similar to: Bug#609531: CVE-2010-4255: 64-bit PV xen guest can crash host by accessing hypervisor per-domain memory area

Package: xen-hypervisor-4.0-i386 Version: 4.0.1~rc6-1 Severity: important --- Please enter the report below this line. --- Booting up the Xen Dom0 fails with an error in "i387.c:159" --- System information. --- Architecture: i386 Kernel: Linux 2.6.32-5-686-bigmem Kernel: Linux 2.6.32-5-xen-686 Debian Release: squeeze/sid 500 testing security.debian.org 500

Package: xen-utils-4.0 Version: 4.0.1-1 Severity: normal Tags: patch pygrub could not boot a newly-updated Debian/testing domU with a non-chained grub2. The traceback was: Using <class 'grub.GrubConf.Grub2ConfigFile'> to parse /grub/grub.cfg WARNING:root:Unknown directive load_video WARNING:root:Unknown directive terminal_output Traceback (most recent call last): File

Package: xen-hypervisor-4.0-amd64 Version: 4.0.1-1 Severity: grave Tags: squeeze upstream Some newer hardware components (it is unclear what exactly causes the issue) render xen-hyervisor unusable as it crashes immediately after boot for the Debian out-of-box configuration. This results in a system rebooting all over again if the hypervisor is choosen as default stanza to be booted by grub

Package: xen-hypervisor-4.1-amd64 Version: 4.1.4-3+deb7u4 Severity: critical Hi, Not sure how come I'm the first one to file this kind of a bug report :) but here goes JFTR... http://xenbits.xen.org/xsa/advisory-123.html was embargoed, but advance warning was given to several big Xen VM farms, which led to e.g. https://aws.amazon.com/premiumsupport/maintenance-2015-03/

Package: xen Severity: grave Tags: security Please see http://www.openwall.com/lists/oss-security/2012/07/26/4 Cheers, Moritz

Package: xen Severity: important Tags: security Justification: user security hole Hi, This issue is still unfixed in Wheezy: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2625 Patch: http://xenbits.xensource.com/hg/xen-unstable.hg/rev/60f09d1ab1fe Cheers, Moritz

Source: xen Severity: grave Tags: security Hi, the following security issues apply to Xen in jessie: CVE-2014-5146,CVE-2014-5149: https://marc.info/?l=oss-security&m=140784877111813&w=2 CVE-2014-8594: https://marc.info/?l=oss-security&m=141631359901060&w=2 CVE-2014-8595: https://marc.info/?l=oss-security&m=141631352601020&w=2 Cheers, Moritz

Source: xen Severity: important Tags: security Please see http://xenbits.xen.org/xsa/advisory-125.html http://xenbits.xen.org/xsa/advisory-126.html http://xenbits.xen.org/xsa/advisory-127.html Cheers, Moritz

Source: xen Severity: important Tags: security Hi, please see http://xenbits.xen.org/xsa/advisory-116.html for details and a patch. Cheers, Moritz

Source: xen Severity: important Tags: security http://xenbits.xen.org/xsa/advisory-119.html Cheers, Moritz

Salvatore Bonaccorso writes ("Re: Updated Xen packages for XSA 216..225"): > On Tue, Jul 11, 2017 at 11:34:38PM +0200, Moritz Muehlenhoff wrote: > > On Mon, Jul 03, 2017 at 12:33:54PM +0100, Ian Jackson wrote: > > > Moritz M?hlenhoff writes ("Re: Updated Xen packages for XSA 216..225"): > > > > Sorry for the late reply, was on vacation for a week.

Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"): > On Thu, May 04, 2017 at 05:59:18PM +0100, Ian Jackson wrote: > > Should I put jessie-security in the debian/changelog and dgit push it > > (ie, from many people's pov, dput it) ? > > Yes, the distribution line should be jessie-security, but please send > a

On Mon, Jul 03, 2017 at 12:33:54PM +0100, Ian Jackson wrote: > Moritz M?hlenhoff writes ("Re: Updated Xen packages for XSA 216..225"): > > Sorry for the late reply, was on vacation for a week. What's the status > > of jessie? Most of the XSAs seem to affect oldstable as well. > > Sorry, I forgot about them... > > I will see what I can do. Did you look

Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"): > On Thu, May 04, 2017 at 05:06:07PM +0100, Ian Jackson wrote: > > I have fixed these in stretch but the jessie package remains unfixed. > > I think I may be able to find some backports somewhere. Would that be > > useful ? Is anyone else working on this ? > >

On Wed, Nov 19, 2014 at 11:45:02PM +0100, Moritz Muehlenhoff wrote: > Source: xen > Severity: grave > Tags: security > > Hi, > the following security issues apply to Xen in jessie: > > CVE-2014-5146,CVE-2014-5149: > https://marc.info/?l=oss-security&m=140784877111813&w=2 > > CVE-2014-8594: >

Processing commands for control at bugs.debian.org: > # As per Moritz, not blockers > user release.debian.org at packages.debian.org Setting user to release.debian.org at packages.debian.org (was adam at adam-barratt.org.uk). > tag 609531 + squeeze-ignore Bug #609531 [xen] CVE-2010-4255: 64-bit PV xen guest can crash host by accessing hypervisor per-domain memory area Added tag(s)

Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"): > Yes, the distribution line should be jessie-security, but please send > a debdiff to team at security.debian.org for a quick review before > uploading (I have no idea whether dgit supports security-master). Here is the proposed debdiff (actually, a git diff) for xen in jessie. My

Hi Steven, I onced played with your PV-on-HVM driver before it is checked in into unstable, I remember at that time, there is a XENFEAT_64bit_shared_info flag to handle situation of 32bit guest on 64bit hypervisor, at least vnif works fine with it. Later, when the code is checked in, this flag is gone. At first I though this was an effort to make hypervisor more transparent to HVM guest, but now

Source: xen Version: 4.1.2-2 Severity: critical Tags: security Justification: allows PV domains to escape into the dom0 context Hi, I realize you're most likely pretty well aware of that problem already, but Debian's Xen versions are vulnerable to a PV privilege escalation [1]. The issue is tracked as CVE-2012-0217 and public as of today. Therefore I am filing this bug for coordination

retitle 776319 xen: CVE-2015-0361 CVE-2015-1563 thanks On Mon, Jan 26, 2015 at 08:52:53PM +0100, Moritz Muehlenhoff wrote: > Source: xen > Severity: important > Tags: security > > Hi, > please see http://xenbits.xen.org/xsa/advisory-116.html > for details and a patch. Also http://xenbits.xen.org/xsa/advisory-118.html needs to be fixed in jessie. Cheers, Moritz