Displaying 20 results from an estimated 20000 matches similar to: "Xen 4.6.3-3: Import XSA-190"
2017 Feb 18
0
Xen updates in the Testing Repo for XSA-207 and XSA-208
On 02/17/2017 02:32 PM, Kevin Stange wrote:
> Given the circumstances, might it make sense to offer formal advisories
> of some type for these to indicate when the packages going to live are
> for security or other reasons?
>
We release xen every 2nd (even numbered) release as a goal (4.4, 4.6, 4.8)
We don't normally release anything other than security updates. This is
a SIG
2017 Feb 17
2
Xen updates in the Testing Repo for XSA-207 and XSA-208
Given the circumstances, might it make sense to offer formal advisories
of some type for these to indicate when the packages going to live are
for security or other reasons?
On 02/17/2017 09:51 AM, Johnny Hughes wrote:
> These updates have now been pushed to mirror.centos.org and you can get
> them from the main repos.
>
> On 02/15/2017 08:27 AM, Johnny Hughes wrote:
>> There
2014 Jul 07
2
Xen 4.4.1-rc1+ rebase
I've got a first cut of the rebase here:
git://github.com/gwd/sig-virt-xen out/update-4.4.1-rc1-ee81dda-RFC
To build it, you'll need to download the polarssl tarball:
http://xenbits.xen.org/xen-extfiles/polarssl-1.1.4-gpl.tgz
And you'll need a tarball based on (unfortunately) a private tree,
which you can find here:
git://github.com/gwd/xen base/update-4.4.1-rc1-ee81dda-RFC
This
2017 May 04
2
Xen package security updates for jessie 4.4, XSA-213, XSA-214
Ian Jackson writes ("64bit PV guest breakout [XSA-213]"):
> Source: xen
> Version: 4.4.1-9
> Severity: important
> Tags: security upstream fixed-upstream
>
> See
> https://xenbits.xen.org/xsa/advisory-213.html
Ian Jackson writes ("grant transfer allows PV guest to elevate privileges [XSA-214]"):
> Source: xen
> Version: 4.4.1-9
> Severity:
2015 May 15
2
CVE-2015-3456 / XSA-133 / "Venom" @ Debian Xen
Hello Debian Xen team,
I have two questions regarding Xen vulnerability CVE-2015-3456 / XSA-133
/ "Venom" in Debian [1]:
* I noticed that [1] says 4.4.1-9 not to be vulnerable ("fixed")
but according to the Debian Changelog [2] 4.4.1-9 appeared
in Debian before XSA-133 was published and
xen_4.4.1-9.debian.tar.xz [3] does not seem to contain
any XSA-133 patch.
2018 Aug 15
6
Xen Security Update - XSA-{268,269,272,273}
Dear Security Team,
I have prepared a new upload addressing a number of open security
issues in Xen.
Due to the complexity of the patches that address XSA-273 [0] the
packages have been built from upstream's staging-4.8 / staging-4.10
branch again as recommended in that advisory. Commits on those branches
are restricted to those that address the following XSAs (cf. [1]):
- XSA-273
2017 Apr 04
4
Bug#859560: xen: CVE-2017-7228: x86: broken check in memory_exchange() permits PV guest breakout (XSA-212)
Source: xen
Version: 4.8.1~pre.2017.01.23-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
the following vulnerability was published for xen.
CVE-2017-7228[0]:
| An issue (known as XSA-212) was discovered in Xen, with fixes available
| for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA-29 fix
| introduced an insufficient check on XENMEM_exchange input,
2018 Jan 17
4
Xen 4.6.6-9 (with XPTI meltdown mitigation) packages making their way to centos-virt-xen-testing
I've built & tagged packages for CentOS 6 and 7 4.6.6-9, with XPTI
"stage 1" Meltdown mitigation.
This will allow 64-bit PV guests to run safely (with a few caveats),
but incurs a fairly significant slowdown for 64-bit PV guests on Intel
boxes (including domain 0).
If you prefer using Vixen / Comet, you can turn it off by adding
'xpti=0' to your Xen command-line.
2015 May 02
2
Bug#784011: xen: CVE-2015-3340: Information leak through XEN_DOMCTL_gettscinfo (XSA-132)
Source: xen
Version: 4.4.1-9
Severity: normal
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for xen.
CVE-2015-3340[0]:
| Xen 4.2.x through 4.5.x does not initialize certain fields, which
| allows certain remote service domains to obtain sensitive information
| from memory via a (1) XEN_DOMCTL_gettscinfo or (2)
| XEN_SYSCTL_getdomaininfolist request.
