Displaying 20 results from an estimated 4000 matches similar to: "Xen package security updates for jessie 4.4, XSA-213, XSA-214"
2017 May 04
2
Bug#861660: Xen package security updates for jessie 4.4, XSA-213, XSA-214
Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"):
> On Thu, May 04, 2017 at 05:59:18PM +0100, Ian Jackson wrote:
> > Should I put jessie-security in the debian/changelog and dgit push it
> > (ie, from many people's pov, dput it) ?
>
> Yes, the distribution line should be jessie-security, but please send
> a
2017 May 04
3
Bug#861660: Xen package security updates for jessie 4.4, XSA-213, XSA-214
Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"):
> On Thu, May 04, 2017 at 05:06:07PM +0100, Ian Jackson wrote:
> > I have fixed these in stretch but the jessie package remains unfixed.
> > I think I may be able to find some backports somewhere. Would that be
> > useful ? Is anyone else working on this ?
>
>
2017 May 04
4
Xen package security updates for jessie 4.4, XSA-213, XSA-214
Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"):
> Yes, the distribution line should be jessie-security, but please send
> a debdiff to team at security.debian.org for a quick review before
> uploading (I have no idea whether dgit supports security-master).
Here is the proposed debdiff (actually, a git diff) for xen in jessie.
My
2017 Apr 04
4
Bug#859560: xen: CVE-2017-7228: x86: broken check in memory_exchange() permits PV guest breakout (XSA-212)
Source: xen
Version: 4.8.1~pre.2017.01.23-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
the following vulnerability was published for xen.
CVE-2017-7228[0]:
| An issue (known as XSA-212) was discovered in Xen, with fixes available
| for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA-29 fix
| introduced an insufficient check on XENMEM_exchange input,
2017 Jul 17
2
Updated Xen packages for XSA 216..225
Salvatore Bonaccorso writes ("Re: Updated Xen packages for XSA 216..225"):
> On Tue, Jul 11, 2017 at 11:34:38PM +0200, Moritz Muehlenhoff wrote:
> > On Mon, Jul 03, 2017 at 12:33:54PM +0100, Ian Jackson wrote:
> > > Moritz M?hlenhoff writes ("Re: Updated Xen packages for XSA 216..225"):
> > > > Sorry for the late reply, was on vacation for a week.
2015 Mar 10
2
Bug#780227: XSA-123 / CVE-2015-2151 Hypervisor memory corruption due to x86 emulator flaw
Package: xen-hypervisor-4.1-amd64
Version: 4.1.4-3+deb7u4
Severity: critical
Hi,
Not sure how come I'm the first one to file this kind of a bug report :)
but here goes JFTR...
http://xenbits.xen.org/xsa/advisory-123.html was embargoed, but advance
warning was given to several big Xen VM farms, which led to e.g.
https://aws.amazon.com/premiumsupport/maintenance-2015-03/
2017 Jul 11
2
Updated Xen packages for XSA 216..225
On Mon, Jul 03, 2017 at 12:33:54PM +0100, Ian Jackson wrote:
> Moritz M?hlenhoff writes ("Re: Updated Xen packages for XSA 216..225"):
> > Sorry for the late reply, was on vacation for a week. What's the status
> > of jessie? Most of the XSAs seem to affect oldstable as well.
>
> Sorry, I forgot about them...
>
> I will see what I can do.
Did you look
2017 Jun 20
4
Updated Xen packages for XSA 216..225
FYI I will have an upload ready RSN. Where should I send it ?
Matthew Vernon has offered to test my amd64 binaries. I will test the
i386 packages myself.
Ian.
2017 Sep 13
2
Updated Xen packages for XSA 216..225
Moritz M?hlenhoff writes ("Re: Updated Xen packages for XSA 216..225"):
> Since the queue was already quite big and this update was ready
> I went ahead and released what we had for now.
Yes, sorry, I should have been explicit that that's what I expected
you to do...
Ian.
2015 May 15
2
CVE-2015-3456 / XSA-133 / "Venom" @ Debian Xen
Hello Debian Xen team,
I have two questions regarding Xen vulnerability CVE-2015-3456 / XSA-133
/ "Venom" in Debian [1]:
* I noticed that [1] says 4.4.1-9 not to be vulnerable ("fixed")
but according to the Debian Changelog [2] 4.4.1-9 appeared
in Debian before XSA-133 was published and
xen_4.4.1-9.debian.tar.xz [3] does not seem to contain
any XSA-133 patch.
2017 Sep 04
3
Updated Xen packages for XSA 216..225
On Mon, Aug 07, 2017 at 01:15:56PM +0200, Moritz Muehlenhoff wrote:
> On Mon, Jul 17, 2017 at 03:58:20PM +0100, Ian Jackson wrote:
> > Salvatore Bonaccorso writes ("Re: Updated Xen packages for XSA 216..225"):
> > > On Tue, Jul 11, 2017 at 11:34:38PM +0200, Moritz Muehlenhoff wrote:
> > > > On Mon, Jul 03, 2017 at 12:33:54PM +0100, Ian Jackson wrote:
>
2016 May 06
3
Bug#823620: Multiple security issues
Source: xen
Severity: grave
Tags: security
Multiple vulnerabilities are unfixed in xen:
CVE-2015-5307:
http://xenbits.xen.org/xsa/advisory-156.html
CVE-2016-3960
http://xenbits.xen.org/xsa/advisory-173.html
CVE-2016-3159 / CVE-2016-3158
http://xenbits.xen.org/xsa/advisory-172.html
CVE-2016-2271
http://xenbits.xen.org/xsa/advisory-170.html
CVE-2016-2270
2018 Aug 15
6
Xen Security Update - XSA-{268,269,272,273}
Dear Security Team,
I have prepared a new upload addressing a number of open security
issues in Xen.
Due to the complexity of the patches that address XSA-273 [0] the
packages have been built from upstream's staging-4.8 / staging-4.10
branch again as recommended in that advisory. Commits on those branches
are restricted to those that address the following XSAs (cf. [1]):
- XSA-273
2015 May 02
2
Bug#784011: xen: CVE-2015-3340: Information leak through XEN_DOMCTL_gettscinfo (XSA-132)
Source: xen
Version: 4.4.1-9
Severity: normal
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for xen.
CVE-2015-3340[0]:
| Xen 4.2.x through 4.5.x does not initialize certain fields, which
| allows certain remote service domains to obtain sensitive information
| from memory via a (1) XEN_DOMCTL_gettscinfo or (2)
| XEN_SYSCTL_getdomaininfolist request.
2015 Mar 31
1
Bug#781620: CVE-2015-2751 CVE-2015-2752 CVE-2015-2756
Source: xen
Severity: important
Tags: security
Please see
http://xenbits.xen.org/xsa/advisory-125.html
http://xenbits.xen.org/xsa/advisory-126.html
http://xenbits.xen.org/xsa/advisory-127.html
Cheers,
Moritz
2015 Jan 26
2
Bug#776319: CVE-2015-0361
Source: xen
Severity: important
Tags: security
Hi,
please see http://xenbits.xen.org/xsa/advisory-116.html
for details and a patch.
Cheers,
Moritz
2015 Dec 10
1
Xen4CentOS and XSA-142
It looks like no XSA-142 patch, which is "libxl fails to honour readonly flag on disks with qemu-xen" has been applied to Xen4CentOS. I assume this
was on purpose?
If not, I can have someone try adding the original patch from http://xenbits.xen.org/xsa/advisory-142.html and some variant of the commit from
ef6cb76026628e26e3d1ae53c50ccde1c3c78b1b
2014 Aug 10
1
Bug#757724: Multiple security issues
Source: xen
Severity: grave
Tags: security
The following security issues are still open in 4.4.0-1:
Xen Security Advisory CVE-2014-2599 / XSA-89
https://marc.info/?l=oss-security&m=139643934717922&w=2
Xen Security Advisory CVE-2014-3124 / XSA-92
https://marc.info/?l=oss-security&m=139894169729664&w=2
Xen Security Advisory CVE-2014-3967,CVE-2014-3968 / XSA-96
2019 Jun 25
2
Are XSA-289, XSA-274/CVE-2018-14678 fixed ?
Hello,
Are XSA-289 and XSA-274/CVE-2018-14678 fixed with Xen recent 4.8, 4.10 and kernel 4.9.177 packages ?
Thank you
2017 Aug 23
2
4.4.4-26 with XSA-226, 227, 230 in centos-virt-testing
Xen 4.4.4 along with kernel 4.9.44 containing patches for XSAs (226 -
230) from August 15th are now available in centos-virt-testing. If
possible, please test and provide feedback here so we can move these to
release soon.
XSA-228 did not affect Xen 4.4
XSA-229 only applies to the kernel
XSA-235 disclosed today only affects ARM and isn't going to be added to
these packages.
Thanks.
--