Displaying 20 results from an estimated 230 matches for "xsa".
2018 Aug 15
6
Xen Security Update - XSA-{268,269,272,273}
Dear Security Team,
I have prepared a new upload addressing a number of open security
issues in Xen.
Due to the complexity of the patches that address XSA-273 [0] the
packages have been built from upstream's staging-4.8 / staging-4.10
branch again as recommended in that advisory. Commits on those branches
are restricted to those that address the following XSAs (cf. [1]):
- XSA-273 (CVE-2018-3620, CVE-2018-3646)
- XSA-272 (no CVE yet)
- XSA-269 (...
2013 Nov 25
0
CESA-2013:X013 Important Xen4CentOS xen Security Update
...06cd8be106a63712df1c5daacd9d437fc88fb75f523476d60c840 xen-4.2.3-25.el6.centos.alt.src.rpm
=====================================================
xen Changelog info from the SPEC file:
* Sat Nov 23 2013 Johnny Hughes <johnny at centos.org> - 4.2.3-25.el6.centos
- Roll in patch 145 and 146 for XSA-75 (CVE-2013-4551), XSA-78 (CVE-2013-6375)
* Mon Nov 04 2013 Johnny Hughes <johnny at centos.org> - 4.2.3-24.el6.centos
- Roll in patches 134 to 141, 143 to 144 for the following XSAs:
- XSA-62 (CVE-2013-1442), XSA-63 (CVE-2013-4355), XSA-72 (CVE-2013-4416)
- XSA-64 (CVE-2013-4356), XSA-66 (...
2019 Jun 25
2
Are XSA-289, XSA-274/CVE-2018-14678 fixed ?
Hello,
Are XSA-289 and XSA-274/CVE-2018-14678 fixed with Xen recent 4.8, 4.10 and kernel 4.9.177 packages ?
Thank you
2017 May 04
2
Xen package security updates for jessie 4.4, XSA-213, XSA-214
Ian Jackson writes ("64bit PV guest breakout [XSA-213]"):
> Source: xen
> Version: 4.4.1-9
> Severity: important
> Tags: security upstream fixed-upstream
>
> See
> https://xenbits.xen.org/xsa/advisory-213.html
Ian Jackson writes ("grant transfer allows PV guest to elevate privileges [XSA-214]"):
> Source:...
2012 Dec 03
0
Uncontrolled disclosure of advisories XSA-26 to XSA-32
We just sent the message below to the security advisory predisclosure
list, relating to the release of XSA-26 to XSA-32. As you will see,
these have now been publicly released.
We'll have a proper conversation about this in a week or two.
Thanks for your attention,
Ian.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We regret to announce that a member of the predisclosure list
discovered to...
2012 Dec 18
2
[ANNOUNCE] Xen 4.1.4 released
Folks,
I am pleased to announce the release of Xen 4.1.4. This is
available immediately from its mercurial repository:
http://xenbits.xen.org/xen-4.1-testing.hg (tag RELEASE-4.1.4)
This fixes the following critical vulnerabilities:
* CVE-2012-3494 / XSA-12:
hypercall set_debugreg vulnerability
* CVE-2012-3495 / XSA-13:
hypercall physdev_get_free_pirq vulnerability
* CVE-2012-3496 / XSA-14:
XENMEM_populate_physmap DoS vulnerability
* CVE-2012-3498 / XSA-16:
PHYSDEVOP_map_pirq index vulnerability
* CVE-2012-3515 / XSA-17:
Qem...
2017 May 04
2
Bug#861660: Xen package security updates for jessie 4.4, XSA-213, XSA-214
Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"):
> On Thu, May 04, 2017 at 05:59:18PM +0100, Ian Jackson wrote:
> > Should I put jessie-security in the debian/changelog and dgit push it
> > (ie, from many people's pov, dput it) ?
>
> Yes, the distribution line should be jessie-security, but please se...
