Debian Security Advisory
DSA-3140-1 xen -- security update
- Date Reported:
- 27 Jan 2015
- Affected Packages:
- xen
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2014-8594, CVE-2014-8595, CVE-2014-8866, CVE-2014-8867, CVE-2014-9030.
- More information:
-
Multiple security issues have been discovered in the Xen virtualisation solution which may result in denial of service, information disclosure or privilege escalation.
- CVE-2014-8594
Roger Pau Monne and Jan Beulich discovered that incomplete restrictions on MMU update hypercalls may result in privilege escalation.
- CVE-2014-8595
Jan Beulich discovered that missing privilege level checks in the x86 emulation of far branches may result in privilege escalation.
- CVE-2014-8866
Jan Beulich discovered that an error in compatibility mode hypercall argument translation may result in denial of service.
- CVE-2014-8867
Jan Beulich discovered that an insufficient restriction in acceleration support for the
REP MOVS
instruction may result in denial of service. - CVE-2014-9030
Andrew Cooper discovered a page reference leak in MMU_MACHPHYS_UPDATE handling, resulting in denial of service.
For the stable distribution (wheezy), these problems have been fixed in version 4.1.4-3+deb7u4.
For the upcoming stable distribution (jessie), these problems have been fixed in version 4.4.1-4.
For the unstable distribution (sid), these problems have been fixed in version 4.4.1-4.
We recommend that you upgrade your xen packages.
- CVE-2014-8594