[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 479-1] xen security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : xen
Version        : 4.1.6.1-1+deb7u1
CVE ID         : CVE-2015-2752 CVE-2015-2756 CVE-2015-5165 CVE-2015-5307
                 CVE-2015-7969 CVE-2015-7970 CVE-2015-7971 CVE-2015-7972
                 CVE-2015-8104 CVE-2015-8339 CVE-2015-8340 CVE-2015-8550
                 CVE-2015-8554 CVE-2015-8555 CVE-2015-8615 CVE-2016-1570
                 CVE-2016-1571 CVE-2016-2270 CVE-2016-2271

This security update fixes a number of security issues in Xen in wheezy.

For Debian 7 "Wheezy", these problems have been fixed in version
4.1.6.1-1+deb7u1.

We recommend that you upgrade your libidn packages.


CVE-2015-2752

    The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x,
    when using a PCI passthrough device, is not preemptable, which
    allows local x86 HVM domain users to cause a denial of service (host
    CPU consumption) via a crafted request to the device model
    (qemu-dm).

CVE-2015-2756

    QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict
    access to PCI command registers, which might allow local HVM guest
    users to cause a denial of service (non-maskable interrupt and host
    crash) by disabling the (1) memory or (2) I/O decoding for a PCI
    Express device and then accessing the device, which triggers an
    Unsupported Request (UR) response.

CVE-2015-5165

    The C+ mode offload emulation in the RTL8139 network card device
    model in QEMU, as used in Xen 4.5.x and earlier, allows remote
    attackers to read process heap memory via unspecified vectors.

CVE-2015-5307

    The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x
    through 4.6.x, allows guest OS users to cause a denial of service
    (host OS panic or hang) by triggering many #AC (aka Alignment Check)
    exceptions, related to svm.c and vmx.c.

CVE-2015-7969

    Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest
    administrators or domains with certain permission to cause a denial
    of service (memory consumption) via a large number of "teardowns" of
    domains with the vcpu pointer array allocated using the (1)
    XEN_DOMCTL_max_vcpus hypercall or the xenoprofile state vcpu pointer
    array allocated using the (2) XENOPROF_get_buffer or (3)
    XENOPROF_set_passive hypercall.

CVE-2015-7970

    The p2m_pod_emergency_sweep function in arch/x86/mm/p2m-pod.c in Xen
    3.4.x, 3.5.x, and 3.6.x is not preemptible, which allows local x86
    HVM guest administrators to cause a denial of service (CPU
    consumption and possibly reboot) via crafted memory contents that
    triggers a "time-consuming linear scan," related to
    Populate-on-Demand.

CVE-2015-7971

    Xen 3.2.x through 4.6.x does not limit the number of printk console
    messages when logging certain pmu and profiling hypercalls, which
    allows local guests to cause a denial of service via a sequence of
    crafted (1) HYPERCALL_xenoprof_op hypercalls, which are not properly
    handled in the do_xenoprof_op function in common/xenoprof.c, or (2)
    HYPERVISOR_xenpmu_op hypercalls, which are not properly handled in
    the do_xenpmu_op function in arch/x86/cpu/vpmu.c.

CVE-2015-7972

    The (1) libxl_set_memory_target function in tools/libxl/libxl.c and
    (2) libxl__build_post function in tools/libxl/libxl_dom.c in Xen
    3.4.x through 4.6.x do not properly calculate the balloon size when
    using the populate-on-demand (PoD) system, which allows local HVM
    guest users to cause a denial of service (guest crash) via
    unspecified vectors related to "heavy memory pressure."

CVE-2015-8104

    The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x
    through 4.6.x, allows guest OS users to cause a denial of service
    (host OS panic or hang) by triggering many #DB (aka Debug)
    exceptions, related to svm.c.

CVE-2015-8339

    The memory_exchange function in common/memory.c in Xen 3.2.x through
    4.6.x does not properly hand back pages to a domain, which might
    allow guest OS administrators to cause a denial of service (host
    crash) via unspecified vectors related to domain teardown.