2025 Feb 09
0
xen_4.17.5+23-ga4e5191dc0-2_source.changes ACCEPTED into proposed-updates->stable-new
...>=
6.12 (Closes: #1092495).
.
xen (4.17.5+23-ga4e5191dc0-1) bookworm-security; urgency=medium
.
* Update to new upstream version 4.17.5+23-ga4e5191dc0, which also contains
security fixes for the following issues:
- x86: shadow stack vs exceptions from emulation stubs
XSA-451 CVE-2023-46841
- x86: Register File Data Sampling
XSA-452 CVE-2023-28746
- GhostRace: Speculative Race Conditions
XSA-453 CVE-2024-2193
- x86 HVM hypercalls may trigger Xen bug check
XSA-454 CVE-2023-46842
- x86: Incorrect logic for BTC/SRSO mitigations...
2019 Jun 28
0
Are XSA-289, XSA-274/CVE-2018-14678 fixed ?
Looks like this never got a response from anyone.
On 6/25/19 10:15 AM, Yuriy Kohut wrote:
> Hello,
>
> Are XSA-289 and XSA-274/CVE-2018-14678 fixed with Xen recent 4.8, 4.10 and kernel 4.9.177 packages ?
XSA-289 is a tricky subject. In the end, it was effectively decided
that these patches were not recommended until they were reviewed again
and XSA-289 has no official list of flaws or fixes as a result....
2016 May 06
3
Bug#823620: Multiple security issues
Source: xen
Severity: grave
Tags: security
Multiple vulnerabilities are unfixed in xen:
CVE-2015-5307:
http://xenbits.xen.org/xsa/advisory-156.html
CVE-2016-3960
http://xenbits.xen.org/xsa/advisory-173.html
CVE-2016-3159 / CVE-2016-3158
http://xenbits.xen.org/xsa/advisory-172.html
CVE-2016-2271
http://xenbits.xen.org/xsa/advisory-170.html
CVE-2016-2270
http://xenbits.xen.org/xsa/advisory-154.html
CVE-2016-1571
http://xen...
2017 May 04
4
Xen package security updates for jessie 4.4, XSA-213, XSA-214
Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"):
> Yes, the distribution line should be jessie-security, but please send
> a debdiff to team at security.debian.org for a quick review before
> uploading (I have no idea whether dgit supports security-master).
Here is the proposed debdiff (actually, a git diff) for xen...
2017 Jul 17
2
Updated Xen packages for XSA 216..225
Salvatore Bonaccorso writes ("Re: Updated Xen packages for XSA 216..225"):
> On Tue, Jul 11, 2017 at 11:34:38PM +0200, Moritz Muehlenhoff wrote:
> > On Mon, Jul 03, 2017 at 12:33:54PM +0100, Ian Jackson wrote:
> > > Moritz Mühlenhoff writes ("Re: Updated Xen packages for XSA 216..225"):
> > > > Sorry for the late re...
2013 Nov 26
0
CentOS-announce Digest, Vol 105, Issue 11
...06cd8be106a63712df1c5daacd9d437fc88fb75f523476d60c840 xen-4.2.3-25.el6.centos.alt.src.rpm
=====================================================
xen Changelog info from the SPEC file:
* Sat Nov 23 2013 Johnny Hughes <johnny at centos.org> - 4.2.3-25.el6.centos
- Roll in patch 145 and 146 for XSA-75 (CVE-2013-4551), XSA-78 (CVE-2013-6375)
* Mon Nov 04 2013 Johnny Hughes <johnny at centos.org> - 4.2.3-24.el6.centos
- Roll in patches 134 to 141, 143 to 144 for the following XSAs:
- XSA-62 (CVE-2013-1442), XSA-63 (CVE-2013-4355), XSA-72 (CVE-2013-4416)
- XSA-64 (CVE-2013-4356), XSA-66 (...
2017 Sep 13
2
Updated Xen packages for XSA 216..225
Moritz Mühlenhoff writes ("Re: Updated Xen packages for XSA 216..225"):
> Since the queue was already quite big and this update was ready
> I went ahead and released what we had for now.
Yes, sorry, I should have been explicit that that's what I expected
you to do...
Ian.
2017 Feb 18
0
Xen updates in the Testing Repo for XSA-207 and XSA-208
...security updates. This is
a SIG that requires community participation .. so far, George Dunlap and
I are really the only people contributing.
This is volunteer work for both of us. We could stand some more volunteers.
In any event, the updates we release come from here:
https://xenbits.xen.org/xsa/
When they release an XSA, we incorporate it and do a new release.
Support for older releases will be done (currently by only me ..
volunteers welcome) based on this schedule:
https://wiki.xenproject.org/wiki/Xen_Project_Release_Features
So, we will support 4.4 on CentOS-6 until 'March 2017...
2017 Aug 23
2
4.4.4-26 with XSA-226, 227, 230 in centos-virt-testing
Xen 4.4.4 along with kernel 4.9.44 containing patches for XSAs (226 -
230) from August 15th are now available in centos-virt-testing. If
possible, please test and provide feedback here so we can move these to
release soon.
XSA-228 did not affect Xen 4.4
XSA-229 only applies to the kernel
XSA-235 disclosed today only affects ARM and isn't going to be ad...
2017 Nov 28
2
4.4.4-26 with XSA-226, 227, 230 in centos-virt-testing
...mind)
As long as Kevin (or anyone else) maintains the tree, I am happy to
build them into the repos.
On 11/28/2017 07:38 AM, Pasi Kärkkäinen wrote:
> Hi,
>
> On Wed, Aug 23, 2017 at 04:02:46PM -0500, Kevin Stange wrote:
>> Xen 4.4.4 along with kernel 4.9.44 containing patches for XSAs (226 -
>> 230) from August 15th are now available in centos-virt-testing. If
>> possible, please test and provide feedback here so we can move these to
>> release soon.
>>
>> XSA-228 did not affect Xen 4.4
>> XSA-229 only applies to the kernel
>>
>>...
2017 Feb 15
2
Xen updates in the Testing Repo for XSA-207 and XSA-208
There are xen rpms in the testing repos for XSA 207 and 208 in the
testing repos (xen-4.4.4-18.el6, xen-4.6.3-7.el6, xen-4.6.3-7.el7).
You can enable the applicable centos-virt-xen-testing repo in your
/etc/yum.repos.d/CentOS-Xen.repo file.
Please report positive and negative tests to this list so we can promote
the updates to the main repos....
2017 Feb 17
2
Xen updates in the Testing Repo for XSA-207 and XSA-208
...e are
for security or other reasons?
On 02/17/2017 09:51 AM, Johnny Hughes wrote:
> These updates have now been pushed to mirror.centos.org and you can get
> them from the main repos.
>
> On 02/15/2017 08:27 AM, Johnny Hughes wrote:
>> There are xen rpms in the testing repos for XSA 207 and 208 in the
>> testing repos (xen-4.4.4-18.el6, xen-4.6.3-7.el6, xen-4.6.3-7.el7).
>>
>> You can enable the applicable centos-virt-xen-testing repo in your
>> /etc/yum.repos.d/CentOS-Xen.repo file.
>>
>> Please report positive and negative tests to this l...
2017 Apr 04
4
Bug#859560: xen: CVE-2017-7228: x86: broken check in memory_exchange() permits PV guest breakout (XSA-212)
Source: xen
Version: 4.8.1~pre.2017.01.23-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
the following vulnerability was published for xen.
CVE-2017-7228[0]:
| An issue (known as XSA-212) was discovered in Xen, with fixes available
| for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA-29 fix
| introduced an insufficient check on XENMEM_exchange input, allowing the
| caller to drive hypervisor memory accesses outside of the guest
| provided input/output arrays.
If you fi...