Salvatore Bonaccorso
2015-May-02 05:04 UTC
[Pkg-xen-devel] Bug#784011: xen: CVE-2015-3340: Information leak through XEN_DOMCTL_gettscinfo (XSA-132)
Source: xen
Version: 4.4.1-9
Severity: normal
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for xen.

CVE-2015-3340[0]:
| Xen 4.2.x through 4.5.x does not initialize certain fields, which
| allows certain remote service domains to obtain sensitive information
| from memory via a (1) XEN_DOMCTL_gettscinfo or (2)
| XEN_SYSCTL_getdomaininfolist request.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3340
[1] http://xenbits.xen.org/xsa/advisory-132.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
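The advisory describes a handler that writes some fields of an output structure and then copies the whole structure back to the caller, so whatever was left in the bytes it never wrote leaks out. The C program below is an added illustration of that bug class and of the zero-first fix, not Xen's code: the struct layout, the field values and the stale-byte marker are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a hypercall output structure: an explicit pad
 * field keeps the layout free of implicit padding (assumption, not Xen's). */
struct tsc_info_out {
    uint32_t tsc_mode;
    uint32_t gtsc_khz;
    uint32_t incarnation;
    uint32_t pad;          /* never written by the vulnerable filler */
    uint64_t elapsed_nsec;
};

#define STALE_BYTE 0xA5    /* marker standing in for leftover stack data */

/* Vulnerable pattern: only the named fields are written; whatever was
 * in the object's memory before is copied back to the caller as-is. */
static void fill_vulnerable(struct tsc_info_out *out)
{
    out->tsc_mode = 1;
    out->gtsc_khz = 2400000;
    out->incarnation = 3;
    out->elapsed_nsec = 123456789ULL;
}

/* Hardened pattern: zero the whole object first, so no byte reaches the
 * caller that the handler did not deliberately set. */
static void fill_hardened(struct tsc_info_out *out)
{
    memset(out, 0, sizeof(*out));
    fill_vulnerable(out);   /* same field assignments as above */
}

/* Simulate a stack frame holding stale data, run the filler, and count
 * how many STALE_BYTE values survive into the copied-out result.
 * A non-zero count means the caller received bytes it should not see. */
static size_t stale_bytes_after(void (*fill)(struct tsc_info_out *))
{
    struct tsc_info_out frame;
    unsigned char copied[sizeof(frame)];
    size_t i, leaked = 0;

    memset(&frame, STALE_BYTE, sizeof(frame));
    fill(&frame);
    memcpy(copied, &frame, sizeof(frame));   /* copy-to-caller stand-in */
    for (i = 0; i < sizeof(copied); i++)
        leaked += (copied[i] == STALE_BYTE);
    return leaked;
}
```

With the constructed layout the vulnerable filler hands back the four pad bytes unchanged, while the hardened one returns none.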
Bastian Blank
2015-May-02 12:03 UTC
[Pkg-xen-devel] Bug#784011: Bug#784011: xen: CVE-2015-3340: Information leak through XEN_DOMCTL_gettscinfo (XSA-132)
On Sat, May 02, 2015 at 07:04:34AM +0200, Salvatore Bonaccorso wrote:
> the following vulnerability was published for xen.

I consider this issue as unimportant. Not sure how I can mark it this
way in the security tracker.

Bastian

-- 
Knowledge, sir, should be free to all!
		-- Harry Mudd, "I, Mudd", stardate 4513.3
Salvatore Bonaccorso
2015-May-02 13:18 UTC
[Pkg-xen-devel] Bug#784011: Bug#784011: xen: CVE-2015-3340: Information leak through XEN_DOMCTL_gettscinfo (XSA-132)
Hi Bastian,

On Sat, May 02, 2015 at 02:03:10PM +0200, Bastian Blank wrote:
> On Sat, May 02, 2015 at 07:04:34AM +0200, Salvatore Bonaccorso wrote:
> > the following vulnerability was published for xen.
> 
> I consider this issue as unimportant. Not sure how I can mark it this
> way in the security tracker.

Basically the severities behind the status in brackets. But note that
in this case it was already marked low, with the meaning of severities
in http://security-team.debian.org/security_tracker.html#severity-levels

Basically then adding (unimportant) in the line for the package, in
this case

- xen <unfixed> (unimportant; bug #784011).

I have changed that now, referring to your comment in this bug.

Regards,
Salvatore