CVE-2015-8340

    The memory_exchange function in common/memory.c in Xen 3.2.x through
    4.6.x does not properly release locks, which might allow guest OS
    administrators to cause a denial of service (deadlock or host crash)
    via unspecified vectors, related to XENMEM_exchange error handling.

CVE-2015-8550

    Xen, when used on a system providing PV backends, allows local guest
    OS administrators to cause a denial of service (host OS crash) or
    gain privileges by writing to memory shared between the frontend and
    backend, aka a double fetch vulnerability.

CVE-2015-8554

    Buffer overflow in hw/pt-msi.c in Xen 4.6.x and earlier, when using
    the qemu-xen-traditional (aka qemu-dm) device model, allows local
    x86 HVM guest administrators to gain privileges by leveraging a
    system with access to a passed-through MSI-X capable physical PCI
    device and MSI-X table entries, related to a "write path."

CVE-2015-8555

    Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86
    FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage
    guest extended register state, which allows local guest domains to
    obtain sensitive information from other domains via unspecified
    vectors.

CVE-2015-8615

    The hvm_set_callback_via function in arch/x86/hvm/irq.c in Xen 4.6
    does not limit the number of printk console messages when logging
    the new callback method, which allows local HVM guest OS users to
    cause a denial of service via a large number of changes to the
    callback method (HVM_PARAM_CALLBACK_IRQ).

CVE-2016-1570

    The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1,
    and 4.1.x through 4.6.x allows local PV guests to obtain sensitive
    information, cause a denial of service, gain privileges, or have
    unspecified other impact via a crafted page identifier (MFN) to the
    (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the
    HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to
    page table updates.

CVE-2016-1571

    The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x
    through 4.6.x, when using shadow mode paging or nested
    virtualization is enabled, allows local HVM guest users to cause a
    denial of service (host crash) via a non-canonical guest address in
    an INVVPID instruction, which triggers a hypervisor bug check.

CVE-2016-2270

    Xen 4.6.x and earlier allows local guest administrators to cause a
    denial of service (host reboot) via vectors related to multiple
    mappings of MMIO pages with different cachability settings.

CVE-2016-2271

    VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU,
    allows local HVM guest users to cause a denial of service (guest
    crash) via vectors related to a non-canonical RIP.

- -- 
Brian May <bam@debian.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXO6WfAAoJEBeEV3+BH26s6ysQAN8l6OGNNQRIK6enb8EEmakS
oiCXmG8gbVo9SeheZK/6cgo3qpiZZztl5tFQACyPMsbaOKwfcI68nDrpjqkCp4Uu
ddhJpbPQ1QvHDNakphZsrUSIUlTsPgRmQt5nAOe/hLxa/prCxjzPFXLXiU7fmdRh
43yhdilfFhdryZ86mLzvNiccvE/ToTpd95+lMu0sPv6N2nJ33HTAGDZV7rHUMhzo
z2y8UXr5ymVMXrd7TCbEbdEd6uqgtA5UxU9LGjFvsQmnfIOiooegU6kcNFWDTtqP
ewyWGgncLta5bLzbArM7H+mOi9ToqRDzGdiG9LC9QbqIztoupmnXNhNSFgdAXuGS
vN4jUzcqggknoINhOduHPevaDOIwxRzBbkgXlgMW02Y2jLB4zcN9JOCmrm+5HSZT
xUdOw1AMe9Nux6rKaf1V0lJqn7JRqwKKw4lk0nz5w0HUJ38VA7fH34sStZ/uoYG4
LWTHtqPDlKrp5FLG7GmURX0+5muDNye2SjjQCNyDPFrKXNrrYNrBMDGDV51Lk7jb
1/qEmLPhsII2TEBKK2XC4ZSxEwbYK9QCnYuUZxuQI4KF9hE9Z1ivVtp/eacQonq2
Ve1ivOW5AQeORDcKiEMqvaCOQLzVx4Sjx7Kbb/wy+N+6dzZUlOiA2nqY5H8+okxs
JfbeaNsXaeikySIMNINn
=MF4Z
-----END PGP SIGNATURE-----
Reply to: