------------------------------------------------------------
  1  app-emulation/xen              < 4.2.2-r1             >= 4.2.2-r1
  2  app-emulation/xen-tools        < 4.2.2-r3             >= 4.2.2-r3
  3  app-emulation/xen-pvgrub       < 4.2.2-r1             >= 4.2.2-r1
     -------------------------------------------------------------------
     3 affected packages

 

Description

===========

 

Multiple vulnerabilities have been discovered in Xen. Please review the

CVE identifiers referenced below for details.

 

Impact

======

 

Guest domains could possibly gain privileges, execute arbitrary code,

or cause a Denial of Service on the host domain (Dom0). Additionally,

guest domains could gain information about other virtual machines

running on the same host or read arbitrary files on the host.

 

Workaround

==========

 

The CVEs listed below do not currently have fixes, but only apply to

Xen setups which have "tmem" specified on the hypervisor command line.

TMEM is not currently supported for use in production systems, and

administrators using tmem should disable it.

Relevant CVEs:

* CVE-2012-2497

* CVE-2012-6030

* CVE-2012-6031

* CVE-2012-6032

* CVE-2012-6033

* CVE-2012-6034

* CVE-2012-6035

* CVE-2012-6036
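
An added example (not part of the Gentoo advisory) for checking the tmem workaround above. It assumes the hypervisor command line is read from the `xen_commandline` field of `xl info`, and that tmem is a boolean option written as `tmem`, `tmem=<value>` or `no-tmem`, with the last occurrence taking effect; the sample output is constructed.

```shell
#!/bin/sh
# Added example: report whether a Xen hypervisor command line enables tmem.
# Assumptions (not from the advisory): the line comes from the
# "xen_commandline" field of `xl info`; tmem is a boolean option written as
# "tmem", "tmem=<value>" or "no-tmem"; the last occurrence wins.

# Read `xl info`-style text on stdin, print the hypervisor command line.
xen_cmdline_from_info() {
    sed -n 's/^xen_commandline[[:space:]]*:[[:space:]]*//p'
}

# tmem_state "<command line>" prints "enabled" or "disabled".
# The body runs in a subshell so `set -f` (no globbing) does not leak out.
tmem_state() (
    set -f
    state=disabled                      # off unless requested
    for tok in $1; do
        case "$tok" in
            tmem)    state=enabled ;;
            no-tmem) state=disabled ;;
            tmem=*)
                case "${tok#tmem=}" in
                    0|no|off|false|disable) state=disabled ;;
                    *)                      state=enabled ;;
                esac ;;
        esac
    done
    printf '%s\n' "$state"
)

# Constructed sample of `xl info` output (not captured from a real host).
SAMPLE_INFO='host                   : xenhost.example
xen_major              : 4
xen_minor              : 2
xen_commandline        : dom0_mem=2048M tmem loglvl=all'

cmdline=$(printf '%s\n' "$SAMPLE_INFO" | xen_cmdline_from_info)
if [ "$(tmem_state "$cmdline")" = enabled ]; then
    echo "tmem is enabled on: $cmdline"
    echo "disable it, as the advisory recommends"
else
    echo "tmem is not enabled"
fi
```

On a live Dom0, feed the parser with `xl info | xen_cmdline_from_info` instead of the sample text.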

 

Resolution

==========

 

All Xen users should upgrade to the latest version:

 

# emerge --sync

# emerge --ask --oneshot --verbose ">=app-emulation/xen-4.2.2-r1"

 

All Xen-tools users should upgrade to the latest version:

 

# emerge --sync

# emerge --ask --oneshot -v ">=app-emulation/xen-tools-4.2.2-r3"

 

All Xen-pvgrub users should upgrade to the latest version:

 

# emerge --sync

# emerge --ask --oneshot -v ">=app-emulation/xen-pvgrub-4.2.2-r1"

 

References

==========

 

[ 1 ] CVE-2011-2901

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2901

[ 2 ] CVE-2011-3262

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3262

[ 3 ] CVE-2011-3262

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3262

[ 4 ] CVE-2012-0217

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0217

[ 5 ] CVE-2012-0218

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0218

[ 6 ] CVE-2012-2934

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2934

[ 7 ] CVE-2012-3432

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3432

[ 8 ] CVE-2012-3433

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3433

[ 9 ] CVE-2012-3494

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3494

[ 10 ] CVE-2012-3495

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3495

[ 11 ] CVE-2012-3496

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3496

[ 12 ] CVE-2012-3497

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3497

[ 13 ] CVE-2012-3498

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3498

[ 14 ] CVE-2012-3515

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3515

[ 15 ] CVE-2012-4411

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4411

[ 16 ] CVE-2012-4535

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4535

[ 17 ] CVE-2012-4536

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4536

[ 18 ] CVE-2012-4537

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4537

[ 19 ] CVE-2012-4538

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4538

[ 20 ] CVE-2012-4539

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4539

[ 21 ] CVE-2012-5510

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5510

[ 22 ] CVE-2012-5511

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5511

[ 23 ] CVE-2012-5512

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5512

[ 24 ] CVE-2012-5513

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5513

[ 25 ] CVE-2012-5514

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5514

[ 26 ] CVE-2012-5515

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5515

[ 27 ] CVE-2012-5525

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5525

[ 28 ] CVE-2012-5634

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5634

[ 29 ] CVE-2012-6030

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6030

[ 30 ] CVE-2012-6031

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6031

[ 31 ] CVE-2012-6032

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6032

[ 32 ] CVE-2012-6033

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6033

[ 33 ] CVE-2012-6034

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6034

[ 34 ] CVE-2012-6035

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6035

[ 35 ] CVE-2012-6036

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6036

[ 36 ] CVE-2012-6075

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6075

[ 37 ] CVE-2012-6333

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6333

[ 38 ] CVE-2013-0151

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0151

[ 39 ] CVE-2013-0152

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0152

[ 40 ] CVE-2013-0153

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0153

[ 41 ] CVE-2013-0154

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0154

[ 42 ] CVE-2013-0215

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0215

[ 43 ] CVE-2013-1432

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1432

[ 44 ] CVE-2013-1917

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1917

[ 45 ] CVE-2013-1918

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1918

[ 46 ] CVE-2013-1919

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1919

[ 47 ] CVE-2013-1920

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1920

[ 48 ] CVE-2013-1922

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1922

[ 49 ] CVE-2013-1952

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1952

[ 50 ] CVE-2013-1964

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1964

[ 51 ] CVE-2013-2076

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2076

[ 52 ] CVE-2013-2077

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2077

[ 53 ] CVE-2013-2078

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2078

[ 54 ] CVE-2013-2194

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2194

[ 55 ] CVE-2013-2195

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2195

[ 56 ] CVE-2013-2196

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2196

[ 57 ] CVE-2013-2211

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2211

[ 58 ] Xen TMEM

http://lists.xen.org/archives/html/xen-announce/2012-09/msg00006.html

 

Availability

============

 

This GLSA and any updates to it are available for viewing at

the Gentoo Security Website:

 

http://security.gentoo.org/glsa/glsa-201309-24.xml

 

Concerns?

=========

 

Security is a primary focus of Gentoo Linux and ensuring the

confidentiality and security of our users' machines is of utmost

importance to us. Any security concerns should be addressed to

security@gentoo.org or alternatively, you may file a bug at

https://bugs.gentoo.org.

 

License

=======

 

Copyright 2013 Gentoo Foundation, Inc; referenced text

belongs to its owner(s).

 

The contents of this document are licensed under the

Creative Commons - Attribution / Share Alike license.

 

http://creativecommons.org/licenses/by-sa/2.5

 

 

 