2015 Nov 19
3
CentOS 6 Xen package update (including XSA-156)
On Wed, Nov 18, 2015 at 1:31 PM, Pasi Kärkkäinen <pasik at iki.fi> wrote:
> On Wed, Nov 18, 2015 at 02:20:49PM +0200, Manuel Wolfshant wrote:
>> On 11/18/2015 02:08 PM, Pasi Kärkkäinen wrote:
>> >Hello,
>> >
>> >On Sun, Nov 15, 2015 at 06:42:18PM +0200, Pasi Kärkkäinen wrote:
>> >>On Sun, Nov 15, 2015 at 02:04:58PM +0200, Pasi Kärkkäinen wrote:
2023 Feb 18
1
Bug#1031567: xen: CVE-2022-27672: XSA-426: x86: Cross-Thread Return Address Predictions
Source: xen
Version: 4.17.0+24-g2f8851c37f-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for xen, filing with RC
severity (for ideally fixed before bookworm release):
CVE-2022-27672[0]:
| When SMT is enabled, certain AMD processors may speculatively execute
|
2016 Mar 29
1
XSA-172
xen 4.6.1-5 has been built and should be available in buildlogs soon
(available via the centos-virt-xen-testing repo).
More information can be found here:
http://xenbits.xen.org/xsa/advisory-172.html
A signed copy should hit the mirrors tomorrow.
Please report any problems on this list.
Thanks,
-George
2018 Jan 16
1
"Vixen" HVM shim package available in virt-xen-testing
To install the package:
yum --enablerepo=virt-xen-VV-testing install xen-vixen
Where VV is '44', '46', or '48', depending on which version you're
using. (It's the same package for all versions.)
This will install the xen-vixen "shim" binary, as well as the
pvshim-converter script.
See XSA-254 [1] for detailed information about who should use it, why,
and
2015 Nov 25
0
CentOS 6 Xen package update (including XSA-156)
On Thu, Nov 19, 2015 at 12:28 PM, George Dunlap <dunlapg at umich.edu> wrote:
> On Wed, Nov 18, 2015 at 1:31 PM, Pasi Kärkkäinen <pasik at iki.fi> wrote:
>> On Wed, Nov 18, 2015 at 02:20:49PM +0200, Manuel Wolfshant wrote:
>>> On 11/18/2015 02:08 PM, Pasi Kärkkäinen wrote:
>>> >Hello,
>>> >
>>> >On Sun, Nov 15, 2015 at 06:42:18PM
2018 Jan 18
0
Xen 4.6.6-9 (with XPTI meltdown mitigation) packages making their way to centos-virt-xen-testing
Thanks George.
As there are now quite many options to choose from, what would be the
best option performance wise for running 32bit domUs under xen-4.6?
Best,
Peter
On Wed, Jan 17, 2018 at 7:14 PM, George Dunlap <dunlapg at umich.edu> wrote:
> I've built & tagged packages for CentOS 6 and 7 4.6.6-9, with XPTI
> "stage 1" Meltdown mitigation.
>
> This will
2012 Dec 18
2
[ANNOUNCE] Xen 4.1.4 released
Folks,
I am pleased to announce the release of Xen 4.1.4. This is
available immediately from its mercurial repository:
http://xenbits.xen.org/xen-4.1-testing.hg (tag RELEASE-4.1.4)
This fixes the following critical vulnerabilities:
* CVE-2012-3494 / XSA-12:
hypercall set_debugreg vulnerability
* CVE-2012-3495 / XSA-13:
hypercall physdev_get_free_pirq vulnerability
* CVE-2012-3496 /
2015 Dec 10
1
Xen4CentOS and XSA-142
It looks like no XSA-142 patch, which is "libxl fails to honour readonly flag on disks with qemu-xen" has been applied to Xen4CentOS. I assume this
was on purpose?
If not, I can have someone try adding the original patch from http://xenbits.xen.org/xsa/advisory-142.html and some variant of the commit from
ef6cb76026628e26e3d1ae53c50ccde1c3c78b1b
2015 Apr 23
3
Xen 4.4.2 (with XSA-132) in virt6-testing
I've got Xen 4.4.2 in virt6-testing. I haven't had a chance to test
it, and won't for another week or two; but if some volunteers can put
it through its paces, I can ask Johnny to push it to the public repo
sometime early next week.
Thanks,
-George
2015 Nov 30
0
No separate XSA-162 package
Hey all, just a heads-up: XSA-162 [1] was released to the public this
morning at 0600 UTC. It is, however, a bug in a non-default network
card with a simple work-around (don't use that network card). Since
there are a large number of updates due next week, and this is a
fairly low-priority one, I decided not to do a package release
specifically for it, and to include all the updates (through
2017 Sep 07
2
Updated Xen packages for XSA 216..225
(*Really* switching to my personal address not because I'm not doing
work for Citrix, but because the corporate email is not working
properly. Sigh. Also, email updated a bit.)
Ian Jackson writes ("Re: Updated Xen packages for XSA 216..225"):
> Ian Jackson writes ("Re: Updated Xen packages for XSA 216..225"):
> > Hi. I was away and am now back. There are a lot