search for: 60f09d1ab1fe

Package: xen Severity: important Tags: security Justification: user security hole Hi, This issue is still unfixed in Wheezy: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2625 Patch: http://xenbits.xensource.com/hg/xen-unstable.hg/rev/60f09d1ab1fe Cheers, Moritz

...M guests will avoid this vulnerability. RELATED ISSUE ============= CVE-2012-2625 covers a bug in pygrub which caused that process to consume excessive amount of memory under similar circumstances to the above. This was fixed in xen-unstable (and the fix inherited by Xen 4.2.x) in revision 25589:60f09d1ab1fe but not called out as a security problem. This fix is also included, where relevant, in the patches below. RESOLUTION ========== Applying the appropriate attached patch resolves this issue, including the related pygrub fix where neccesary. xsa25-unstable.patch Xen unstable xsa25-4.2.patch...

...(nb: use of pygrub *is* vulnerable). Running only HVM guests will avoid these vulnerabilities. RESOLUTION ========== Applying the appropriate attached patch resolves these issues. The pygrub problem (CVE-2012-2625) was fixed in xen-unstable (and the fix inherited by Xen 4.2.x) in revision 25589:60f09d1ab1fe but not called out as a security problem. This fix is also included, where necessary, in the patches below. xsa25-unstable.patch Xen unstable xsa25-4.2.patch Xen 4.2.x xsa25-4.1.patch Xen 4.1.x $ sha256sum xsa25*.patch 613e4b82cdc9cabf9cbd52076118887b298c47e680c206...

...timed out. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Zhigang Wang <zhigang.x.wang@oracle.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Committed-by: Ian Campbell <ian.campbell@citrix.com> changeset: 25589:60f09d1ab1fe user: M A Young <m.a.young@durham.ac.uk> date: Wed Jul 04 15:46:14 2012 +0100 pygrub: cope better with big files in the guest. Only read the first megabyte of a configuration file (grub etc.) and read the kernel and ramdisk files from the guest in one megab...