Security Information / 2013 / Security Information -- DSA-2636-2 xen

Debian Security Advisory

DSA-2636-2 xen -- several vulnerabilities

Date Reported:

03 Mar 2013

Affected Packages:

xen

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2012-4544, CVE-2012-5511, CVE-2012-5634, CVE-2013-0153.

More information:

Multiple vulnerabilities have been discovered in the Xen hypervisor. The Common Vulnerabilities and Exposures project identifies the following problems:

• CVE-2012-4544

  Insufficient validation of kernel or ramdisk sizes in the Xen PV domain builder could result in denial of service.

• CVE-2012-5511

  Several HVM control operations performed insufficient validation of input, which could result in denial of service through resource exhaustion.

• CVE-2012-5634

  Incorrect interrupt handling when using VT-d hardware could result in denial of service.

• CVE-2013-0153

  Insufficient restriction of interrupt access could result in denial of service.

For the stable distribution (squeeze), these problems have been fixed in version 4.0.1-5.8.

For the testing distribution (wheezy), these problems have been fixed in version 4.1.4-2.

For the unstable distribution (sid), these problems have been fixed in version 4.1.4-2.

We recommend that you upgrade your xen packages.