| Summary: | <app-emulation/xen-3.4.2-r3: IOMMU fault DoS (CVE-2011-3131) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | xen |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://xenbits.xen.org/hg/staging/xen-4.1-testing.hg/rev/84e3706df07a | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 383977, 384361 | | |
| Bug Blocks: | | | |

Description
Agostino Sarubbo
2011-08-15 10:19:36 UTC
Fixed in cvs

It's fixed in xen-4.1.1-r2

Thanks Alexey.

The vulnerability _seems_ to affect only 4.x version, so in tree the stable version is 3.x

You want to stabilize 4.1.1-r2 equally?

(In reply to comment #3)
> Thanks Alexey.
>
> The vulnerability _seems_ to affect only 4.x version, so in tree the stable
> version is 3.x
>

Based on what? Reading the 3.x code, it very much looks affected to me. Also, SUSE has issued an update for this issue in xen-3:
http://support.novell.com/security/cve/CVE-2011-3131.html

> You want to stabilize 4.1.1-r2 equally?

We're not going to do a major version bump for fixing a security issue. We'll either need proof that this issue does not affect xen-3 (which I doubt), or a revbumped xen-3 package.

(In reply to comment #4)
> Based on what?

Secunia advisory says it, but I've not checked manually, is the reason because I said "_seems_"

sorted with substantial co-operation from a number of the faithful. Fixes for xen-3 and xen-4 are done, the former not yet in the tree. Watch this space..

The fixes are in the tree

Arches, please test & mark stable;

app-emulation/xen-4.1.1-r2,
app-emulation/xen-tools-4.1.1-r5,
app-emulation/xen-pvgrub-4.1.1-r1

target keywords "AMD64 X86".

(In reply to comment #8)
> Arches, please test & mark stable;
>
> app-emulation/xen-4.1.1-r2,
> app-emulation/xen-tools-4.1.1-r5,
> app-emulation/xen-pvgrub-4.1.1-r1
>
> target keywords "AMD64 X86".

We will wait for fixed version of xen-3

fixed version of xen-3 is in the tree

Arches, please test & mark stable; update to xen-3 ONLY (exclude xen-4)

app-emulation/xen-3.4.2-r2,
app-emulation/xen-tools 3.4.2-r1

re-patched the patch for the 1st step xen-tools. Needed two adjustments. Have re-tested.

```
archtester xen-tools # ebuild xen-tools-3.4.2-r1.ebuild compile
.......................................................
archtester xen-tools # >>> Source compiled.
```

Please re-try

It appears the xen-tools has an issue with the recently stabled gcc-4.5.3-r1

33977 fixed;

app-emulation/xen-3.4.2-r2,
app-emulation/xen-tools 3.4.2-r2

Arches please target:
app-emulation/xen-3.4.2-r2
app-emulation/xen-tools 3.4.2-r3

(In reply to comment #15)
> Arches please target:
> app-emulation/xen-3.4.2-r2
> app-emulation/xen-tools 3.4.2-r3

More recent versions have been stabilized in bug #360621. How do we proceed?

(In reply to comment #16)
> More recent versions have been stabilized in bug #360621. How do we proceed?

Stabilise the requested versions in addition to the 4.x versions, then remove yourself from CC.

Arches please target:
app-emulation/xen-3.4.2-r3
app-emulation/xen-tools 3.4.2-r3

Sorry @all for the extra mailspam.

I'd recommend to remove /.config before tests =)

amd64 ok, the other issues are not blockers.

ok, on syncing to current tree versions;

```
archtester ~ # ls -ld /.config/
ls: cannot access /.config/: No such file or directory
emerge =app-emulation/xen-tools-3.4.2-r3
>>> Emerging (1 of 1) app-emulation/xen-tools-3.4.2-r3
>>> Installing (1 of 1) app-emulation/xen-tools-3.4.2-r3
archtester ~ # emerge =app-emulation/xen-3.4.2-r3
>>> Emerging (3 of 3) app-emulation/xen-3.4.2-r3
>>> Installing (3 of 3) app-emulation/xen-3.4.2-r3
```

```
+ 25 Sep 2011; Tony Vroon <chainsaw@gentoo.org> xen-3.4.2-r3.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #379241.
+ 25 Sep 2011; Tony Vroon <chainsaw@gentoo.org> xen-tools-3.4.2-r3.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #379241.
```

X86 please proceed; the -r3s are GCC 4.5/4.6 capable.

(In reply to comment #21)
> X86 please proceed; the -r3s are GCC 4.5/4.6 capable.

x86 stable, BUT:

xen-tools-3.4.2-r3 has a missing dependency with USE="doc":

```
[...]
(/usr/share/texmf-dist/tex/latex/base/ifthen.sty)
! LaTeX Error: File `xcolor.sty' not found.
Type X to quit or <RETURN> to proceed,
or enter new name. (Default extension: sty)
Enter file name:
! Emergency stop.
<read *>
l.10 \usepackage {textcomp}^^M
! ==> Fatal error occurred, no output PDF file produced!
```

(In reply to comment #22)
> x86 stable, BUT:
>
> xen-tools-3.4.2-r3 has a missing dependency with USE="doc":

It was already filed and is not a regression, thanks anyway ;)

@security, Please proceed with glsa voting.

Thanks, folks. GLSA Vote: yes.

Vote: NO.

GLSA vote: NO. Closing noglsa.